Bug 29011

No registered maintainer, assigning to the Python team.

Assignee: bugsquad => python

The issue is also fixed upstream in 2.9.1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J6N66MDKHESXGMHWX4YKNW7DWXMQVL3F/

Done for Cauldron, mga8 and mga7!

CC: (none) => geiger.david68210

RPMS:
python2-babel-2.6.0-2.1.mga7
python3-babel-2.6.0-2.1.mga7
python3-babel-2.9.1-1.mga8

from SRPMS:
python-babel-2.6.0-2.1.mga7.src.rpm
python-babel-2.9.1-1.mga8.src.rpm

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Status comment: Patch available from Ubuntu => (none)
Assignee: python => qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues.
OK'ing on clean install as for other developer's stuff.

CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

(In reply to Herman Viaene from comment #5)
> MGA7-64 Plasma on Lenovo B50
> No installation issues.
> OK'ing on clean install as for other developer's stuff.

MGA8 64 Plasma.

On clean isntall, this is OK.

Source RPM: python-babel-2.9.0-2.mga9.src.rpm => python-babel-2.9.0-1.mga8.src.rpm
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-20095
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Advisory:
========================

Updated python-babel packages fix a security vulnerability:

Relative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code (CVE-2021-20095).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29011
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20095
 - https://ubuntu.com/security/notices/USN-4962-1
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J6N66MDKHESXGMHWX4YKNW7DWXMQVL3F/
========================

Updated packages in 7/core/updates_testing:
========================
python2-babel-2.6.0-2.1.mga7
python3-babel-2.6.0-2.1.mga7

from SRPMS:
python-babel-2.6.0-2.1.mga7.src.rpm
========================

Updated packages in 8/core/updates_testing:
========================
python3-babel-2.9.1-1.mga8

from SRPM:
python-babel-2.9.1-1.mga8.src.rpm
========================

Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0267.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

This CVE was rejected in favor of CVE-2021-42771:
https://www.debian.org/lts/security/2021/dla-2790

Summary: python-babel new security issues CVE-2021-20095 => python-babel new security issue CVE-2021-20095 / CVE-2021-42771

Curiosity check :-

$ rpm -q python3-babel
python3-babel-2.9.1-1.mga8

Followed the PoC trail for CVE-2021-42771.
Copied the python script at https://www.tenable.com/security/research/tra-2021-14
and ran it.
$ python3 babel_id_exploit.py
Created /tmp/evil.dat
Traceback (most recent call last):
  File "babel_id_exploit.py", line 18, in <module>
    locale = babel.Locale(language)
  File "/usr/lib/python3.8/site-packages/babel/core.py", line 168, in __init__
    raise UnknownLocaleError(identifier)
babel.core.UnknownLocaleError: unknown locale '../../../../../../../../../../tmp/evil'

Looks like a win for the update.

CC: (none) => tarazed25