From 6a20e690dbcd05f7f83268605457a95b3ed3518c Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Tue, 25 Mar 2025 17:05:06 +0800 Subject: [PATCH] [CVE]update to fence-agents-4.10.0-76.6 to #IBW6MH update to fence-agents-4.10.0-76.6 for CVE-2025-27516 Project: TC2024080204 Signed-off-by: Zhao Hang --- 0001-attr-filter-uses-env.getattr.patch | 80 +++++++++++++++++++++++++ fence-agents.spec | 8 ++- 2 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 0001-attr-filter-uses-env.getattr.patch
diff --git a/0001-attr-filter-uses-env.getattr.patch b/0001-attr-filter-uses-env.getattr.patch
new file mode 100644
index 0000000..7933b82
--- /dev/null
+++ b/0001-attr-filter-uses-env.getattr.patch
@@ -0,0 +1,80 @@
+diff --git a/Jinja2-3.1.3/src/jinja2/filters.py b/Jinja2-3.1.3/src/jinja2/filters.py
+index e5b5a00c..2bcba4fb 100644
+--- a/Jinja2-3.1.3/src/jinja2/filters.py
++++ b/Jinja2-3.1.3/src/jinja2/filters.py
+@@ -6,6 +6,7 @@ import re
+ import typing
+ import typing as t
+ from collections import abc
++from inspect import getattr_static
+ from itertools import chain
+ from itertools import groupby
+
+@@ -1411,31 +1412,25 @@ def do_reverse(value: t.Union[str, t.Iterable[V]]) -> t.Union[str, t.Iterable[V]
+ def do_attr(
+ environment: "Environment", obj: t.Any, name: str
+ ) -> t.Union[Undefined, t.Any]:
+- """Get an attribute of an object. ``foo|attr("bar")`` works like
+- ``foo.bar`` just that always an attribute is returned and items are not
+- looked up.
++ """Get an attribute of an object. ``foo|attr("bar")`` works like
++ ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
++ if the attribute doesn't exist.
+
+ See :ref:`Notes on subscriptions ` for more details.
+ """
++ # Environment.getattr will fall back to obj[name] if obj.name doesn't exist.
++ # But we want to call env.getattr to get behavior such as sandboxing.
++ # Determine if the attr exists first, so we know the fallback won't trigger.
+ try:
+- name = str(name)
+- except UnicodeError:
+- pass
+- else:
+- try:
+- value = getattr(obj, name)
+- except AttributeError:
+- pass
+- else:
+- if environment.sandboxed:
+- environment = t.cast("SandboxedEnvironment", environment)
+-
+- if not environment.is_safe_attribute(obj, name, value):
+- return environment.unsafe_undefined(obj, name)
+-
+- return value
+-
+- return environment.undefined(obj=obj, name=name)
++ # This avoids executing properties/descriptors, but misses __getattr__
++ # and __getattribute__ dynamic attrs.
++ getattr_static(obj, name)
++ except AttributeError:
++ # This finds dynamic attrs, and we know it's not a descriptor at this point.
++ if not hasattr(obj, name):
++ return environment.undefined(obj=obj, name=name)
++
++ return environment.getattr(obj, name)
+
+
+ @typing.overload
+diff --git a/Jinja2-3.1.3/tests/test_security.py b/Jinja2-3.1.3/tests/test_security.py
+index 864d5f7f..3a137819 100644
+--- a/Jinja2-3.1.3/tests/test_security.py
++++ b/Jinja2-3.1.3/tests/test_security.py
+@@ -190,3 +190,13 @@ class TestStringFormatMap:
+
+ with pytest.raises(SecurityError):
+ t.render()
++
++ def test_attr_filter(self) -> None:
++ env = SandboxedEnvironment()
++ t = env.from_string(
++ """{{ "{0.__call__.__builtins__[__import__]}"
++ | attr("format")(not_here) }}"""
++ )
++
++ with pytest.raises(SecurityError):
++ t.render()
+--
+2.43.0
+
diff --git a/fence-agents.spec b/fence-agents.spec
index 6ff5afd..83562d0 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -60,7 +60,7 @@ Name: fence-agents Summary: Set of unified programs capable of host isolation ("fencing") Version: 4.10.0
-Release: 76%{?alphatag:.%{alphatag}}%{anolis_release}%{?dist}.4
+Release: 76%{?alphatag:.%{alphatag}}%{anolis_release}%{?dist}.6
License: GPLv2+ and LGPLv2+ URL: https://github.com/ClusterLabs/fence-agents Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
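Review bot: The existence check in the new `do_attr` body does not fully guarantee what its comment claims. `getattr_static(obj, name)` succeeds for any property or descriptor found statically, so if that property raises `AttributeError` when actually read, `environment.getattr(obj, name)` can presumably still take the `obj[name]` fallback; this is inferred from the comment's description of `Environment.getattr`, whose body is not in this hunk. The added `test_attr_filter` pins only the sandboxed `str.format` case, so a second test for the documented no-fallback contract would help, e.g. `assert env.from_string('{{ d|attr("bar") }}').render(d={"bar": 1}) == ""`. The rewrite also drops the old `name = str(name)` coercion, so a non-string name now reaches `getattr_static` and `hasattr` unconverted; worth confirming that is intended for this backport.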
@@ -284,6 +284,8 @@ Patch2002: setuptools-fix-CVE-2024-6345.patch Patch2003: 0001-fix-f-string-syntax-error-in-code-generation.patch # https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4 Patch2004: 0001-sandbox-indirect-calls-to-str.format.patch
+# https://github.com/pallets/jinja/commit/065334d1ee5b7210e1a0a93c37238c86858f2af7
+Patch2005: 0001-attr-filter-uses-env.getattr.patch
%global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti %ifarch x86_64
@@ -471,6 +473,7 @@ pushd %{_sourcedir} tar -xf %{SOURCE1082} %patch -p1 -P2003 %patch -p1 -P2004
+%patch -p1 -P2005
tar -czvf %{SOURCE1082} %{jinja2}-%{jinja2_version}/ popd
@@ -1568,6 +1571,9 @@ are located on corosync cluster nodes. %endif %changelog
+* Tue Mar 25 2025 Zhao Hang - 4.10.0-76.0.1.6
+- fix CVE-2025-27516
+
* Fri Jan 17 2025 Zhao Hang - 4.10.0-76.0.1.4 - fix CVE-2024-56201 CVE-2024-56326 -- Gitee