diff --git a/Babel-2.9.0.tar.gz b/Babel-2.9.1.tar.gz similarity index 52% rename from Babel-2.9.0.tar.gz rename to Babel-2.9.1.tar.gz index 95929f246c7a7fb3f80e82997da169c1ecbe9daa..64b02c5c5f66f818c0d96c0150a60fd64c8814a0 100644 Binary files a/Babel-2.9.0.tar.gz and b/Babel-2.9.1.tar.gz differ diff --git a/babel-2.3.4-remove-pytz-version.patch b/babel-2.3.4-remove-pytz-version.patch deleted file mode 100644 index 96d375877ef43ef8521558b2f67dd8526e4eaaa0..0000000000000000000000000000000000000000 --- a/babel-2.3.4-remove-pytz-version.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up Babel-2.3.4/setup.py.orig Babel-2.3.4/setup.py ---- Babel-2.3.4/setup.py.orig 2016-04-11 11:58:25.000000000 +0200 -+++ Babel-2.3.4/setup.py 2016-04-25 13:35:54.458765892 +0200 -@@ -59,7 +59,10 @@ setup( - # This version identifier is currently necessary as - # pytz otherwise does not install on pip 1.4 or - # higher. -- 'pytz>=2015.7', -+ ### But the version confuses setuptools 8 and higher so remove it in the -+ ### system package -+ #'pytz>=2015.7', -+ 'pytz', - ], - - cmdclass={'import_cldr': import_cldr}, diff --git a/babel.spec b/babel.spec index 86cbc8bfa2ce9406ce1e8760bab3380f299980f4..06782e666ac31ddefa77cd30c68704c89c934540 100644 --- a/babel.spec +++ b/babel.spec @@ -1,15 +1,11 @@ Name: babel -Version: 2.9.0 -Release: 2 +Version: 2.9.1 +Release: 1 Summary: Tools for internationalizing and localizing Python applications License: BSD URL: http://babel.pocoo.org/ Source0: https://files.pythonhosted.org/packages/source/B/Babel/Babel-%{version}.tar.gz -Patch0: babel-2.3.4-remove-pytz-version.patch -Patch1: backport-0001-CVE-2021-20095-Run-locale-identifiers-through-os.path.basename.patch -Patch2: backport-0002-CVE-2021-20095-Disallow-special-filenames-on-Windows.patch - BuildArch: noarch BuildRequires: gcc git make @@ -60,7 +56,7 @@ rm -f "$BUILDDIR/html/.buildinfo" %py3_install %check -export TZ=Asia/Shanghai +export TZ=UTC %{__python3} -m pytest %pre @@ -84,6 +80,12 @@ export TZ=Asia/Shanghai %doc built-docs/html/* %changelog +* Fri Jul 30 2021 panxiaohe - 2.9.1-1 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:update to 2.9.1 + * Tue May 11 2021 yangzhuangzhuang - 2.9.0-2 - Type:bugfix - ID:NA diff --git a/backport-0001-CVE-2021-20095-Run-locale-identifiers-through-os.path.basename.patch b/backport-0001-CVE-2021-20095-Run-locale-identifiers-through-os.path.basename.patch deleted file mode 100644 index 6988b71ef1f7f736cd4cf233d2a58fc7f6639eb3..0000000000000000000000000000000000000000 --- a/backport-0001-CVE-2021-20095-Run-locale-identifiers-through-os.path.basename.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 3a700b5b8b53606fd98ef8294a56f9510f7290f8 Mon Sep 17 00:00:00 2001 -From: Aarni Koskela -Date: Wed, 28 Apr 2021 10:33:40 +0300 -Subject: [PATCH] Run locale identifiers through `os.path.basename()` - ---- - babel/localedata.py | 2 ++ - tests/test_localedata.py | 30 +++++++++++++++++++++++++++++- - 2 files changed, 31 insertions(+), 1 deletion(-) - -diff --git a/babel/localedata.py b/babel/localedata.py -index f4771d1f..11085490 100644 ---- a/babel/localedata.py -+++ b/babel/localedata.py -@@ -47,6 +47,7 @@ def exists(name): - """ - if not name or not isinstance(name, string_types): - return False -+ name = os.path.basename(name) - if name in _cache: - return True - file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name)) -@@ -102,6 +103,7 @@ def load(name, merge_inherited=True): - :raise `IOError`: if no locale data file is found for the given locale - identifer, or one of the locales it inherits from - """ -+ name = os.path.basename(name) - _cache_lock.acquire() - try: - data = _cache.get(name) -diff --git a/tests/test_localedata.py b/tests/test_localedata.py -index 83cd6699..9cb4282e 100644 ---- a/tests/test_localedata.py -+++ b/tests/test_localedata.py -@@ -11,11 +11,17 @@ - # individuals. For the exact contribution history, see the revision - # history and logs, available at http://babel.edgewall.org/log/. - -+import os -+import pickle -+import sys -+import tempfile - import unittest - import random - from operator import methodcaller - --from babel import localedata -+import pytest -+ -+from babel import localedata, Locale, UnknownLocaleError - - - class MergeResolveTestCase(unittest.TestCase): -@@ -131,3 +137,25 @@ def listdir_spy(*args): - localedata.locale_identifiers.cache = None - assert localedata.locale_identifiers() - assert len(listdir_calls) == 2 -+ -+ -+def test_locale_name_cleanup(): -+ """ -+ Test that locale identifiers are cleaned up to avoid directory traversal. -+ """ -+ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999)) -+ with open(no_exist_name, "wb") as f: -+ pickle.dump({}, f) -+ -+ try: -+ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0] -+ except ValueError: -+ if sys.platform == "win32": -+ pytest.skip("unable to form relpath") -+ raise -+ -+ assert not localedata.exists(name) -+ with pytest.raises(IOError): -+ localedata.load(name) -+ with pytest.raises(UnknownLocaleError): -+ Locale(name) diff --git a/backport-0002-CVE-2021-20095-Disallow-special-filenames-on-Windows.patch b/backport-0002-CVE-2021-20095-Disallow-special-filenames-on-Windows.patch deleted file mode 100644 index fc9d84a5174c6a92d5ac43ee4ee29a99fe20575b..0000000000000000000000000000000000000000 --- a/backport-0002-CVE-2021-20095-Disallow-special-filenames-on-Windows.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 5caf717ceca4bd235552362b4fbff88983c75d8c Mon Sep 17 00:00:00 2001 -From: Aarni Koskela -Date: Wed, 28 Apr 2021 11:47:42 +0300 -Subject: [PATCH] Disallow special filenames on Windows - ---- - babel/localedata.py | 24 +++++++++++++++++++++--- - tests/test_localedata.py | 9 +++++++++ - 2 files changed, 30 insertions(+), 3 deletions(-) - -diff --git a/babel/localedata.py b/babel/localedata.py -index 11085490..782b7afa 100644 ---- a/babel/localedata.py -+++ b/babel/localedata.py -@@ -13,6 +13,8 @@ - """ - - import os -+import re -+import sys - import threading - from itertools import chain - -@@ -22,6 +24,7 @@ - _cache = {} - _cache_lock = threading.RLock() - _dirname = os.path.join(os.path.dirname(__file__), 'locale-data') -+_windows_reserved_name_re = re.compile("^(con|prn|aux|nul|com[0-9]|lpt[0-9])$", re.I) - - - def normalize_locale(name): -@@ -38,6 +41,22 @@ def normalize_locale(name): - return locale_id - - -+def resolve_locale_filename(name): -+ """ -+ Resolve a locale identifier to a `.dat` path on disk. -+ """ -+ -+ # Clean up any possible relative paths. -+ name = os.path.basename(name) -+ -+ # Ensure we're not left with one of the Windows reserved names. -+ if sys.platform == "win32" and _windows_reserved_name_re.match(os.path.splitext(name)[0]): -+ raise ValueError("Name %s is invalid on Windows" % name) -+ -+ # Build the path. -+ return os.path.join(_dirname, '%s.dat' % name) -+ -+ - def exists(name): - """Check whether locale data is available for the given locale. - -@@ -47,10 +66,9 @@ def exists(name): - """ - if not name or not isinstance(name, string_types): - return False -- name = os.path.basename(name) - if name in _cache: - return True -- file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name)) -+ file_found = os.path.exists(resolve_locale_filename(name)) - return True if file_found else bool(normalize_locale(name)) - - -@@ -121,7 +139,7 @@ def load(name, merge_inherited=True): - else: - parent = '_'.join(parts[:-1]) - data = load(parent).copy() -- filename = os.path.join(_dirname, '%s.dat' % name) -+ filename = resolve_locale_filename(name) - with open(filename, 'rb') as fileobj: - if name != 'root' and merge_inherited: - merge(data, pickle.load(fileobj)) -diff --git a/tests/test_localedata.py b/tests/test_localedata.py -index 9cb4282e..c852c1b6 100644 ---- a/tests/test_localedata.py -+++ b/tests/test_localedata.py -@@ -159,3 +159,12 @@ def test_locale_name_cleanup(): - localedata.load(name) - with pytest.raises(UnknownLocaleError): - Locale(name) -+ -+ -+@pytest.mark.skipif(sys.platform != "win32", reason="windows-only test") -+def test_reserved_locale_names(): -+ for name in ("con", "aux", "nul", "prn", "com8", "lpt5"): -+ with pytest.raises(ValueError): -+ localedata.load(name) -+ with pytest.raises(ValueError): -+ Locale(name)