Bug 786954 (CVE-2021-20095)

Summary:	<dev-python/Babel-2.9.1: Arbitrary locale loading weakness (CVE-2021-20095)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	ago, mgorny, python
Priority:	Normal	Flags:	nattka: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B2 [glsa+]
Package list:	dev-python/Babel-2.9.1	Runtime testing required:	---

Description Sam James archtester

2021-04-29 19:06:11 UTC

Description:
"Relative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code."

Disclosure: https://www.tenable.com/security/research/tra-2021-14

Comment 1 Agostino Sarubbo gentoo-dev

2021-04-30 15:24:25 UTC

ALLARCHES stable. Closing.

Comment 2 Sam James archtester

2021-04-30 19:49:35 UTC

Please cleanup

(In reply to Agostino Sarubbo from comment #1)
> ALLARCHES stable. Closing.

It’s a security bug! ;)

Comment 3 Michał Górny archtester

2021-04-30 20:24:28 UTC

Already done.

Comment 4 John Helmert III archtester

2022-08-04 03:56:49 UTC

GLSA request filed.

Comment 5 Larry the Git Cow gentoo-dev

2022-08-04 14:02:15 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f6e2e11e7ff841fcf8e693775058b96ef4b3e7b1

commit f6e2e11e7ff841fcf8e693775058b96ef4b3e7b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:54 +0000

    [ GLSA 202208-03 ] Babel: Remote code execution
    
    Bug: https://bugs.gentoo.org/786954
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-03.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

Comment 6 John Helmert III archtester

2022-08-04 14:15:17 UTC

GLSA released, all done!