Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 786954 (CVE-2021-20095) - <dev-python/Babel-2.9.1: Arbitrary locale loading weakness (CVE-2021-20095)
Summary: <dev-python/Babel-2.9.1: Arbitrary locale loading weakness (CVE-2021-20095)
Status: RESOLVED FIXED
Alias: CVE-2021-20095
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-29 19:06 UTC by Sam James
Modified: 2022-08-04 14:15 UTC (History)
3 users (show)

See Also:
Package list:
dev-python/Babel-2.9.1
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-29 19:06:11 UTC 
Description:
"Relative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code."

Disclosure: https://www.tenable.com/security/research/tra-2021-14
Comment 1 Agostino Sarubbo gentoo-dev 2021-04-30 15:24:25 UTC 
ALLARCHES stable. Closing.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-30 19:49:35 UTC 
Please cleanup

(In reply to Agostino Sarubbo from comment #1)
> ALLARCHES stable. Closing.

It’s a security bug! ;)
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-04-30 20:24:28 UTC 
Already done.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 03:56:49 UTC 
GLSA request filed.
Comment 5 Larry the Git Cow gentoo-dev 2022-08-04 14:02:15 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f6e2e11e7ff841fcf8e693775058b96ef4b3e7b1

commit f6e2e11e7ff841fcf8e693775058b96ef4b3e7b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:54 +0000

    [ GLSA 202208-03 ] Babel: Remote code execution
    
    Bug: https://bugs.gentoo.org/786954
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-03.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:15:17 UTC 
GLSA released, all done!