Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clean locale identifiers before loading from file #782

Merged
merged 2 commits into from
Apr 28, 2021
Merged

Conversation

akx
Copy link
Member

@akx akx commented Apr 28, 2021

No description provided.

@akx akx force-pushed the locale-basename branch from 4851ab7 to 3a700b5 Compare April 28, 2021 07:38
Copy link
Member

@mitsuhiko mitsuhiko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is kinda okay but there is a potential concern. Since certain names are reserved on windows you could cause a DOS by for instance trying to load aux.dat or similar files. To make this safer this should likely assert it's not in the list of reserved file names.

basename itself might be okay. While there are some scary inputs like .. loading the join of dirname name ...dat is still okay.

@akx akx changed the title Run locale identifiers through os.path.basename() Clean locale identifiers before loading from file Apr 28, 2021
@akx
Copy link
Member Author

akx commented Apr 28, 2021

@mitsuhiko Good call on the special filenames, I had forgotten those are still a thing on Windows. I added another commit that refactors the previous single call to basename to a function that resolves locale identifiers into full paths, taking them into account.

@akx akx requested a review from mitsuhiko April 28, 2021 08:54
@akx akx merged commit 412015e into master Apr 28, 2021
@akx akx deleted the locale-basename branch April 28, 2021 19:34
@StayPirate
Copy link

CVE-2021-20095 has been assigned to this.

@akx akx mentioned this pull request May 26, 2021
@carnil
Copy link

carnil commented Jun 16, 2021

CVE-2021-20095 appers to have been rejected again "This candidate was withdrawn by its CNA" according to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20095

@StayPirate
Copy link

Anybody knows something more about the rejection from Tenable? I can't find any useful information on their blog.

@Beuc
Copy link

Beuc commented Oct 18, 2021

I asked Tenable about it:
https://lists.debian.org/debian-lts/2021/10/msg00039.html

@Beuc
Copy link

Beuc commented Oct 19, 2021

Tenable answered they didn't mean to register it in the first place, hence why they rejected it.
I just requested a CVE identifier through https://cveform.mitre.org/ .

@Beuc
Copy link

Beuc commented Oct 21, 2021

sbrunner added a commit to camptocamp/c2cgeoportal that referenced this pull request Nov 10, 2021
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 90 packages, using default DB                                        |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | babel                      | 2.6.0     | <2.9.1                   | 42203    |
  +==============================================================================+
  | Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before  |
  | 2.9.1 allows attackers to load arbitrary locale .dat files (containing       |
  | serialized Python objects) via directory traversal, leading to code          |
  | execution. python-babel/babel#782                    |
  | https://lists.debian.org/debian-lts/2021/10/msg00040.html                    |
  | https://www.tenable.com/security/research/tra-2021-14                        |
  | https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html           |
  +==============================================================================+
  | pycryptodome               | 3.10.3    | <3.11.0                  | 42084    |
  +==============================================================================+
  | Pycryptodome version 3.11.0 includes a fix for the DSA construction          |
  | algorithm. Modulus "p" primality check wasn't working. https://github.com/Le |
  | grandin/pycryptodome/pull/557/commits/183f8d1c7a5e145e78b86fb54da7e327a277d9 |
  | c6                                                                           |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this pull request Nov 10, 2021
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 80 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | babel                      | 2.8.0     | <2.9.1                   | 42203    |
  +==============================================================================+
  | Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before  |
  | 2.9.1 allows attackers to load arbitrary locale .dat files (containing       |
  | serialized Python objects) via directory traversal, leading to code          |
  | execution.                                                                   |
  | python-babel/babel#782                               |
  | https://lists.debian.org/debian-lts/2021/10/msg00040.html                    |
  | https://www.tenable.com/security/research/tra-2021-14                        |
  | https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html           |
  +==============================================================================+
  | pycryptodome               | 3.10.3    | <3.11.0                  | 42084    |
  +==============================================================================+
  | Pycryptodome version 3.11.0 includes a fix for the DSA construction          |
  | algorithm. Modulus "p" primality check wasn't working.                       |
  | Legrandin/pycryptodome@183f8d1c7a5e145e7 |
  | 8b86fb54da7e327a277d9c6                                                      |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this pull request Nov 10, 2021
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 118 packages, using free DB (updated once a month)                   |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pycryptodome               | 3.10.3    | <3.11.0                  | 42084    |
  +==============================================================================+
  | Pycryptodome version 3.11.0 includes a fix for the DSA construction          |
  | algorithm. Modulus "p" primality check wasn't working.                       |
  | Legrandin/pycryptodome@183f8d1c7a5e145e7 |
  | 8b86fb54da7e327a277d9c6                                                      |
  +==============================================================================+
  | babel                      | 2.9.0     | <2.9.1                   | 42203    |
  +==============================================================================+
  | Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before  |
  | 2.9.1 allows attackers to load arbitrary locale .dat files (containing       |
  | serialized Python objects) via directory traversal, leading to code          |
  | execution.                                                                   |
  | python-babel/babel#782                               |
  | https://lists.debian.org/debian-lts/2021/10/msg00040.html                    |
  | https://www.tenable.com/security/research/tra-2021-14                        |
  | https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html           |
  +==============================================================================+
  | sqlalchemy-utils           | 0.36.8    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                      |
  +==============================================================================+
  | babel                      | 2.9.0     | <2.9.1                   | 42203    |
  +==============================================================================+
  | Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before  |
  | 2.9.1 allows attackers to load arbitrary locale .dat files (containing       |
  | serialized Python objects) via directory traversal, leading to code          |
  | execution.                                                                   |
  | python-babel/babel#782                               |
  | https://lists.debian.org/debian-lts/2021/10/msg00040.html                    |
  | https://www.tenable.com/security/research/tra-2021-14                        |
  | https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html           |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this pull request Nov 12, 2021
   +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 25 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | babel                      | 2.8.0     | <2.9.1                   | 42203    |
  +==============================================================================+
  | Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before  |
  | 2.9.1 allows attackers to load arbitrary locale .dat files (containing       |
  | serialized Python objects) via directory traversal, leading to code          |
  | execution.                                                                   |
  | python-babel/babel#782                               |
  | https://lists.debian.org/debian-lts/2021/10/msg00040.html                    |
  | https://www.tenable.com/security/research/tra-2021-14                        |
  | https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html           |
  +==============================================================================+
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants