Bug 1955615 (CVE-2021-20095, CVE-2021-42771)

Summary: CVE-2021-20095 CVE-2021-42771 python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: apevec, bdettelb, fschwarz, hhorak, hvyas, jjoyce, jorton, jschluet, lhh, lpeer, mburns, nphilipp, python-maint, python-sig, sclewis, slinaber, tomckay
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python-babel 2.9.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-babel. A path traversal vulnerability was found in how locale data files are checked and loaded within python-babel, allowing a local attacker to trick an application that uses python-babel into loading a file outside of the intended locale directory. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-08-24 15:35:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1954814, 1955725, 1956899, 1956900, 1956901, 1956902, 1956903, 1956904, 1957075, 1964344, 1969504, 1969520
Bug Blocks: 1955616

Description Guilherme de Almeida Suckevicz 2021-04-30 14:18:16 UTC
Relative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code.

Reference:
https://www.tenable.com/security/research/tra-2021-14

Upstream patch:
https://github.com/python-babel/babel/pull/782

Comment 1 Guilherme de Almeida Suckevicz 2021-04-30 17:39:27 UTC
Created babel tracking bugs for this issue:

Affects: fedora-all [bug 1955725]

Comment 2 Riccardo Schirone 2021-05-04 15:01:18 UTC
External References:

https://www.tenable.com/security/research/tra-2021-14

Comment 4 Riccardo Schirone 2021-05-04 15:43:58 UTC
An application that uses `babel.Locale` to create a new Locale object with an untrusted language argument might be vulnerable to this flaw. The babel library uses the language argument to retrieve a file on disk; however, it does not perform any check to ensure that the language is a well-formed name and that it does not contain special path characters (e.g. `..`).

The locale files are essentially dumps of pickle, thus an attacker who can create a file on the system and trick an application into using that file as a babel Locale can easily execute arbitrary code on the vulnerable system.
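
A defensive check for the pattern described in this comment, written as an added example for this record rather than code taken from python-babel or from the upstream pull request: the requested identifier is validated syntactically, matched against the set of locale data files actually present, and the resolved path is confirmed to stay inside the data directory before anything is opened or unpickled. The function names (`safe_locale_path`, `locale_identifiers`), the identifier regex, and the temporary fixture directory are assumptions of the example, not part of babel's API.

```python
import os
import re
import tempfile

# Assumed shape of a well-formed locale identifier: a 2-3 letter language
# subtag, optionally followed by '_'-joined script/territory/variant subtags
# (e.g. "en", "en_US", "zh_Hant_TW"). Path separators and ".." never match,
# so malformed input is rejected before the filesystem is consulted.
LOCALE_RE = re.compile(r"^[A-Za-z]{2,3}(?:_[A-Za-z0-9]{2,8})*$")


def locale_identifiers(locale_dir):
    """Allowlist derived from the .dat files actually shipped in locale_dir."""
    return {
        os.path.splitext(entry)[0]
        for entry in os.listdir(locale_dir)
        if entry.endswith(".dat")
    }


def safe_locale_path(locale_dir, name):
    """Return the absolute path of the data file for ``name``, or None.

    Three independent checks: syntax, allowlist membership, and containment
    of the resolved path inside locale_dir (defence in depth against symlinks
    or a future relaxation of the regex).
    """
    if not isinstance(name, str) or not LOCALE_RE.match(name):
        return None
    if name not in locale_identifiers(locale_dir):
        return None
    base = os.path.realpath(locale_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".dat"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def build_demo_dir():
    """Constructed fixture (not real babel data): a locale directory holding
    two placeholder .dat files, plus a planted .dat one level above it that
    stands in for an attacker-controlled pickle."""
    root = tempfile.mkdtemp(prefix="babel-demo-")
    locale_dir = os.path.join(root, "locale-data")
    os.mkdir(locale_dir)
    for ident in ("en_US", "de"):
        with open(os.path.join(locale_dir, ident + ".dat"), "wb") as fh:
            fh.write(b"placeholder")
    with open(os.path.join(root, "evil.dat"), "wb") as fh:
        fh.write(b"placeholder")
    return locale_dir


def run_demo():
    """Map each requested identifier to whether the check would accept it."""
    locale_dir = build_demo_dir()
    requests = ("en_US", "de", "fr", "../evil", "/etc/passwd", "en_US/../../evil")
    return {req: safe_locale_path(locale_dir, req) is not None for req in requests}


if __name__ == "__main__":
    for requested, accepted in run_demo().items():
        print(f"{requested!r:22} -> {'accepted' if accepted else 'rejected'}")
```

The unpatched behaviour this comment describes amounts to `os.path.join(locale_dir, name + ".dat")` with no validation, so a `name` of `../evil` resolves to the planted file one directory up. The allowlist check is the one a library can apply cheaply because it knows its own data files; the syntax check additionally stops the lookup from touching the filesystem for obviously hostile input, which matters when the identifier arrives from a request parameter.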

Comment 13 errata-xmlrpc 2021-08-24 08:05:35 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3252 https://access.redhat.com/errata/RHSA-2021:3252

Comment 14 errata-xmlrpc 2021-08-24 08:09:16 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

Comment 15 Product Security DevOps Team 2021-08-24 15:35:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20095

Comment 16 Sandipan Roy 2021-10-25 05:00:22 UTC
*** Bug 2016686 has been marked as a duplicate of this bug. ***

Comment 18 Doran Moppert 2021-10-26 07:02:54 UTC
Note: this CVE ID was rejected by MITRE, and CVE-2021-42771 used instead to track this issue. Since Red Hat has already shipped errata referencing CVE-2021-20095, we continue to use this ID and instead mark CVE-2021-42771 as duplicate for our purposes.

Both identifiers reference the same issue and carry the same analysis results, so the net result in terms of affected & fixed products is the same.

Comment 19 Tomas Hoger 2021-11-05 10:34:13 UTC
Adding the new CVE-2021-42771 here as well, while keeping the original CVE-2021-20095 listed here as well, as it was already used in released errata.

Comment 20 errata-xmlrpc 2021-11-09 17:25:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4151 https://access.redhat.com/errata/RHSA-2021:4151

Comment 21 errata-xmlrpc 2021-11-09 17:28:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162

Comment 22 errata-xmlrpc 2021-11-09 17:42:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4201 https://access.redhat.com/errata/RHSA-2021:4201