!85 [sync] PR-84: fix CVE-2024-56201

From: @openeuler-sync-bot Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
2024-12-26 07:42:45 +00:00 · 2024-12-26 07:42:45 +00:00 · ac802891dd
commit ac802891dd
parent 946cb7d628 260d8deb7c
2 changed files with 89 additions and 1 deletions
--- a/backport-CVE-2024-56201.patch
+++ b/backport-CVE-2024-56201.patch
@ -0,0 +1,81 @@
+From 336315f75ea1a788b3254bab5fb75f3aec558b67 Mon Sep 17 00:00:00 2001
+From: JackWei <weihaohao2@huawei.com>
+Date: Thu, 26 Dec 2024 14:49:28 +0800
+Subject: [PATCH] fix CVE-2024-56201
+
+---
+ Jinja2-3.0.3/CHANGES.rst            |  3 +++
+ Jinja2-3.0.3/src/jinja2/compiler.py |  7 ++++++-
+ Jinja2-3.0.3/tests/test_compile.py  | 19 +++++++++++++++++++
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/Jinja2-3.0.3/CHANGES.rst b/Jinja2-3.0.3/CHANGES.rst
+index a62255b..55d8a96 100644
+--- a/Jinja2-3.0.3/CHANGES.rst
+++ b/Jinja2-3.0.3/CHANGES.rst
+@@ -1,5 +1,8 @@
+ .. currentmodule:: jinja2
+ 
+-   Escape template name before formatting it into error messages, to avoid
+    issues with names that contain f-string syntax.
+    :issue:`1792`, :ghsa:`gmj6-6f8f-6699`
+ -   The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
+     greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
+     Regardless of any validation done by Jinja, user input should never be used
+diff --git a/Jinja2-3.0.3/src/jinja2/compiler.py b/Jinja2-3.0.3/src/jinja2/compiler.py
+index 52fd5b8..0314f67 100644
+--- a/Jinja2-3.0.3/src/jinja2/compiler.py
+++ b/Jinja2-3.0.3/src/jinja2/compiler.py
+@@ -1122,9 +1122,14 @@ class CodeGenerator(NodeVisitor):
+             )
+             self.writeline(f"if {frame.symbols.ref(alias)} is missing:")
+             self.indent()
+            # The position will contain the template name, and will be formatted
+            # into a string that will be compiled into an f-string. Curly braces
+            # in the name must be replaced with escapes so that they will not be
+            # executed as part of the f-string.
+            position = self.position(node).replace("{", "{{").replace("}", "}}")
+             message = (
+                 "the template {included_template.__name__!r}"
+-                f" (imported on {self.position(node)})"
+                f" (imported on {position})"
+                 f" does not export the requested name {name!r}"
+             )
+             self.writeline(
+diff --git a/Jinja2-3.0.3/tests/test_compile.py b/Jinja2-3.0.3/tests/test_compile.py
+index 42a773f..b33a877 100644
+--- a/Jinja2-3.0.3/tests/test_compile.py
+++ b/Jinja2-3.0.3/tests/test_compile.py
+@@ -1,6 +1,9 @@
+ import os
+ import re
+ 
+import pytest
+
+from jinja2 import UndefinedError
+ from jinja2.environment import Environment
+ from jinja2.loaders import DictLoader
+ 
+@@ -26,3 +29,19 @@ def test_import_as_with_context_deterministic(tmp_path):
+     expect = [f"'bar{i}': " for i in range(10)]
+     found = re.findall(r"'bar\d': ", content)[:10]
+     assert found == expect
+
+
+def test_undefined_import_curly_name():
+    env = Environment(
+        loader=DictLoader(
+            {
+                "{bad}": "{% from 'macro' import m %}{{ m() }}",
+                "macro": "",
+             }
+        )
+    )
+
+    # Must not raise `NameError: 'bad' is not defined`, as that would indicate
+    # that `{bad}` is being interpreted as an f-string. It must be escaped.
+    with pytest.raises(UndefinedError):
+        env.get_template("{bad}").render()
+-- 
+2.33.0
+
--- a/python-jinja2.spec
+++ b/python-jinja2.spec
@ -2,7 +2,7 @@

 Name:           python-jinja2
 Version:        3.0.3
-Release:        5
+Release:        6
 Summary:        A full-featured template engine for Python
 License:        BSD
 URL:            http://jinja.pocoo.org/
@ -11,6 +11,7 @@ Source0:        https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%
 Patch6000:      backport-CVE-2024-22195.patch
 Patch6001:      backport-CVE-2024-34064.patch
 Patch6002:      backport-CVE-2024-56326.patch
+Patch6003:      backport-CVE-2024-56201.patch

 BuildArch:      noarch

@ -66,6 +67,12 @@ popd
 %doc Jinja2-%{version}/examples

 %changelog
+* Thu Dec 26 2024 weihaohao <weihaohao2@huawei.com> - 3.0.3-6
+- Type:CVE
+- CVE:CVE-2024-56201
+- SUG:NA
+- DESC:fix CVE-2024-56201
+
 * Wed Dec 25 2024 changtao <changtao@kylinos.cn> - 3.0.3-5
 - Type:CVE
 - CVE:CVE-2024-56326