Lucene search

K
gentooGentoo FoundationGLSA-202208-03
HistoryAug 04, 2022 - 12:00 a.m.

Babel: Remote code execution

2022-08-0400:00:00
Gentoo Foundation
security.gentoo.org
17

0.002 Low

EPSS

Percentile

63.6%

Background

Babel is a collection of tools for internationalizing Python applications.

Description

Babel does not properly restrict which sources a locale can be loaded from. If Babel loads an attacker-controlled .dat file, arbitrary code execution can be achieved via unsafe Pickle deserialization.

Impact

An attacker with filesystem access and control over the locales Babel loads can achieve code execution.

Workaround

There is no known workaround at this time.

Resolution

All Babel users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-python/Babel-2.9.1"
OSVersionArchitecturePackageVersionFilename
Gentooanyalldev-python/babel< 2.9.1UNKNOWN

0.002 Low

EPSS

Percentile

63.6%

Related for GLSA-202208-03