Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: jin...@packages.debian.org Control: affects -1 + src:jinja2 User: release.debian....@packages.debian.org Usertags: pu
Adresses one low severity security issue, debdiff below. Cheers, Moritz
diff -Nru jinja2-3.1.2/debian/changelog jinja2-3.1.2/debian/changelog
--- jinja2-3.1.2/debian/changelog 2025-02-27 22:30:54.000000000 +0100
+++ jinja2-3.1.2/debian/changelog 2025-05-18 00:17:01.000000000 +0200
@@ -1,3 +1,9 @@
+jinja2 (3.1.2-1+deb12u3) bookworm; urgency=medium
+
+ * CVE-2025-27516 (Closes: #1099690)
+
+ -- Moritz Mühlenhoff <j...@debian.org> Sun, 18 May 2025 00:17:01 +0200
+
 jinja2 (3.1.2-1+deb12u2) bookworm; urgency=medium

 * Non-maintainer upload by the LTS security team.
diff -Nru jinja2-3.1.2/debian/patches/0008-CVE-2025-27516.patch jinja2-3.1.2/debian/patches/0008-CVE-2025-27516.patch
--- jinja2-3.1.2/debian/patches/0008-CVE-2025-27516.patch 1970-01-01 01:00:00.000000000 +0100
+++ jinja2-3.1.2/debian/patches/0008-CVE-2025-27516.patch 2025-05-18 00:16:46.000000000 +0200
@@ -0,0 +1,60 @@
+Commit 065334d1ee5b7210e1a0a93c37238c86858f2af7 upstream:
+
+From: David Lord <david...@gmail.com>
+Date: Wed, 5 Mar 2025 10:08:48 -0800
+Subject: [PATCH] attr filter uses env.getattr
+
+--- jinja2-3.1.2.orig/src/jinja2/filters.py
++++ jinja2-3.1.2/src/jinja2/filters.py
+@@ -5,6 +5,7 @@ import re
+ import typing
+ import typing as t
+ from collections import abc
++from inspect import getattr_static
+ from itertools import chain
+ from itertools import groupby
+
+@@ -1393,30 +1394,24 @@ def do_attr(
+ environment: "Environment", obj: t.Any, name: str
+ ) -> t.Union[Undefined, t.Any]:
+ """Get an attribute of an object. ``foo|attr("bar")`` works like
+- ``foo.bar`` just that always an attribute is returned and items are not
+- looked up.
++ ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
++ if the attribute doesn't exist.
+
+ See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
+ """
++ # Environment.getattr will fall back to obj[name] if obj.name doesn't exist.
++ # But we want to call env.getattr to get behavior such as sandboxing.
++ # Determine if the attr exists first, so we know the fallback won't trigger.
+ try:
+- name = str(name)
+- except UnicodeError:
+- pass
+- else:
+- try:
+- value = getattr(obj, name)
+- except AttributeError:
+- pass
+- else:
+- if environment.sandboxed:
+- environment = t.cast("SandboxedEnvironment", environment)
+-
+- if not environment.is_safe_attribute(obj, name, value):
+- return environment.unsafe_undefined(obj, name)
+-
+- return value
++ # This avoids executing properties/descriptors, but misses __getattr__
++ # and __getattribute__ dynamic attrs.
++ getattr_static(obj, name)
++ except AttributeError:
++ # This finds dynamic attrs, and we know it's not a descriptor at this point.
++ if not hasattr(obj, name):
++ return environment.undefined(obj=obj, name=name)
+
+- return environment.undefined(obj=obj, name=name)
++ return environment.getattr(obj, name)
+
+
+ @typing.overload
diff -Nru jinja2-3.1.2/debian/patches/series jinja2-3.1.2/debian/patches/series
--- jinja2-3.1.2/debian/patches/series 2025-02-27 22:21:40.000000000 +0100
+++ jinja2-3.1.2/debian/patches/series 2025-05-18 00:16:34.000000000 +0200
@@ -5,3 +5,4 @@
 0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
 0006-Fix-CVE-2024-56201.patch
 0007-Fix-CVE-2024-56326.patch
+0008-CVE-2025-27516.patch
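Review bot: The rewritten `do_attr` body ends in `return environment.getattr(obj, name)` and drops the inline `is_safe_attribute` / `unsafe_undefined` branch, so on this 3.1.2 tree the CVE is closed only if the bookworm `SandboxedEnvironment.getattr` (not touched by this debdiff) performs those checks itself — the upstream commit was written against a later 3.1.x. The patch carries no regression test, so a test in the package's suite asserting that `|attr` on a `SandboxedEnvironment` yields undefined for an attribute `is_safe_attribute` rejects would confirm the backport instead of assuming it transfers. A second behaviour change deserves a changelog mention: with `name = str(name)` removed, `getattr_static(obj, name)` and `hasattr(obj, name)` raise `TypeError` for a non-string `name`, where the old code typically returned undefined. The patch header also lacks DEP-3 fields; `Origin: upstream, https://github.com/pallets/jinja/commit/065334d1ee5b7210e1a0a93c37238c86858f2af7` and `Bug-Debian: https://bugs.debian.org/1099690` would make the provenance traceable from the patch itself.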