[Bug 2102129] Re: Fix for CVE-2025-27516 regressed jinja in Python2 on focal

Wed Mar 12 16:34:14 UTC 2025

Thank you for the feedback thus far on this. For trusty and xenial I accounted for Python 2 compatibility and wrote a backport of getattr_static:
```
def getattr_static_py2(obj, attr, default=None):
   """ Mimic getattr_static from Python 3 in Python 2.7. """
   for cls in inspect.getmro(type(obj)):
       if attr in cls.__dict__:
           return cls.__dict__[attr]
   return getattr(obj, attr, default)
```
Unfortunately, I did not have the same foresight to do this for bionic and focal. I am in the process of modifying the patches for bionic and focal to reference this function instead. 

** Changed in: jinja2 (Ubuntu)
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to jinja2 in Ubuntu.
https://bugs.launchpad.net/bugs/2102129

Title:
  Fix for CVE-2025-27516 regressed jinja in Python2 on focal

Status in jinja2 package in Ubuntu:
  In Progress

Bug description:
  Reason is the patch:
  diff -Nru jinja2-2.10.1/debian/patches/CVE-2025-27516.patch jinja2-2.10.1/debian/patches/CVE-2025-27516.patch
  --- jinja2-2.10.1/debian/patches/CVE-2025-27516.patch	1970-01-01 00:00:00.000000000 +0000
  +++ jinja2-2.10.1/debian/patches/CVE-2025-27516.patch	2025-03-10 16:46:08.000000000 +0000
  @@ -0,0 +1,61 @@
  +Backport of:
  +From 065334d1ee5b7210e1a0a93c37238c86858f2af7 Mon Sep 17 00:00:00 2001
  +From: David Lord <davidism at gmail.com>
  +Date: Wed, 5 Mar 2025 10:08:48 -0800
  +Subject: [PATCH] attr filter uses env.getattr
  +
  +---
  + src/jinja2/filters.py  | 37 ++++++++++++++++---------------------
  + 1 file changed, 30 insertions(+), 21 deletions(-)
  +
  +--- jinja2-2.10.1.orig/jinja2/filters.py
  ++++ jinja2-2.10.1/jinja2/filters.py
  +@@ -14,6 +14,7 @@ import math
  + import random
  + import warnings
  + 
  ++from inspect import getattr_static
  + from itertools import groupby, chain
  + 
  + try:
  +@@ -935,26 +936,24 @@ def do_reverse(value):
  + @environmentfilter
  + def do_attr(environment, obj, name):
  +     """Get an attribute of an object.  ``foo|attr("bar")`` works like
  +-    ``foo.bar`` just that always an attribute is returned and items are not
  +-    looked up.
  ++    ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
  ++    if the attribute doesn't exist
  + 
  +     See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
  +     """
  ++    # Environment.getattr will fall back to obj[name] if obj.name doesn't exist.
  ++    # But we want to call env.getattr to get behavior such as sandboxing.
  ++    # Determine if the attr exists first, so we know the fallback won't trigger.
  +     try:
  +-        name = str(name)
  +-    except UnicodeError:
  +-        pass
  +-    else:
  +-        try:
  +-            value = getattr(obj, name)
  +-        except AttributeError:
  +-            pass
  +-        else:
  +-            if environment.sandboxed and not \
  +-               environment.is_safe_attribute(obj, name, value):
  +-                return environment.unsafe_undefined(obj, name)
  +-            return value
  +-    return environment.undefined(obj=obj, name=name)
  ++        # This avoids executing properties/descriptors, but misses __getattr__
  ++        # and __getattribute__ dynamic attrs.
  ++        getattr_static(obj, name)
  ++    except AttributeError:
  ++        # This finds dynamic attrs, and we know it's not a descriptor at this point.
  ++        if not hasattr(obj, name):
  ++            return environment.undefined(obj=obj, name=name)
  ++
  ++    return environment.getattr(obj, name)
  + 
  + 
  + @contextfilter

  The getattr_static attribute can't be found on the Python2 standard library of inspect tool
  from inspect import getattr_static


  python -c "import jinja2"
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/usr/lib/python2.7/dist-packages/jinja2/__init__.py", line 33, in <module>
      from jinja2.environment import Environment, Template
    File "/usr/lib/python2.7/dist-packages/jinja2/environment.py", line 16, in <module>
      from jinja2.defaults import BLOCK_START_STRING, \
    File "/usr/lib/python2.7/dist-packages/jinja2/defaults.py", line 31, in <module>
      from jinja2.filters import FILTERS as DEFAULT_FILTERS
    File "/usr/lib/python2.7/dist-packages/jinja2/filters.py", line 17, in <module>
      from inspect import getattr_static
  ImportError: cannot import name getattr_static

  
  Without the CVE patch fix, the import works

  python -c "import jinja2"
  echo $?
  0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jinja2/+bug/2102129/+subscriptions