[Bug 2102129] Re: Fix for CVE-2025-27516 regressed jinja in Python2 on focal and previous releases (ESM)
Gianfranco Costamagna
2102129 at bugs.launchpad.net
Wed Mar 12 17:54:58 UTC 2025
Setting up libpython3.8-stdlib:amd64 (3.8.10-0ubuntu1~20.04.15) ...
Setting up python3.8 (3.8.10-0ubuntu1~20.04.15) ...
Setting up libpython3-stdlib:amd64 (3.8.2-0ubuntu2) ...
Setting up python2.7 (2.7.18-1~20.04.7) ...
Setting up libpython2-stdlib:amd64 (2.7.17-2ubuntu4) ...
Setting up python3 (3.8.2-0ubuntu2) ...
Setting up python3-markupsafe (1.1.0-1build2) ...
Setting up python2 (2.7.17-2ubuntu4) ...
Setting up python3-jinja2 (2.10.1-2ubuntu0.6) ...
Setting up python-markupsafe (1.1.0-1build2) ...
Setting up python-jinja2 (2.10.1-2ubuntu0.6) ...
Processing triggers for libc-bin (2.31-0ubuntu9.17) ...
root at Unimatrix04-Noble:/# dpkg -i *deb^C
root at Unimatrix04-Noble:/# md5sum *deb
6806af5e0fb85ab95adaf88a8d8f1e51 python-jinja2_2.10.1-2ubuntu0.6_all.deb
fe991a99b2d9b610a39bdf1e028bc901 python3-jinja2_2.10.1-2ubuntu0.6_all.deb
root at Unimatrix04-Noble:/# dpkg -i *deb
(Reading database ... 11410 files and directories currently installed.)
Preparing to unpack python-jinja2_2.10.1-2ubuntu0.6_all.deb ...
Unpacking python-jinja2 (2.10.1-2ubuntu0.6) over (2.10.1-2ubuntu0.6) ...
Preparing to unpack python3-jinja2_2.10.1-2ubuntu0.6_all.deb ...
Unpacking python3-jinja2 (2.10.1-2ubuntu0.6) over (2.10.1-2ubuntu0.6) ...
Setting up python-jinja2 (2.10.1-2ubuntu0.6) ...
Setting up python3-jinja2 (2.10.1-2ubuntu0.6) ...
root at Unimatrix04-Noble:/# python2.7 -c "import jinja2"
The package in ppa works beautifully, thanks!
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to jinja2 in Ubuntu.
https://bugs.launchpad.net/bugs/2102129
Title:
Fix for CVE-2025-27516 regressed jinja in Python2 on focal and
previous releases (ESM)
Status in jinja2 package in Ubuntu:
In Progress
Bug description:
The reason is the patch:
diff -Nru jinja2-2.10.1/debian/patches/CVE-2025-27516.patch jinja2-2.10.1/debian/patches/CVE-2025-27516.patch
--- jinja2-2.10.1/debian/patches/CVE-2025-27516.patch 1970-01-01 00:00:00.000000000 +0000
+++ jinja2-2.10.1/debian/patches/CVE-2025-27516.patch 2025-03-10 16:46:08.000000000 +0000
@@ -0,0 +1,61 @@
+Backport of:
+From 065334d1ee5b7210e1a0a93c37238c86858f2af7 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism at gmail.com>
+Date: Wed, 5 Mar 2025 10:08:48 -0800
+Subject: [PATCH] attr filter uses env.getattr
+
+---
+ src/jinja2/filters.py | 37 ++++++++++++++++---------------------
+ 1 file changed, 30 insertions(+), 21 deletions(-)
+
+--- jinja2-2.10.1.orig/jinja2/filters.py
++++ jinja2-2.10.1/jinja2/filters.py
+@@ -14,6 +14,7 @@ import math
+ import random
+ import warnings
+
++from inspect import getattr_static
+ from itertools import groupby, chain
+
+ try:
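Review bot: the unconditional `+from inspect import getattr_static` added at the top of filters.py is the regression itself: inspect.getattr_static exists only on Python 3 (it was added in 3.2), so the python-jinja2 build for Python 2.7 fails at module import, which is exactly the traceback shown further down in the description. Suggest guarding the import (`try: from inspect import getattr_static` / `except ImportError:` followed by a static-lookup fallback, or a `sys.version_info` check) so the same debian patch applies to both the python-jinja2 and python3-jinja2 binary packages.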
+@@ -935,26 +936,24 @@ def do_reverse(value):
+ @environmentfilter
+ def do_attr(environment, obj, name):
+ """Get an attribute of an object. ``foo|attr("bar")`` works like
+- ``foo.bar`` just that always an attribute is returned and items are not
+- looked up.
++ ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
++ if the attribute doesn't exist
+
+ See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
+ """
++ # Environment.getattr will fall back to obj[name] if obj.name doesn't exist.
++ # But we want to call env.getattr to get behavior such as sandboxing.
++ # Determine if the attr exists first, so we know the fallback won't trigger.
+ try:
+- name = str(name)
+- except UnicodeError:
+- pass
+- else:
+- try:
+- value = getattr(obj, name)
+- except AttributeError:
+- pass
+- else:
+- if environment.sandboxed and not \
+- environment.is_safe_attribute(obj, name, value):
+- return environment.unsafe_undefined(obj, name)
+- return value
+- return environment.undefined(obj=obj, name=name)
++ # This avoids executing properties/descriptors, but misses __getattr__
++ # and __getattribute__ dynamic attrs.
++ getattr_static(obj, name)
++ except AttributeError:
++ # This finds dynamic attrs, and we know it's not a descriptor at this point.
++ if not hasattr(obj, name):
++ return environment.undefined(obj=obj, name=name)
++
++ return environment.getattr(obj, name)
+
+
+ @contextfilter
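Review bot: in the rewritten do_attr body, the `+        if not hasattr(obj, name):` probe behaves differently on Python 2, where hasattr swallows every exception raised by `__getattr__`, not only AttributeError, so a lookup that fails with some other error silently turns into environment.undefined instead of propagating; if Python 2 stays supported by this backport, a `try: getattr(obj, name)` / `except AttributeError:` probe gives the Python 3 semantics on both interpreters. Minor: the new docstring line `+    if the attribute doesn't exist` drops the terminating period that the replaced text had.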
The getattr_static attribute can't be found in the Python2 standard library's inspect module:
from inspect import getattr_static
python -c "import jinja2"
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python2.7/dist-packages/jinja2/__init__.py", line 33, in <module>
from jinja2.environment import Environment, Template
File "/usr/lib/python2.7/dist-packages/jinja2/environment.py", line 16, in <module>
from jinja2.defaults import BLOCK_START_STRING, \
File "/usr/lib/python2.7/dist-packages/jinja2/defaults.py", line 31, in <module>
from jinja2.filters import FILTERS as DEFAULT_FILTERS
File "/usr/lib/python2.7/dist-packages/jinja2/filters.py", line 17, in <module>
from inspect import getattr_static
ImportError: cannot import name getattr_static
Without the CVE patch fix, the import works:
python -c "import jinja2"
echo $?
0
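Added example, not jinja2's own code: the compat import that avoids the ImportError above, plus a stand-alone re-implementation of the patched filter's control flow so the intended behaviour (no item fallback, descriptors not run twice, dynamic attributes still found) can be checked without Jinja installed. `env_getattr`, `Undefined`, `Probe` and `Dynamic` are constructed stand-ins for this example, not Jinja APIs.

```python
def _getattr_static_fallback(obj, name):
    """Minimal stand-in for inspect.getattr_static on Python 2 (assumption:
    new-style classes only). Looks the name up in the instance dict and the
    class MRO dicts without invoking descriptors or __getattr__."""
    dicts = [getattr(obj, "__dict__", {})] + [vars(c) for c in type(obj).__mro__]
    for d in dicts:
        if name in d:
            return d[name]
    raise AttributeError(name)

try:
    from inspect import getattr_static          # Python 3.2+
except ImportError:                             # Python 2.7: not in inspect
    getattr_static = _getattr_static_fallback


class Undefined(object):
    """Constructed stand-in for environment.undefined(obj=..., name=...)."""
    def __init__(self, name):
        self.name = name


def env_getattr(obj, name):
    """Constructed stand-in for Environment.getattr: attribute first, then
    obj[name], then undefined. This is the fallback do_attr must avoid."""
    try:
        return getattr(obj, name)
    except AttributeError:
        try:
            return obj[name]
        except (TypeError, LookupError):
            return Undefined(name)


def do_attr(obj, name):
    """Same control flow as the patched filter: probe statically first, then
    hasattr for dynamic attrs, so env_getattr's item fallback is never reached."""
    try:
        getattr_static(obj, name)
    except AttributeError:
        if not hasattr(obj, name):
            return Undefined(name)
    return env_getattr(obj, name)


class Probe(object):
    """Constructed sample: a property that counts how often its getter runs."""
    calls = 0
    @property
    def p(self):
        type(self).calls += 1
        return "prop"


class Dynamic(object):
    """Constructed sample: attribute that exists only via __getattr__."""
    def __getattr__(self, name):
        if name == "dyn":
            return "dynamic"
        raise AttributeError(name)
```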