A vulnerability in Babel could result in remote code execution.
|Package||dev-python/Babel on all architectures|
|Affected versions||< 2.9.1|
|Unaffected versions||>= 2.9.1|
Babel is a collection of tools for internationalizing Python applications.
Babel does not properly restrict which sources a locale can be loaded from. If Babel loads an attacker-controlled .dat file, arbitrary code execution can be achieved via unsafe Pickle deserialization.
An attacker with filesystem access and control over the locales Babel loads can achieve code execution.
There is no known workaround at this time.
All Babel users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-python/Babel-2.9.1"
August 04, 2022
August 04, 2022: 1