Bug 497690 (CVE-2014-0012) - <dev-python/jinja-2.7.3: arbitrary code execution vulnerability (CVE-2014-{0012,1402})
Status: RESOLVED FIXED
Alias: CVE-2014-0012
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Duplicates: 517570
 
Reported: 2014-01-10 09:41 UTC by Agostino Sarubbo
Modified: 2014-08-29 18:47 UTC
Description Agostino Sarubbo gentoo-dev 2014-01-10 09:41:41 UTC
From ${URL} :

Jinja2, a template engine written in pure python, was found to use /tmp as a default directory for 
jinja2.bccache.FileSystemBytecodeCache, which is insecure because the /tmp directory is world-writable and 
the filenames used like 'FileSystemBytecodeCache' are often predictable. A malicious user could exploit 
this bug to execute arbitrary code as another user.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2014-01-10 12:22:47 UTC
jinja-2.7.2 has been released to address this issue.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-07-20 15:06:25 UTC
*** Bug 517570 has been marked as a duplicate of this bug. ***
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-07-20 15:07:52 UTC
CVE-2014-1402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1402):
  The default configuration for bccache.FileSystemBytecodeCache in Jinja2
  before 2.7.2 does not properly create temporary files, which allows local
  users to gain privileges via a crafted .cache file with a name starting with
  __jinja2_ in /tmp.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-07-20 15:08:45 UTC
CVE-2014-0012 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0012):
  FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary
  directories, which allows local users to gain privileges by pre-creating a
  temporary directory with a user's uid.  NOTE: this vulnerability exists
  because of an incomplete fix for CVE-2014-1402.
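
The two CVE descriptions above come down to one check: a cache directory with a predictable name under a world-writable parent may already exist, so it must be verified before anything is loaded from it. The sketch below is an added example, not part of this bug report and not Jinja2's own code; `private_cache_dir`, `UnsafeCacheDir` and the `_example-cache-` prefix are hypothetical names, and the test directories are constructed.

```python
import os
import stat
import tempfile


class UnsafeCacheDir(RuntimeError):
    """Raised when the cache directory could be controlled by someone else."""


def private_cache_dir(base, prefix="_example-cache-"):  # prefix is hypothetical
    """Create or validate a per-user cache directory under a shared `base`."""
    uid = os.getuid()
    path = os.path.join(base, f"{prefix}{uid}")
    try:
        os.mkdir(path, stat.S_IRWXU)
        os.chmod(path, stat.S_IRWXU)  # make the mode independent of the umask
    except FileExistsError:
        pass  # predictable name: it may have been pre-created, so verify below
    st = os.lstat(path)  # lstat so a symlink at this name is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeCacheDir(f"{path}: not a directory")
    if st.st_uid != uid:
        raise UnsafeCacheDir(f"{path}: owned by uid {st.st_uid}")
    if stat.S_IMODE(st.st_mode) != stat.S_IRWXU:
        raise UnsafeCacheDir(f"{path}: mode is not 0700")
    return path


def _outcome(base):
    try:
        private_cache_dir(base)
        return "accepted"
    except UnsafeCacheDir:
        return "rejected"


def run_cases():
    """Run the check against constructed directories; returns case -> outcome."""
    name = f"_example-cache-{os.getuid()}"
    results = {}
    with tempfile.TemporaryDirectory() as base:  # nothing there yet
        results["fresh"] = stat.S_IMODE(os.lstat(private_cache_dir(base)).st_mode)
    with tempfile.TemporaryDirectory() as base:  # constructed: pre-created, open to all
        os.mkdir(os.path.join(base, name))
        os.chmod(os.path.join(base, name), 0o777)
        results["world_writable"] = _outcome(base)
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as other:
        os.symlink(other, os.path.join(base, name))  # constructed: symlink at the name
        results["symlink"] = _outcome(base)
    return results
```

With Jinja2, a path validated this way can be passed as the `directory` argument of `FileSystemBytecodeCache`; choosing a directory outside any world-writable location removes the pre-creation problem altogether.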
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-07-20 15:11:36 UTC
Version in Tree now:

*jinja-2.7.3 (26 Jun 2014)

  26 Jun 2014; Patrick McLean <chutzpah@gentoo.org> +jinja-2.7.3.ebuild:
  Version bump, fix for CVE-2014-0012.

Maintainer(s): please let us know when the ebuild is ready for stabilization.
Comment 6 Dirkjan Ochtman (RETIRED) gentoo-dev 2014-07-21 09:35:26 UTC
Arches, please stabilize =dev-python/jinja-2.7.3.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-21 12:52:39 UTC
(In reply to Dirkjan Ochtman from comment #6)

Again and again, please do it like this:

Arch teams, please test and mark stable:
=dev-python/jinja-2.7.3
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-22 02:01:12 UTC
RepoMan scours the neighborhood...
>>> Creating Manifest for /newaches/gentoo/cvs/gentoo-x86/dev-python/jinja
  metadata.warning              1
   dev-python/jinja/metadata.xml: unused local USE-description: 'i18n'


Stable for HPPA.
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2014-07-23 11:39:42 UTC
Stable on alpha.
Comment 10 Markus Meier gentoo-dev 2014-07-27 19:11:42 UTC
arm stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-28 22:13:31 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-08-02 12:42:11 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-08-02 12:44:17 UTC
x86 stable
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2014-08-02 15:39:34 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-08-08 21:35:51 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-08-09 10:49:01 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2014-08-19 05:24:08 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 18 Dirkjan Ochtman (RETIRED) gentoo-dev 2014-08-19 06:59:46 UTC
Cleanup done.
Comment 19 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-19 07:21:34 UTC
(In reply to Dirkjan Ochtman from comment #18)
> Cleanup done.

Thank you for the cleanup
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2014-08-29 18:47:43 UTC
This issue was resolved and addressed in
 GLSA 201408-13 at http://security.gentoo.org/glsa/glsa-201408-13.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).