Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 517570

Summary: dev-python/jinja: Two vulnerabilities in bccache (CVE-2014-{0012,1402})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: minor CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: C3 [ebuild]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2014-07-20 15:03:36 UTC 
CVE-2014-1402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1402):
  The default configuration for bccache.FileSystemBytecodeCache in Jinja2
  before 2.7.2 does not properly create temporary files, which allows local
  users to gain privileges via a crafted .cache file with a name starting with
  __jinja2_ in /tmp.

CVE-2014-0012 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0012):
  FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary
  directories, which allows local users to gain privileges by pre-creating a
  temporary directory with a user's uid.  NOTE: this vulnerability exists
  because of an incomplete fix for CVE-2014-1402.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-07-20 15:06:25 UTC 

*** This bug has been marked as a duplicate of bug 497690 ***