From ${URL} : Jinja2, a template engine written in pure Python, was found to use /tmp as a default directory for jinja2.bccache.FileSystemBytecodeCache, which is insecure because the /tmp directory is world-writable and the filenames used like 'FileSystemBytecodeCache' are often predictable. A malicious user could exploit this bug to execute arbitrary code as another user.

References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
jinja-2.7.2 has been released to address this issue.
*** Bug 517570 has been marked as a duplicate of this bug. ***
CVE-2014-1402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1402): The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.
CVE-2014-0012 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0012): FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.
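The two CVEs above describe the same class of defect: a bytecode cache rooted in a shared, world-writable directory with predictable names, first the cache file names (CVE-2014-1402) and then the per-uid directory that the 2.7.2 fix introduced and which a local user could pre-create (CVE-2014-0012). The following is an added example, not code from Jinja2, the Debian report or this bug; it shows the defensive pattern an application embedding Jinja2 can apply regardless of version: create the cache directory with an unpredictable name and mode 0700, verify ownership and permissions before use, and only then pass it via the `directory=` keyword that `jinja2.bccache.FileSystemBytecodeCache` accepts. The `demonstrate()` function builds a constructed world-writable directory to mimic /tmp and shows the check rejecting it.

```python
"""
Added example (not Jinja2's or Gentoo's code): choose and verify a private
bytecode-cache directory before handing it to FileSystemBytecodeCache.
Assumes a POSIX system (os.getuid, file modes) and, for build_environment(),
a Jinja2 whose FileSystemBytecodeCache takes a `directory` argument.
"""
import os
import shutil
import stat
import tempfile
from typing import Optional


def is_private_dir(path: str) -> bool:
    """True only if `path` is a real directory (not a symlink), owned by the
    current uid, with no group or world write bit set.  lstat() is used so a
    symlink planted at the path is never followed."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False  # symlink, regular file, ...: not acceptable
    if st.st_uid != os.getuid():
        return False  # pre-created by someone else (the CVE-2014-0012 pattern)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False  # shared-writable like /tmp (the CVE-2014-1402 pattern)
    return True


def make_private_cache_dir() -> str:
    """mkdtemp() creates a fresh mode-0700 directory with a random suffix and
    retries on EEXIST, so nobody can pre-create it under a guessable name."""
    return tempfile.mkdtemp(prefix="jinja2-bccache-")


def cache_directory_or_fail(preferred: Optional[str] = None) -> str:
    """Use an operator-supplied directory only if it passes the check;
    otherwise create a private one.  Never silently fall back to /tmp."""
    if preferred is not None:
        if not is_private_dir(preferred):
            raise PermissionError("refusing unsafe cache directory: %s" % preferred)
        return preferred
    return make_private_cache_dir()


def build_environment(cache_dir: str):
    """Wire the verified directory into Jinja2 (lazy import so the checks
    above run without Jinja2 installed)."""
    from jinja2 import Environment
    from jinja2.bccache import FileSystemBytecodeCache
    return Environment(bytecode_cache=FileSystemBytecodeCache(directory=cache_dir))


def demonstrate() -> dict:
    """Constructed demonstration: a /tmp-like directory is rejected, a fresh
    private one is accepted, a symlink and a missing path are rejected."""
    shared = tempfile.mkdtemp(prefix="shared-")
    os.chmod(shared, 0o1777)  # sticky + world-writable, exactly like /tmp
    private = make_private_cache_dir()
    link = os.path.join(private, "link")
    os.symlink(private, link)
    results = {
        "world_writable_rejected": not is_private_dir(shared),
        "private_accepted": is_private_dir(private),
        "symlink_rejected": not is_private_dir(link),
        "missing_rejected": not is_private_dir(os.path.join(private, "missing")),
    }
    try:
        cache_directory_or_fail(shared)
        results["unsafe_raises"] = False
    except PermissionError:
        results["unsafe_raises"] = True
    shutil.rmtree(private)
    shutil.rmtree(shared)
    return results


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print("%-25s %s" % (name, "ok" if ok else "FAIL"))
    try:
        env = build_environment(cache_directory_or_fail())
        print("Jinja2 environment built with a private bytecode cache")
    except ImportError:
        print("Jinja2 not installed; skipping environment construction")
```

The ownership test is what the 2.7.2 fix lacked: a per-uid directory name is only safe if the process refuses a directory that already exists with the wrong owner or mode, and `mkdtemp` sidesteps the question entirely by never reusing a name. Auditing an existing deployment is the same check run against the configured path, plus a look for `__jinja2_*.cache` files under /tmp, which indicates the insecure default is still in use.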
Version in Tree now: *jinja-2.7.3 (26 Jun 2014)

  26 Jun 2014; Patrick McLean <chutzpah@gentoo.org> +jinja-2.7.3.ebuild:
  Version bump, fix for CVE-2014-0012.

Maintainer(s): please let us know when the ebuild is ready for stabilization.
Arches, please stabilize =dev-python/jinja-2.7.3.
(In reply to Dirkjan Ochtman from comment #6) Again and again, please do it like this:

Arch teams, please test and mark stable: =dev-python/jinja-2.7.3
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
RepoMan scours the neighborhood...
>>> Creating Manifest for /newaches/gentoo/cvs/gentoo-x86/dev-python/jinja
  metadata.warning               1
   dev-python/jinja/metadata.xml: unused local USE-description: 'i18n'

Stable for HPPA.
Stable on alpha.
arm stable
ia64 stable
amd64 stable
x86 stable
sparc stable
ppc stable
ppc64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Arches, thank you for your work. Maintainer(s), please drop the vulnerable version(s). New GLSA Request filed.
Cleanup done.
(In reply to Dirkjan Ochtman from comment #18)
> Cleanup done.

Thank you for the cleanup.
This issue was resolved and addressed in GLSA 201408-13 at http://security.gentoo.org/glsa/glsa-201408-13.xml by GLSA coordinator Kristian Fiskerstrand (K_F).