517570 – dev-python/jinja: Two vulnerabilities in bccache (CVE-2014-{0012,1402})

Bug 517570 - dev-python/jinja: Two vulnerabilities in bccache (CVE-2014-{0012,1402})

Summary: dev-python/jinja: Two vulnerabilities in bccache (CVE-2014-{0012,1402})

Status:	RESOLVED DUPLICATE of bug 497690

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	C3 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2014-07-20 15:03 UTC by GLSAMaker/CVETool Bot
Modified:	2014-07-20 15:06 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2014-07-20 15:03:36 UTC

CVE-2014-1402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1402):
  The default configuration for bccache.FileSystemBytecodeCache in Jinja2
  before 2.7.2 does not properly create temporary files, which allows local
  users to gain privileges via a crafted .cache file with a name starting with
  __jinja2_ in /tmp.

CVE-2014-0012 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0012):
  FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary
  directories, which allows local users to gain privileges by pre-creating a
  temporary directory with a user's uid.  NOTE: this vulnerability exists
  because of an incomplete fix for CVE-2014-1402.

Comment 1 Yury German Gentoo Infrastructure

2014-07-20 15:06:25 UTC


*** This bug has been marked as a duplicate of bug 497690 ***