Bug 685844 (CVE-2019-10906) - <dev-python/jinja-2.10.1: str.format_map allows sandbox escape (CVE-2019-10906)
Summary: <dev-python/jinja-2.10.1: str.format_map allows sandbox escape (CVE-2019-10906)
Status: RESOLVED FIXED
Alias: CVE-2019-10906
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Duplicates: 685842
Depends on:
Blocks:
 
Reported: 2019-05-13 14:52 UTC by GLSAMaker/CVETool Bot
Modified: 2019-08-11 01:08 UTC
CC List: 2 users

See Also:
Package list:
dev-python/jinja-2.10.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-13 14:52:48 UTC
CVE-2019-10906 (https://nvd.nist.gov/vuln/detail/CVE-2019-10906):
  In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-13 14:53:30 UTC
*** Bug 685842 has been marked as a duplicate of this bug. ***
Comment 2 Virgil Dupras (RETIRED) gentoo-dev 2019-05-13 15:00:09 UTC
The 2.10.1 ebuild is already in the tree. Arches, please stabilize.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-05-13 20:31:11 UTC
arm64 stable
Comment 4 Rolf Eike Beer archtester 2019-05-14 08:31:12 UTC
sparc stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-15 15:05:31 UTC
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-16 23:57:21 UTC
x86 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-22 08:13:32 UTC
ia64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-23 13:18:01 UTC
arm stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 07:58:14 UTC
ppc stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 08:03:14 UTC
ppc64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-26 07:10:13 UTC
hppa stable
Comment 12 Agostino Sarubbo gentoo-dev 2019-06-04 18:52:42 UTC
s390 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Virgil Dupras (RETIRED) gentoo-dev 2019-06-05 11:51:00 UTC
alpha is still missing.
Comment 14 Agostino Sarubbo gentoo-dev 2019-06-06 06:49:16 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Larry the Git Cow gentoo-dev 2019-06-06 11:55:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb32ce68d51df398d42cfed16b93a263381b5093

commit eb32ce68d51df398d42cfed16b93a263381b5093
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2019-06-06 11:54:54 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2019-06-06 11:54:54 +0000

    dev-python/jinja: remove old
    
    Bug: https://bugs.gentoo.org/685844
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.66, Repoman-2.3.11

 dev-python/jinja/Manifest           |  2 -
 dev-python/jinja/jinja-2.10.ebuild  | 72 -----------------------------------
 dev-python/jinja/jinja-2.9.5.ebuild | 75 -------------------------------------
 3 files changed, 149 deletions(-)