jinja2: CVE-2014-1402: jinja2.bccache.FileSystemBytecodeCache: insecure default directory

Related Vulnerabilities: CVE-2014-1402, CVE-2014-0012

Debian Bug report logs - #734747


Reported by: Jakub Wilk <jwilk@debian.org>

Date: Thu, 9 Jan 2014 14:57:01 UTC

Severity: important

Tags: security

Found in version jinja2/2.7.1-1

Fixed in version jinja2/2.7.2-1

Done: Piotr Ożarowski <piotr@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#734747; Package python-jinja2. (Thu, 09 Jan 2014 14:57:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jinja2.bccache.FileSystemBytecodeCache: insecure default directory
Date: Thu, 9 Jan 2014 15:55:02 +0100
Package: python-jinja2
Version: 2.7.1-1
Severity: important
Tags: security

Default directory for jinja2.bccache.FileSystemBytecodeCache is /tmp.
This is insecure, because the directory is world-writable and filenames
that FileSystemBytecodeCache uses are of course predictable. As I
understand it, a malicious local user could exploit this bug to execute
arbitrary code as another user.

Proof of concept is attached. If you put the __jinja2_*.cache file in 
/tmp, and make it world-readable, then test-bccache.py will print "moo" 
instead of "foo" (even when run by another user than the owner of the 
cache file).


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-jinja2 depends on:
ii  python             2.7.5-5
ii  python-markupsafe  0.18-1

-- 
Jakub Wilk
[__jinja2_0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33.cache (chemical/x-cache, attachment)]
[test-bccache.py (text/x-python, attachment)]
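
Added example, not part of the original report or of Jinja2's own code: one way for an application to avoid the shared default described above is to give FileSystemBytecodeCache an explicit directory that only the current user can write to, and to refuse a pre-existing one that fails that test. The helper names `cache_dir_problem` and `private_cache_dir` and the directory name `jinja2-bytecode` are assumptions made for illustration.

```python
import os
import stat
import tempfile


def cache_dir_problem(path):
    """Return None if only the current user can write into path, else a reason."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at this name
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISDIR(st.st_mode):
        return "not a real directory"
    if st.st_uid != os.geteuid():
        return "owned by uid %d" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None


def private_cache_dir(base, name="jinja2-bytecode"):
    """Create or reuse base/name (mode 0700); refuse it if others could write there."""
    path = os.path.join(base, name)
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # pre-existing entry: trusted only if the check below passes
    problem = cache_dir_problem(path)
    if problem:
        raise RuntimeError("refusing cache directory %s: %s" % (path, problem))
    return path


if __name__ == "__main__":
    base = tempfile.mkdtemp()  # constructed stand-in for the user's own cache root
    good = private_cache_dir(base)
    print(good, "->", cache_dir_problem(good))
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)  # constructed stand-in for a /tmp-like directory
    print(shared, "->", cache_dir_problem(shared))
    # With Jinja2 installed, pass the result explicitly instead of the default:
    #   jinja2.FileSystemBytecodeCache(directory=good)
```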

Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#734747; Package python-jinja2. (Fri, 10 Jan 2014 10:57:09 GMT)


Acknowledgement sent to Armin Ronacher <armin.ronacher@active-4.com>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Fri, 10 Jan 2014 10:57:09 GMT)


Message #8 received at 734747@bugs.debian.org:

From: Armin Ronacher <armin.ronacher@active-4.com>
To: 734747@bugs.debian.org
Subject: Issue Fixed
Date: Fri, 10 Jan 2014 10:47:34 +0000
Hi,

Jinja 2.7.2 fixes this issue now:
https://pypi.python.org/packages/source/J/Jinja2/Jinja2-2.7.2.tar.gz#md5=df1581455564e97010e38bc792012aa5

It's not a super nice solution in that it creates a folder for the user, but it 
should be good enough for the moment.  I will consider making the path explicit 
in 2.8 which will put this issue to the forefront of users.


Regards,
Armin



Changed Bug title to 'jinja2: CVE-2014-1402: jinja2.bccache.FileSystemBytecodeCache: insecure default directory' from 'jinja2.bccache.FileSystemBytecodeCache: insecure default directory' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 10 Jan 2014 12:33:18 GMT)


Reply sent to Piotr Ożarowski <piotr@debian.org>:
You have taken responsibility. (Fri, 10 Jan 2014 21:33:13 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Fri, 10 Jan 2014 21:33:13 GMT)


Message #15 received at 734747-close@bugs.debian.org:

From: Piotr Ożarowski <piotr@debian.org>
To: 734747-close@bugs.debian.org
Subject: Bug#734747: fixed in jinja2 2.7.2-1
Date: Fri, 10 Jan 2014 21:29:09 +0000
Source: jinja2
Source-Version: 2.7.2-1

We believe that the bug you reported is fixed in the latest version of
jinja2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 734747@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Ożarowski <piotr@debian.org> (supplier of updated jinja2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 10 Jan 2014 20:56:20 +0100
Source: jinja2
Binary: python-jinja2 python-jinja2-doc python3-jinja2
Architecture: source all
Version: 2.7.2-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <piotr@debian.org>
Changed-By: Piotr Ożarowski <piotr@debian.org>
Description: 
 python-jinja2 - small but fast and easy to use stand-alone template engine
 python-jinja2-doc - documentation for the Jinja2 Python library
 python3-jinja2 - small but fast and easy to use stand-alone template engine
Closes: 734747
Changes: 
 jinja2 (2.7.2-1) unstable; urgency=high
 .
   * New upstream release
     - changes default folder for the filesystem cache (closes: 734747,
       CVE-2014-1402)




Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#734747; Package python-jinja2. (Tue, 21 Jan 2014 12:21:10 GMT)


Acknowledgement sent to Philippe Makowski <pmakowski@espelida.com>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Tue, 21 Jan 2014 12:21:10 GMT)


Message #20 received at 734747@bugs.debian.org:

From: Philippe Makowski <pmakowski@espelida.com>
To: 734747@bugs.debian.org
Subject: Jinja 2.7.2 CVE-2014-0012
Date: Tue, 21 Jan 2014 13:22:51 +0100
Hi,

the fix in Jinja 2.7.2  is not correct
http://openwall.com/lists/oss-security/2014/01/11/1




Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#734747; Package python-jinja2. (Tue, 21 Jan 2014 12:39:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Tue, 21 Jan 2014 12:39:09 GMT)


Message #25 received at 734747@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Philippe Makowski <pmakowski@espelida.com>, 734747@bugs.debian.org
Subject: Re: Bug#734747: Jinja 2.7.2 CVE-2014-0012
Date: Tue, 21 Jan 2014 13:36:22 +0100
Hi,

On Tue, Jan 21, 2014 at 01:22:51PM +0100, Philippe Makowski wrote:
> Hi,
> 
> the fix in Jinja 2.7.2  is not correct
> http://openwall.com/lists/oss-security/2014/01/11/1

FYI, this is known as #734956.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#734747; Package python-jinja2. (Tue, 21 Jan 2014 12:48:04 GMT)


Acknowledgement sent to Piotr Ożarowski <piotr@debian.org>:
Extra info received and forwarded to list. (Tue, 21 Jan 2014 12:48:04 GMT)


Message #30 received at 734747@bugs.debian.org:

From: Piotr Ożarowski <piotr@debian.org>
To: Philippe Makowski <pmakowski@espelida.com>
Cc: 734747@bugs.debian.org
Subject: Re: Bug#734747: Jinja 2.7.2 CVE-2014-0012
Date: Tue, 21 Jan 2014 13:37:16 +0100
[Philippe Makowski, 2014-01-21]
> the fix in Jinja 2.7.2  is not correct
> http://openwall.com/lists/oss-security/2014/01/11/1

that's why I added this patch:
http://patch-tracker.debian.org/patch/series/view/jinja2/2.7.2-2/fix_CVE-2014-0012.patch
see http://bugs.debian.org/734956

it's just a temporary fix - it practically disables caching so it's not
a long term solution (and that's why I didn't propose it as a fix in
Debian stable)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 19 Feb 2014 07:32:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:54:58 2019; Machine Name: beach
