jinja2: CVE-2014-0012: unsafe temporary files creation

Related Vulnerabilities: CVE-2014-0012, CVE-2014-1402

Debian Bug report logs - #734956


Package: jinja2; Maintainer for jinja2 is Piotr Ożarowski <piotr@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 11 Jan 2014 07:24:02 UTC

Severity: important

Tags: security, upstream

Found in version 2.7.2-1

Fixed in version jinja2/2.7.2-2

Done: Piotr Ożarowski <piotr@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#734956; Package jinja2. (Sat, 11 Jan 2014 07:24:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Piotr Ożarowski <piotr@debian.org>. (Sat, 11 Jan 2014 07:24:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jinja2: CVE-2014-0012: unsafe temporary files creation
Date: Sat, 11 Jan 2014 08:22:41 +0100
Package: jinja2
Version: 2.7.2-1
Severity: important
Tags: security upstream

Hi Piotr,

the following vulnerability was published for jinja2. The upload for
jinja2/2.7.2-1 addressing CVE-2014-1402 introduced an unsafe temporary
file creation vulnerability.

CVE-2014-0012[0]:
unsafe temporary files creation

See also [1] for the CVE assignment. See the nice blogpost[2] from
Kurt Seifried for information on how to safely create temporary files
and directories in various languages.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0012
    http://security-tracker.debian.org/tracker/CVE-2014-0012
[1] http://www.openwall.com/lists/oss-security/2014/01/11/1
[2] http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#734956; Package jinja2. (Sat, 11 Jan 2014 09:09:05 GMT)


Message #8 received at 734956@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 734956@bugs.debian.org
Subject: Re: Bug#734956: jinja2: CVE-2014-0012: unsafe temporary files creation
Date: Sat, 11 Jan 2014 10:06:22 +0100
* Salvatore Bonaccorso <carnil@debian.org>, 2014-01-11, 08:22:
>the following vulnerability was published for jinja2. The upload for
>jinja2/2.7.2-1 addressing CVE-2014-1402 introduced an unsafe temporary
>file creation vulnerability.

Yup, the fix in 2.7.2 is not much better. Actually, it enables one to
perform fully-automated attacks. Here's how a local attacker could do
it:

1) Create /tmp/_jinja2-cache-$UID for every uid on the system. Make the
directories world-writable (0777), so that victims can create files in
them.

2) Wait until someone creates some files in the cache directories. Then
replace the files with your crafted ones. (While you don't have
permission to modify the files directly, you can delete a file, and then
create another one under the same name.)

-- 
Jakub Wilk
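The defensive counterpart to the scenario Jakub describes, written as an added example for this bug log (it is not jinja2's code and not part of the original report): a check that rejects a cache directory which is a symlink, owned by someone else, or group/world-writable, plus the mkdtemp-based creation that the 2.7.2-2 changelog names as the fix. Function names and the constructed `demo()` scenario are my own.

```python
import os
import shutil
import stat
import tempfile


def cache_dir_is_safe(path, uid=None):
    """Accept `path` only if it is a real directory (not a symlink), owned by
    `uid`, and writable by nobody else. A pre-created, world-writable
    /tmp/_jinja2-cache-$UID fails on ownership and/or mode."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink someone else planted
    except OSError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == uid
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def make_private_cache_dir(parent=None, prefix="_jinja2-cache-"):
    """Create the cache directory the way the 2.7.2-2 changelog describes:
    tempfile.mkdtemp picks an unpredictable name and creates it atomically
    with mode 0700, so nobody can pre-create it or write into it."""
    return tempfile.mkdtemp(prefix=prefix, dir=parent)


def demo():
    """Constructed scenario (hypothetical, built inside a scratch directory):
    a directory planted with the predictable name and mode 0777 from step 1
    above, next to one created by mkdtemp. Returns the verdicts of the check."""
    base = tempfile.mkdtemp(prefix="demo-")
    try:
        planted = os.path.join(base, "_jinja2-cache-%d" % os.getuid())
        os.mkdir(planted)
        os.chmod(planted, 0o777)  # os.mkdir applies the umask, so force 0777
        private = make_private_cache_dir(parent=base)
        return {
            "planted": cache_dir_is_safe(planted),   # False: world-writable
            "private": cache_dir_is_safe(private),   # True: ours, mode 0700
            "private_mode": stat.S_IMODE(os.stat(private).st_mode),
        }
    finally:
        shutil.rmtree(base)
```

In the real attack the planted directory is also owned by a different uid, which the ownership test rejects on its own; the mode test catches the case where the owner matches but the permissions were loosened.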



Reply sent to Piotr Ożarowski <piotr@debian.org>:
You have taken responsibility. (Sun, 12 Jan 2014 15:24:30 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 12 Jan 2014 15:24:30 GMT)


Message #13 received at 734956-close@bugs.debian.org:

From: Piotr Ożarowski <piotr@debian.org>
To: 734956-close@bugs.debian.org
Subject: Bug#734956: fixed in jinja2 2.7.2-2
Date: Sun, 12 Jan 2014 15:22:29 +0000
Source: jinja2
Source-Version: 2.7.2-2

We believe that the bug you reported is fixed in the latest version of
jinja2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 734956@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Ożarowski <piotr@debian.org> (supplier of updated jinja2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 12 Jan 2014 15:09:04 +0100
Source: jinja2
Binary: python-jinja2 python-jinja2-doc python3-jinja2
Architecture: source all
Version: 2.7.2-2
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <piotr@debian.org>
Changed-By: Piotr Ożarowski <piotr@debian.org>
Description: 
 python-jinja2 - small but fast and easy to use stand-alone template engine
 python-jinja2-doc - documentation for the Jinja2 Python library
 python3-jinja2 - small but fast and easy to use stand-alone template engine
Closes: 734956
Changes: 
 jinja2 (2.7.2-2) unstable; urgency=high
 .
   * Add fix_CVE-2014-1402 patch which uses tempfile.mkdtemp to create
     cache dir (closes: 734956)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 12 Feb 2014 07:31:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:59:57 2019; Machine Name: buxtehude
