oss-sec mailing list archives

Re: CVE assignment for jinja2
From: "Vincent Danen" <vdanen () redhat com>
Date: Sat, 11 Jan 2014 13:37:51 -0700

On 01/10/2014, at 22:34 PM, Kurt Seifried wrote:

https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7

dirname = '_jinja2-cache-%d' % os.getuid()

Arun Babu Neelicattu of Red Hat spotted this commit which introduces a
temporary file creation vulnerability. This issue has been assigned
CVE-2014-0012. For information on how to safely create temporary files
please see
http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/

For Python simply use 'mkstemp' for files and 'mkdtemp' for
directories from the 'tempfile' module.

MITRE assigned CVE-2014-1402 to this yesterday:

http://seclists.org/oss-sec/2014/q1/71 (the report, the followup has the CVE assignment).

That means you'll need to reject this assignment; the commit that Arun spotted was due to the Debian bug report (which the git commit notes, and Ratul linked to in his initial CVE request to the list).

-- 
Vincent Danen / Red Hat Security Response Team

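An added example, not part of this thread or of Jinja2's code, contrasting the uid-only directory name from the quoted commit with the tempfile.mkdtemp() approach Kurt recommends, plus a small ownership/permission check a loader could run before reusing a cache directory. The helper names (predictable_cache_dir, secure_cache_dir, is_private_dir, demo_lax_dir) are my own.

```python
import os
import stat
import tempfile

def predictable_cache_dir():
    """The pattern from the quoted commit: the name depends only on the uid,
    so anyone who can write to the shared temp directory knows it in advance."""
    dirname = '_jinja2-cache-%d' % os.getuid()
    return os.path.join(tempfile.gettempdir(), dirname)

def secure_cache_dir(prefix='_jinja2-cache-'):
    """Hardened form: mkdtemp() creates the directory atomically with a random
    suffix and mode 0o700, so it can be neither guessed nor pre-created."""
    return tempfile.mkdtemp(prefix=prefix)

def is_private_dir(path):
    """Defensive check before reusing a cache directory: it must be a real
    directory (not a symlink), owned by us, with no group/other permissions."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        return False
    return stat.S_IMODE(st.st_mode) & 0o077 == 0

def demo_lax_dir():
    """Constructed input: a directory with the predictable name but group/other
    bits set, created under a private parent so the demo stays self-contained."""
    parent = tempfile.mkdtemp()
    lax = os.path.join(parent, '_jinja2-cache-%d' % os.getuid())
    os.mkdir(lax)
    os.chmod(lax, 0o777)
    return lax

if __name__ == '__main__':
    print('predictable:', predictable_cache_dir())
    good = secure_cache_dir()
    print('mkdtemp    :', good, 'private:', is_private_dir(good))
    lax = demo_lax_dir()
    print('lax dir    :', lax, 'private:', is_private_dir(lax))
    os.rmdir(lax)
    os.rmdir(os.path.dirname(lax))
    os.rmdir(good)
```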

