mailing list archives
Re: CVE assignment for jinja2
From: "Vincent Danen" <vdanen () redhat com>
Date: Sat, 11 Jan 2014 13:51:47 -0700
On 01/11/2014, at 13:37 PM, Vincent Danen wrote:
On 01/10/2014, at 22:34 PM, Kurt Seifried wrote:
dirname = '_jinja2-cache-%d' % os.getuid()
Arun Babu Neelicattu of Red Hat spotted this commit which introduces a
temporary file creation vulnerability. This issue has been assigned
CVE-2014-0012. For information on how to safely create temporary files
For Python simply use ?mkstemp? for files and ?mkdtemp? for
directories from the ?tempfile? module.
MITRE assigned CVE-2014-1402 to this yesterday:
http://seclists.org/oss-sec/2014/q1/71 (the report, the followup has the CVE assignment).
That means you'll need to reject this assignment; the commit that Arun spotted was due to the Debian bug report
(which the git commit notes, and Ratul linked to in his initial CVE request to the list).
Sorry, I thought the same thing as what Ratul requested for (CVE-2014-1402) was being reported again. This is indeed
something different as the git commit to fix CVE-2014-1402 introduced this new temporary file issue.
Sorry for the noise/confusion.
Vincent Danen / Red Hat Security Response Team
Description: OpenPGP digital signature