Bug 1052102 (CVE-2014-0012)

Summary: CVE-2014-0012 python-jinja2: FileSystemBytecodeCache insecure cache temporary file use, incorrect CVE-2014-1402 fix
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, bgollahe, bkabrda, chrisw, dallan, drieden, gkotton, jkurik, jrusnack, lhh, lmacken, markmc, mmaslano, nobody+bgollahe, orion, pfrields, pj.pandit, python-maint, rbryant, rhos-maint, sclewis, tdawson, thomas.moschny, tkramer, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-16 19:00:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1051427    
Bug Blocks: 1051429    

Description Ratul Gupta 2014-01-13 10:29:54 UTC 
An insecure temporary file creation vulnerability was introduced in Jinja2 in the fix for CVE-2014-1402 through the commit:
https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7

References:
http://seclists.org/oss-sec/2014/q1/73
Comment 1 Ratul Gupta 2014-01-13 10:32:35 UTC 
Acknowledgement:

This issue was discovered by Arun Babu Neelicattu of the Red Hat Security Response Team.
Comment 3 Ratul Gupta 2014-01-13 10:50:59 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of python-jinja2 as shipped with Red Hat Enterprise Linux 6 as it did not include the patch that introduced this flaw.
Comment 8 Tomas Hoger 2014-01-27 16:14:31 UTC 
This issue has pretty much identical impact to the original issue - file overwrites typical for temporary file handling issues, or application using spoofed cache file.  As Jinja2 cache files contain python bytecode that is executed by Jinja2, there's a risk of direct code execution impact as a consequence of this flaw.
Comment 9 Tomas Hoger 2014-01-27 16:27:27 UTC 
Bug 1051421 comment 20 has few notes on how upstream fix used in Jinja2 2.7.2 changes impact of the issue.
Comment 10 Tomas Hoger 2014-01-27 17:08:17 UTC 
This patch used in Debian packages:

http://patch-tracker.debian.org/patch/series/view/jinja2/2.7.2-2/fix_CVE-2014-0012.patch

or this upstream pull request:

https://github.com/mitsuhiko/jinja2/pull/292

both use tempfile.mkdtemp() to create directory used to store cache files.  That does not seem like a viable approach, as previously discussed in bug 1051421 comment 12.