Bug 1698839 (CVE-2019-10906) - CVE-2019-10906 python-jinja2: str.format_map allows sandbox escape
Summary: CVE-2019-10906 python-jinja2: str.format_map allows sandbox escape
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10906
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190406,repo...
Depends On: 1698840 1699112 1701301 1699111 1699113 1699114 1701123 1701124 1701184 1701300 1701302 1701303 1701304 1701306 1702428
Blocks: 1698841
Reported: 2019-04-11 10:55 UTC by Dhananjay Arunesh
Modified: 2019-09-18 22:55 UTC (History)
CC List: 44 users

Fixed In Version: jinja 2.10.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:53:56 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1152 None None None 2019-05-13 10:51:09 UTC
Red Hat Product Errata RHSA-2019:1237 None None None 2019-05-16 12:56:37 UTC
Red Hat Product Errata RHSA-2019:1329 None None None 2019-06-04 15:16:54 UTC

Description Dhananjay Arunesh 2019-04-11 10:55:05 UTC
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

Reference:
https://palletsprojects.com/blog/jinja-2-10-1-released/

Upstream commit:
https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26

Comment 1 Dhananjay Arunesh 2019-04-11 11:01:06 UTC
Created python-jinja2 tracking bugs for this issue:

Affects: epel-6 [bug 1698840]

Comment 2 Tomas Hoger 2019-04-11 20:02:01 UTC
Created python-jinja2 tracking bugs for this issue:

Affects: fedora-all [bug 1699111]


Created python3-jinja2 tracking bugs for this issue:

Affects: epel-6 [bug 1699113]
Affects: epel-7 [bug 1699114]

Comment 11 Riccardo Schirone 2019-04-18 15:09:40 UTC
External References:

https://palletsprojects.com/blog/jinja-2-10-1-released/

Comment 23 Summer Long 2019-04-26 04:38:39 UTC
Mitigation:

If you cannot upgrade python-Jinja2, you can override the `is_safe_attribute` method on the sandbox and explicitly disallow the `format_map` method on string objects.

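The mitigation above can be applied as a small subclass of Jinja's sandbox. The following is an added example, not code from the bug report or from the Jinja project: it overrides `is_safe_attribute` so that any attempt by a template to reach `str.format_map` is turned into an unsafe-undefined value, which the sandbox raises as a `SecurityError` when called. It assumes the `jinja2` package is installed; the class name `NoFormatMapSandbox` and the helper function names are this example's own choices. A one-line check for the "python2 does not support str.format_map" statement from Comment 24 is included as well.

```python
# Added example (not from the bug report): hardening an unpatched python-jinja2
# sandbox against CVE-2019-10906 by denying attribute access to str.format_map,
# as the mitigation comment describes. Requires the jinja2 package; the class
# and function names below are assumptions made for this example.
from jinja2.sandbox import SandboxedEnvironment, SecurityError


class NoFormatMapSandbox(SandboxedEnvironment):
    """SandboxedEnvironment that never exposes str.format_map to templates."""

    def is_safe_attribute(self, obj, attr, value):
        # Deny the one method the pre-2.10.1 sandbox did not intercept;
        # every other attribute keeps the default sandbox policy.
        if isinstance(obj, str) and attr == "format_map":
            return False
        return super().is_safe_attribute(obj, attr, value)


def render_in_sandbox(source, **context):
    """Render an untrusted template string in the hardened sandbox.

    Returns the rendered text, or the SecurityError the sandbox raised.
    """
    env = NoFormatMapSandbox()
    try:
        return env.from_string(source).render(**context)
    except SecurityError as exc:
        return exc


def format_map_is_blocked():
    """True if a template that calls str.format_map is rejected."""
    result = render_in_sandbox('{{ "{x}".format_map(data) }}', data={"x": 1})
    return isinstance(result, SecurityError)


def ordinary_templates_still_work():
    """Sanity check: benign templates render unchanged under the override."""
    return render_in_sandbox("Hello {{ name }}!", name="world") == "Hello world!"


def interpreter_has_format_map():
    """The Comment 24 observation as a runtime check: python2's str lacks
    format_map, so interpreters returning False here are not affected."""
    return hasattr(str, "format_map")


if __name__ == "__main__":
    print("interpreter exposes str.format_map:", interpreter_has_format_map())
    print("format_map blocked by sandbox:", format_map_is_blocked())
    print("benign template still renders:", ordinary_templates_still_work())
```

Because the override sits in `is_safe_attribute`, it takes effect at attribute lookup rather than at call time, so it also covers templates that only reference `format_map` without calling it. Once the package is upgraded to 2.10.1 or later the subclass is redundant but harmless.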
Comment 24 Riccardo Schirone 2019-04-26 07:22:03 UTC
Statement:

Red Hat Virtualization Management Appliance includes python-jinja2 as a dependency of ovirt-engine-backend, which only uses it with controlled format strings that are not exploitable.
Red Hat Satellite 6 will receive fixes through the underlying Red Hat Enterprise Linux, so it won't issue updates to its own affected package.

This issue does not affect versions of python-jinja2 as shipped with:
* Red Hat Enterprise Linux 6 and 7, as python2 does not support str.format_map.
* Red Hat Update Infrastructure, as it does not use the Sandbox feature, nor does it allow untrusted jinja2 templates.
* Red Hat Ceph Storage 2, 3 and Red Hat Gluster Storage 3, as python2 does not support str.format_map.
* Red Hat OpenStack Platform 13 or 14, as python2 does not support str.format_map.

Comment 25 Lumír Balhar 2019-05-06 09:04:24 UTC
Why are there no bugs created for the python27:2.7 module, where python-jinja2 is available? Should I create them as a copy of the bugs for rhel 8.0.0 and 8.1.0?

Comment 26 errata-xmlrpc 2019-05-13 10:51:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1152 https://access.redhat.com/errata/RHSA-2019:1152

Comment 29 errata-xmlrpc 2019-05-16 12:56:35 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1237 https://access.redhat.com/errata/RHSA-2019:1237

Comment 30 errata-xmlrpc 2019-06-04 15:16:52 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1329 https://access.redhat.com/errata/RHSA-2019:1329
