Bug 1052102 (CVE-2014-0012) - CVE-2014-0012 python-jinja2: FileSystemBytecodeCache insecure cache temporary file use, incorrect CVE-2014-1402 fix
Summary: CVE-2014-0012 python-jinja2: FileSystemBytecodeCache insecure cache temporary...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-0012
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1051427
Blocks: 1051429
TreeView+ depends on / blocked
 
Reported: 2014-01-13 10:29 UTC by Ratul Gupta
Modified: 2019-09-29 13:12 UTC (History)
28 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-16 19:00:28 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Debian BTS 734956 None None None Never

Description Ratul Gupta 2014-01-13 10:29:54 UTC
An insecure temporary file creation vulnerability was introduced in Jinja2 in the fix for CVE-2014-1402 through the commit:
https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7

References:
http://seclists.org/oss-sec/2014/q1/73

Comment 1 Ratul Gupta 2014-01-13 10:32:35 UTC
Acknowledgement:

This issue was discovered by Arun Babu Neelicattu of the Red Hat Security Response Team.

Comment 3 Ratul Gupta 2014-01-13 10:50:59 UTC
Statement:

Not vulnerable. This issue did not affect the versions of python-jinja2 as shipped with Red Hat Enterprise Linux 6 as it did not include the patch that introduced this flaw.

Comment 8 Tomas Hoger 2014-01-27 16:14:31 UTC
This issue has pretty much identical impact to the original issue - file overwrites typical for temporary file handling issues, or application using spoofed cache file.  As Jinja2 cache files contain python bytecode that is executed by Jinja2, there's a risk of direct code execution impact as a consequence of this flaw.

Comment 9 Tomas Hoger 2014-01-27 16:27:27 UTC
Bug 1051421 comment 20 has few notes on how upstream fix used in Jinja2 2.7.2 changes impact of the issue.

Comment 10 Tomas Hoger 2014-01-27 17:08:17 UTC
This patch used in Debian packages:

http://patch-tracker.debian.org/patch/series/view/jinja2/2.7.2-2/fix_CVE-2014-0012.patch

or this upstream pull request:

https://github.com/mitsuhiko/jinja2/pull/292

both use tempfile.mkdtemp() to create directory used to store cache files.  That does not seem like a viable approach, as previously discussed in bug 1051421 comment 12.


Note You need to log in before you can comment on or make changes to this bug.