Package: python-jinja2
Version: 2.7.1-1
Severity: important
Tags: security
Default directory for jinja2.bccache.FileSystemBytecodeCache is /tmp.
This is insecure, because the directory is world-writable and the filenames
that FileSystemBytecodeCache uses are of course predictable. As I
understand it, a malicious local user could exploit this bug to execute
arbitrary code as another user.
A proof of concept is attached. If you put the __jinja2_*.cache file in
/tmp and make it world-readable, then test-bccache.py will print "moo"
instead of "foo" (even when run by a user other than the owner of the
cache file).
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages python-jinja2 depends on:
ii python 2.7.5-5
ii python-markupsafe 0.18-1
--
Jakub Wilk
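An added, defender-side example (not code from the bug report, from Jinja2 or from the Debian package) of the mitigation a deployment on 2.7.1 could apply itself: keep the bytecode cache in a per-user 0700 directory and refuse one that another user could have pre-created in a shared, world-writable location such as /tmp. The `jinja2-cache-<uid>` directory name, the check names and the scratch directory built by `demo()` are assumptions of this example.

```python
import os
import stat
import tempfile

def check_cache_dir(path):
    """Return what would let another local user plant files in `path`; [] means private."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]  # a link could redirect the cache anywhere
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    problems = []
    if st.st_uid != os.getuid():
        problems.append("owned-by-other-user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group-or-world-writable")
    return problems

def private_cache_dir(base=None):
    """Create or reuse a per-user 0700 cache dir under `base` (default: system temp dir)."""
    base = base or tempfile.gettempdir()
    path = os.path.join(base, "jinja2-cache-%d" % os.getuid())  # assumed name
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # may have been pre-created by someone else: verify below
    problems = check_cache_dir(path)
    if problems:
        raise RuntimeError("unsafe cache dir %s: %s" % (path, ", ".join(problems)))
    return path

def make_env(template_dir, cache_base=None):
    """Jinja2 Environment whose bytecode cache is NOT the 2.7.1 default of bare /tmp."""
    import jinja2  # imported here so the checks above run without jinja2 installed
    cache = jinja2.FileSystemBytecodeCache(directory=private_cache_dir(cache_base))
    return jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir),
                              bytecode_cache=cache)

def demo():
    """Self-check on a constructed scratch base, not the real /tmp."""
    base = tempfile.mkdtemp(prefix="bccache-demo-")
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)  # mimic a bare, world-writable, sticky /tmp
    return {"shared": check_cache_dir(shared),
            "private": check_cache_dir(private_cache_dir(base))}
```

`check_cache_dir` deliberately uses `lstat` so a symlink dropped at the expected name is rejected rather than followed; `private_cache_dir` tolerates a pre-existing directory only when the caller owns it and nobody else can write to it.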
Information forwarded
to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>: Bug#734747; Package python-jinja2.
(Fri, 10 Jan 2014 10:57:09 GMT)
Acknowledgement sent
to Armin Ronacher <armin.ronacher@active-4.com>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>.
(Fri, 10 Jan 2014 10:57:09 GMT)
Changed Bug title to 'jinja2: CVE-2014-1402: jinja2.bccache.FileSystemBytecodeCache: insecure default directory' from 'jinja2.bccache.FileSystemBytecodeCache: insecure default directory'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 10 Jan 2014 12:33:18 GMT)
Reply sent
to Piotr Ożarowski <piotr@debian.org>:
You have taken responsibility.
(Fri, 10 Jan 2014 21:33:13 GMT)
Notification sent
to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer.
(Fri, 10 Jan 2014 21:33:13 GMT)
Source: jinja2
Source-Version: 2.7.2-1
We believe that the bug you reported is fixed in the latest version of
jinja2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 734747@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Piotr Ożarowski <piotr@debian.org> (supplier of updated jinja2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 10 Jan 2014 20:56:20 +0100
Source: jinja2
Binary: python-jinja2 python-jinja2-doc python3-jinja2
Architecture: source all
Version: 2.7.2-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <piotr@debian.org>
Changed-By: Piotr Ożarowski <piotr@debian.org>
Description:
python-jinja2 - small but fast and easy to use stand-alone template engine
python-jinja2-doc - documentation for the Jinja2 Python library
python3-jinja2 - small but fast and easy to use stand-alone template engine
Closes: 734747
Changes:
jinja2 (2.7.2-1) unstable; urgency=high
.
* New upstream release
- changes default folder for the filesystem cache (closes: 734747, CVE-2014-1402)
Information forwarded
to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>: Bug#734747; Package python-jinja2.
(Tue, 21 Jan 2014 12:21:10 GMT)
Acknowledgement sent
to Philippe Makowski <pmakowski@espelida.com>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>.
(Tue, 21 Jan 2014 12:21:10 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>: Bug#734747; Package python-jinja2.
(Tue, 21 Jan 2014 12:39:09 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>.
(Tue, 21 Jan 2014 12:39:09 GMT)
Hi,
On Tue, Jan 21, 2014 at 01:22:51PM +0100, Philippe Makowski wrote:
> Hi,
>
> the fix in Jinja 2.7.2 is not correct
> http://openwall.com/lists/oss-security/2014/01/11/1
FYI, this is known as #734956.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#734747; Package python-jinja2.
(Tue, 21 Jan 2014 12:48:04 GMT)
Acknowledgement sent
to Piotr Ożarowski <piotr@debian.org>:
Extra info received and forwarded to list.
(Tue, 21 Jan 2014 12:48:04 GMT)