oss-sec mailing list archives
Re: CVE assignment for jinja2
From: "Vincent Danen" <vdanen () redhat com>
Date: Sat, 11 Jan 2014 13:51:47 -0700
On 01/11/2014, at 13:37 PM, Vincent Danen wrote:
On 01/10/2014, at 22:34 PM, Kurt Seifried wrote:https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7 dirname = '_jinja2-cache-%d' % os.getuid() Arun Babu Neelicattu of Red Hat spotted this commit which introduces a temporary file creation vulnerability. This issue has been assigned CVE-2014-0012. For information on how to safely create temporary files please see http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/ For Python simply use ?mkstemp? for files and ?mkdtemp? for directories from the ?tempfile? module.MITRE assigned CVE-2014-1402 to this yesterday: http://seclists.org/oss-sec/2014/q1/71 (the report, the followup has the CVE assignment). That means you'll need to reject this assignment; the commit that Arun spotted was due to the Debian bug report (which the git commit notes, and Ratul linked to in his initial CVE request to the list).
Sorry, I thought the same thing as what Ratul requested for (CVE-2014-1402) was being reported again. This is indeed something different as the git commit to fix CVE-2014-1402 introduced this new temporary file issue. Sorry for the noise/confusion. -- Vincent Danen / Red Hat Security Response Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE assignment for jinja2 Kurt Seifried (Jan 10)
- Re: CVE assignment for jinja2 Vincent Danen (Jan 11)
- Re: CVE assignment for jinja2 Vincent Danen (Jan 11)
- Re: CVE assignment for jinja2 Salvatore Bonaccorso (Jan 11)
- Re: CVE assignment for jinja2 Vincent Danen (Jan 11)
- Re: CVE assignment for jinja2 Vincent Danen (Jan 11)