Re: CVE assignment for jinja2

["Vincent Danen" <vdanen () redhat com>]

On 01/11/2014, at 13:58 PM, Salvatore Bonaccorso wrote:

> Hi Vicnent,
>
> Disclaimer: to be taken with some caution.
>
> On Sat, Jan 11, 2014 at 01:37:51PM -0700, Vincent Danen wrote:
> > On 01/10/2014, at 22:34 PM, Kurt Seifried wrote:
> >
> > > https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7
> > >
> > > dirname = '_jinja2-cache-%d' % os.getuid()
> > >
> > > Arun Babu Neelicattu of Red Hat spotted this commit which introduces a
> > > temporary file creation vulnerability. This issue has been assigned
> > > CVE-2014-0012. For information on how to safely create temporary files
> > > please see
> > > http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/
> > >
> > > For Python simply use ?mkstemp? for files and ?mkdtemp? for
> > > directories from the ?tempfile? module.
> >
> > MITRE assigned CVE-2014-1402 to this yesterday:
> >
> > http://seclists.org/oss-sec/2014/q1/71 (the report, the followup has the CVE assignment).
> >
> > That means you'll need to reject this assignment; the commit that Arun spotted was due to the Debian bug report 
> > (which the git commit notes, and Ratul linked to in his initial CVE request to the list).
>
> Aren't the two CVE assignments correct this way as the second
> temporary file creation vulnerability was introduced by the mentioned
> commit?
>
> Initially there was assigned CVE-2014-1402 for:
>
> http://seclists.org/oss-sec/2014/q1/71
>
> wich is also http://bugs.debian.org/734747 and was attempted to be
> fixed with commit
> https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7
>
> But the above commit introduces a new temporary file creation
> vulnerability, which then got CVE-2014-0012 assigned by Kurt.

Yes, all correct.  Which is why I apologized in a subsequent email about the confusion.  =)

-- 
Vincent Danen / Red Hat Security Response Team

Attachment: signature.asc
Description: OpenPGP digital signature