Date: Sat, 11 Jan 2014 13:37:51 -0700 From: "Vincent Danen" <vdanen@...hat.com> To: "Open Source Security" <oss-security@...ts.openwall.com> Subject: Re: CVE assignment for jinja2 On 01/10/2014, at 22:34 PM, Kurt Seifried wrote: > https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7 > > dirname = '_jinja2-cache-%d' % os.getuid() > > Arun Babu Neelicattu of Red Hat spotted this commit which introduces a > temporary file creation vulnerability. This issue has been assigned > CVE-2014-0012. For information on how to safely create temporary files > please see > http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/ > > For Python simply use ?mkstemp? for files and ?mkdtemp? for > directories from the ?tempfile? module. MITRE assigned CVE-2014-1402 to this yesterday: http://seclists.org/oss-sec/2014/q1/71 (the report, the followup has the CVE assignment). That means you'll need to reject this assignment; the commit that Arun spotted was due to the Debian bug report (which the git commit notes, and Ratul linked to in his initial CVE request to the list). -- Vincent Danen / Red Hat Security Response Team [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ