Date: Fri, 10 Jan 2014 22:34:10 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: CVE assignment for jinja2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7

dirname = '_jinja2-cache-%d' % os.getuid()

Arun Babu Neelicattu of Red Hat spotted this commit which introduces a
temporary file creation vulnerability. This issue has been assigned
CVE-2014-0012. For information on how to safely create temporary files
please see
http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/

For Python simply use 'mkstemp' for files and 'mkdtemp' for
directories from the 'tempfile' module.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJS0NfSAAoJEBYNRVNeJnmT9BMQAMg1DOmYdeZc+E4iKDf8DB8Z
pUwmv0fq64L1zkWK6tPi4PcEAh2b37RaVKTW8pU7QAzsDYiQvuPpgFKrAKD/wKJq
S6ySyyILmc8+ZDdamkRTq97i8Cfe/tf5wR/el4Cax+P8sL5qlfAKzfzdoG6PHErk
zlvfv6ESAPDAmh6iC4ckd4+Kkda6xdN1pAJsY3y+TTtE/tnCRJfR5r6QZLsJma8p
ovRZ4zzbn0I+i5/kyReVKKRQSaHF2jMY5Mt12V/vkIFyHovL9MJC7GrSos0VM6C1
V6YtkWjc/GYyIeookaHXRpaJx65BLqPcaQ6EpQ8jcogkfnHT0Eyh9G9EItcfqA9g
2rd7/1H6zpM+ijzq4SVFZAzhXvUmstk6ruUzbP90BPwrD6YEobzRTys/ZsV9Wnek
HCTW2NYh/qXRSvQrwNoKB8rIrvg2YKoz40LBsMF3fsvrWKZ86zBNYsgebXecdc+T
F+fNh7ioBWZnKGpZFCCzarAzrV1OjkSuAmf7cLLITSttJOAZkD1bcn40R2Z6YiRf
fWKgR8Af/SqIq6/8EVk9FEzJ9ni2I/0qaPOzX5927xSV+4vogyYBq4RZhEwqCQjs
+zfpiOUwzDuiQ5aRmMYqJSXK5ww+qO5hNiLyyxfLY/psaP2Y2df5zaRltvMLxCuk
wU92wxHFjUBKS5wBgwlP
=7f5m
-----END PGP SIGNATURE-----
