CVE-2014-0012

Priority
Medium
Description
FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary
directories, which allows local users to gain privileges by pre-creating a
temporary directory with a user's uid. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2014-1402.
References
Bugs
Notes
 mdeslaur> Introduced in 2.7.2, and in CVE-2014-1402 security fix.
 mdeslaur> 2.7.2-2 in trusty switches to tempfile.mkdtemp which fixes the
 mdeslaur> security issue, but isn't an ideal fix for proper caching.
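
The directory handling that the Description and the note above refer to, as an added example (not Jinja2's code and not the upstream patch): a predictable per-uid directory accepted blindly, the same stable name accepted only after ownership and mode checks, and `tempfile.mkdtemp`. The directory name and all function names are hypothetical, and a POSIX system is assumed.

```python
import os
import stat
import tempfile

NAME = "_example-cache-%d"  # hypothetical per-uid directory name


def predictable_cache_dir(base):
    """Weak: a guessable name under a shared root, used even if pre-created."""
    path = os.path.join(base, NAME % os.getuid())
    os.makedirs(path, exist_ok=True)  # silently accepts an existing directory
    return path


def checked_cache_dir(base):
    """Stable name, but only a real directory we own with mode 0700 is used."""
    path = os.path.join(base, NAME % os.getuid())
    try:
        os.mkdir(path, stat.S_IRWXU)
        os.chmod(path, stat.S_IRWXU)  # we just created it; undo any umask effect
    except FileExistsError:
        pass  # ours from an earlier run, or planted: verified below
    st = os.lstat(path)  # lstat, so a symlink cannot pass as a directory
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("not a directory: " + path)
    if st.st_uid != os.getuid():
        raise RuntimeError("owned by another uid: " + path)
    if stat.S_IMODE(st.st_mode) != stat.S_IRWXU:
        raise RuntimeError("mode is not 0700: " + path)
    return path


def random_cache_dir():
    """mkdtemp: unpredictable name, created 0700; not reused between runs."""
    return tempfile.mkdtemp(prefix="example-cache-")


def demo():
    """Constructed case: a world-writable directory stands in for a planted one."""
    base = tempfile.mkdtemp()
    planted = os.path.join(base, NAME % os.getuid())
    os.mkdir(planted)
    os.chmod(planted, 0o777)
    accepted = predictable_cache_dir(base) == planted
    try:
        checked_cache_dir(base)
    except RuntimeError:
        return accepted, True
    return accepted, False
```

`demo()` returns a pair: whether the weak function accepted the pre-existing directory, and whether the checked function rejected it.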
Assigned-to
mdeslaur
Package
Upstream: released (2.7.3, 2.7.2-2)
Ubuntu 12.04 LTS (Precise Pangolin): released (2.6-1ubuntu0.1)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (2.7.2-2)
Patches:
Upstream: https://github.com/mitsuhiko/jinja2/commit/964c61ce79f6748ff8c583e2eb12ec54082bf188
More Information

Updated: 2015-07-29 20:42:12 UTC (commit 9756)