CVE-2014-0012

Priority
Medium
Description
FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary
directories, which allows local users to gain privileges by pre-creating a
temporary directory with a user's uid. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2014-1402.
References
Bugs
Notes
mdeslaur> Introduced in 2.7.2, and in CVE-2014-1402 security fix.
mdeslaur> 2.7.2-2 in trusty switches to tempfile.mkdtemp which fixes the
mdeslaur> security issue, but isn't an ideal fix for proper caching.
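The description ties the flaw to a per-uid temporary directory that another local user can create first, and the note above points out that tempfile.mkdtemp closes the hole at the cost of a stable cache location. The following is an added example, not code from Jinja2 or from the Ubuntu patch: `secure_user_cache_dir`, `UnsafeCacheDir` and the `_example-cache-` prefix are hypothetical names, and POSIX semantics are assumed. It keeps a predictable per-uid path but refuses to use it unless it is a real directory owned by the caller with mode 0700.

```python
import errno
import os
import stat
import tempfile


class UnsafeCacheDir(RuntimeError):
    """Raised when the per-user cache directory cannot be trusted."""


def secure_user_cache_dir(base=None, prefix="_example-cache-"):
    """Return a stable per-uid cache directory, or raise UnsafeCacheDir.

    Hypothetical helper (not Jinja2's API). The path is predictable so cached
    files survive between runs, which means anything already sitting at that
    path must be verified before it is used.
    """
    base = base or tempfile.gettempdir()
    path = os.path.join(base, "%s%d" % (prefix, os.getuid()))
    try:
        os.mkdir(path, stat.S_IRWXU)  # request 0700; fails if the name exists
    except OSError as exc:
        if exc.errno != errno.EEXIST:
            raise
    # lstat, not stat: a symlink planted at this path must not be followed.
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeCacheDir("%s is not a directory" % path)
    if st.st_uid != os.getuid():
        # Someone else created the directory first and still controls it.
        raise UnsafeCacheDir("%s is owned by uid %d" % (path, st.st_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != stat.S_IRWXU:
        # Group or other access would let another user read or replace files.
        raise UnsafeCacheDir("%s has mode %o, expected 700" % (path, mode))
    return path


if __name__ == "__main__":
    # Constructed demo: use a throwaway base instead of the shared /tmp.
    with tempfile.TemporaryDirectory() as demo_base:
        print(secure_user_cache_dir(demo_base))
```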
Assigned-to
mdeslaur
Package
Upstream: released (2.7.3, 2.7.2-2)
Ubuntu 10.04 LTS (Lucid Lynx): ignored (reached end-of-life)
Ubuntu 12.04 LTS (Precise Pangolin): released (2.6-1ubuntu0.1)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (2.7.2-2)
Ubuntu 14.10 (Utopic Unicorn): not-affected (2.7.3-1)
Patches:
Upstream: https://github.com/mitsuhiko/jinja2/commit/964c61ce79f6748ff8c583e2eb12ec54082bf188

Updated: 2014-07-24 14:14:38 UTC (commit 8276)