PublicDateAtUSN: 2014-05-19
Candidate: CVE-2014-1402
PublicDate: 2014-05-19 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1402
 https://ubuntu.com/security/notices/USN-2301-1
Description:
 The default configuration for bccache.FileSystemBytecodeCache in Jinja2
 before 2.7.2 does not properly create temporary files, which allows local
 users to gain privileges via a crafted .cache file with a name starting
 with __jinja2_ in /tmp.
Ubuntu-Description:
Notes:
 mdeslaur> upstream commit below included in 2.7.2 introduces a temp file
 mdeslaur> issue, which is CVE-2014-0012
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747
 https://bugzilla.redhat.com/show_bug.cgi?id=1051421
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_jinja2:
 upstream: https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7
upstream_jinja2: released (2.7.2)
lucid_jinja2: ignored (reached end-of-life)
precise_jinja2: released (2.6-1ubuntu0.1)
quantal_jinja2: ignored (reached end-of-life)
raring_jinja2: ignored (reached end-of-life)
saucy_jinja2: ignored (reached end-of-life)
trusty_jinja2: not-affected (2.7.2-2)
trusty/esm_jinja2: not-affected (2.7.2-2)
devel_jinja2: not-affected (2.7.2-2)