
CVE-2014-0012

Published: 19 May 2014

FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.

Priority

Medium

Status

Package: jinja2 (Launchpad, Ubuntu, Debian)
Release: Upstream, Status: Released (2.7.3, 2.7.2-2)
Release: Ubuntu 14.04 ESM (Trusty Tahr), Status: Not vulnerable (2.7.2-2)
Patches:
Upstream: https://github.com/mitsuhiko/jinja2/commit/964c61ce79f6748ff8c583e2eb12ec54082bf188

Notes

Author: mdeslaur
Note: Introduced in 2.7.2, and in CVE-2014-1402 security fix.
2.7.2-2 in trusty switches to tempfile.mkdtemp which fixes the
security issue, but isn't an ideal fix for proper caching.
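
A cache directory with a predictable per-user name can stay reusable across runs, which a fresh tempfile.mkdtemp directory cannot, if the code verifies what is actually at that path before trusting it. The following is an added example, not code from Jinja2 or from the Ubuntu package; the function name secure_user_cache_dir, the base parameter and the "_example-cache-" prefix are hypothetical.

```python
import errno
import os
import stat
import tempfile


def secure_user_cache_dir(base=None, prefix="_example-cache-"):
    """Return a stable per-user cache directory under base, or raise.

    base and prefix are hypothetical names chosen for this example.
    """
    base = base or tempfile.gettempdir()
    uid = os.getuid()
    path = os.path.join(base, "%s%d" % (prefix, uid))
    try:
        # mkdir never follows a symlink at the final path component and
        # fails with EEXIST if anything already holds this name.
        os.mkdir(path, stat.S_IRWXU)
    except OSError as exc:
        if exc.errno != errno.EEXIST:
            raise
    # lstat, not stat: a symlink sitting under the predictable name must be
    # seen as a symlink, not as the directory it points to.
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a real directory" % path)
    if st.st_uid != uid:
        raise RuntimeError("%s is owned by uid %d, not %d" % (path, st.st_uid, uid))
    if mode != stat.S_IRWXU:
        raise RuntimeError("%s has mode %o, expected 700" % (path, mode))
    return path


if __name__ == "__main__":
    print(secure_user_cache_dir())
```

The function fails closed: a directory that already exists but is owned by another uid, is a symlink, or is accessible to group or others is rejected rather than repaired.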
