Package: python-jinja2
Version: 2.7.1-1
Severity: important
Tags: security
The default directory for jinja2.bccache.FileSystemBytecodeCache is /tmp. This is insecure, because the directory is world-writable and the filenames that FileSystemBytecodeCache uses are of course predictable. As I understand it, a malicious local user could exploit this bug to execute arbitrary code as another user.
A proof of concept is attached. If you put the __jinja2_*.cache file in /tmp and make it world-readable, then test-bccache.py will print "moo" instead of "foo" (even when run by a user other than the owner of the cache file).
-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-jinja2 depends on:
ii  python             2.7.5-5
ii  python-markupsafe  0.18-1

-- Jakub Wilk
Attachment: __jinja2_0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33.cache (Description: chemical/cache)

Attachment: test-bccache.py
#!/usr/bin/python2.7
# test-bccache.py: renders the in-memory template 'foo', which should print "foo".
# FileSystemBytecodeCache() with no directory argument keeps compiled templates
# under /tmp, so a planted __jinja2_*.cache file there is loaded instead.
import jinja2

loader = jinja2.DictLoader({'foo': 'foo'})
cache = jinja2.bccache.FileSystemBytecodeCache()   # default directory: /tmp
env = jinja2.Environment(
    loader=loader,
    bytecode_cache=cache,
)
print env.get_template('foo').render()
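The mitigation for the report above is to keep the bytecode cache out of any shared, world-writable directory and to verify the directory before using it. The following is an added example (Python 3), not code from the bug report or from Jinja2: it computes the cache file name for a template served by DictLoader (which mixes no source filename into the key, so the name for 'foo' is the attached file's name), audits a candidate cache directory for ownership and write permissions, creates a fresh mode-0700 directory under the user's own cache directory, and only then builds the Environment. It assumes a POSIX host (os.getuid) and Jinja2's FileSystemBytecodeCache(directory=...) keyword; the helper names check_cache_dir, private_cache_dir and make_environment are this example's own.

```python
"""Pick and verify a private directory for Jinja2's FileSystemBytecodeCache.

Added example, not part of the bug report. Assumes a POSIX host (os.getuid)
and the FileSystemBytecodeCache(directory=...) keyword; helper names are ours.
"""
import hashlib
import os
import stat
import tempfile


def cache_file_name(template_name):
    """Cache file name for a template with no source filename (DictLoader):
    '__jinja2_' + sha1(name) + '.cache'. For 'foo' this is the attached
    __jinja2_0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33.cache, which is why the
    report calls the names predictable."""
    digest = hashlib.sha1(template_name.encode("utf-8")).hexdigest()
    return "__jinja2_%s.cache" % digest


def check_cache_dir(path):
    """Return the reasons `path` is unsafe as a bytecode cache directory.

    An empty list means: exists, is a real directory (not a symlink), is owned
    by the current user, and is not writable by group or others. /tmp fails at
    least the last check, which is what lets another local user plant a file.
    """
    problems = []
    try:
        st = os.lstat(path)          # lstat: do not follow a planted symlink
    except OSError:
        return ["does not exist"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISDIR(st.st_mode):
        problems.append("is not a directory")
    if st.st_uid != os.getuid():
        problems.append("owned by uid %d, not the current user" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    return problems


def private_cache_dir(base=None):
    """Create a fresh mode-0700 cache directory under `base` (default:
    ~/.cache) and verify it before handing it back."""
    base = base or os.path.join(os.path.expanduser("~"), ".cache")
    os.makedirs(base, mode=0o700, exist_ok=True)
    path = tempfile.mkdtemp(prefix="jinja2-bccache-", dir=base)  # created 0700
    problems = check_cache_dir(path)
    if problems:
        raise RuntimeError("%s: %s" % (path, "; ".join(problems)))
    return path


def make_environment(loader, cache_dir):
    """Build a Jinja2 Environment whose bytecode cache is confined to a
    directory that passes check_cache_dir; refuse anything else."""
    import jinja2  # imported here so the checks above run without Jinja2
    problems = check_cache_dir(cache_dir)
    if problems:
        raise RuntimeError("refusing cache dir %s: %s"
                           % (cache_dir, "; ".join(problems)))
    cache = jinja2.FileSystemBytecodeCache(directory=cache_dir)
    return jinja2.Environment(loader=loader, bytecode_cache=cache)


if __name__ == "__main__":
    import jinja2
    print("/tmp problems:", check_cache_dir("/tmp"))
    cache_dir = private_cache_dir()
    env = make_environment(jinja2.DictLoader({"foo": "foo"}), cache_dir)
    print(env.get_template("foo").render())   # "foo", compiled into cache_dir
    print(sorted(os.listdir(cache_dir)))      # [cache_file_name("foo")]
```

The check is deliberately done with lstat on the directory itself, so a symlink dropped at the expected path is rejected rather than followed; creating the directory with mkdtemp (mode 0700) under a location only the user can write to removes the shared-namespace problem that the report describes.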

