| Summary: | python-cookiecutter new security issue CVE-2022-24065 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs, yvesbrungard |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | python-cookiecutter-1.7.3-3.mga9.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser 2022-06-20 19:38:12 CEST

David Walser 2022-06-20 19:38:23 CEST

Whiteboard: (none) => MGA8TOO

Assigning this globally because 'python-cookiecutter' has been previously updated by different packagers.

Assignee: bugsquad => pkg-bugs

There is now:

python3-cookiecutter-1.7.2-2.mga8.noarch
python-cookiecutter-doc-1.7.2-2.mga8.noarch

It contains the patch from https://github.com/cookiecutter/cookiecutter/pull/1689

Cauldron is updated to 2.1.1.

Status comment: Fixed upstream in 2.1.1 => (none)

from python-cookiecutter-1.7.2-2.mga8.src.rpm

MGA8-64 Plasma on Acer Aspire 5253

No installation issues, apart from the fact that in MCC the same description is given for the python3-cookiecutter as for the python-cookiecutter-doc, which is not correct AFAICS.

Found example in python-cookiecutter-doc, following it...

CC: (none) => herman.viaene

I don't get it:
```
$ mkdir HelloCookieCutter1
[tester8@mach7 Documents]$ cd HelloCookieCutter1
[tester8@mach7 HelloCookieCutter1]$ mkdir {{cookiecutter.testset}}
[tester8@mach7 HelloCookieCutter1]$ cd {{cookiecutter.testset}}
[tester8@mach7 {{cookiecutter.testset}}]$ touch {{cookiecutter.testfile}}.py
```
So far so good, but then there is something I don't quite understand:
"Anything inside templating tags can be placed inside a namespace. Here, by putting directory_name inside the cookiecutter namespace, cookiecutter.directory_name will be looked up from the cookiecutter.json file as the project is generated by Cookiecutter."
Continuing anyway, I created the cookiecutter.json file and went on:
```
$ cd ..
[tester8@mach7 Documents]$ mkdir cookcut
[tester8@mach7 Documents]$ cd cookcut
[tester8@mach7 cookcut]$ cookiecutter /home/tester8/Documents/HelloCookieCutter1/
directory_name [Hello]:
file_name [Howdy]:
greeting_recipient [Julie]:
Unable to create project directory '{{cookiecutter.testset}}'
Error message: 'collections.OrderedDict object' has no attribute 'testset'
Context: {
    "cookiecutter": {
        "_template": "/home/tester8/Documents/HelloCookieCutter1/",
        "directory_name": "Hello",
        "file_name": "Howdy",
        "greeting_recipient": "Julie"
    }
}
```
Either someone has a better understanding of this, or give it an OK on clean install.
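The error in the QA log above comes from a mismatch between the template tree and its `cookiecutter.json`: the directory and file names reference `cookiecutter.testset` and `cookiecutter.testfile`, while the context only defines `directory_name`, `file_name` and `greeting_recipient`, so the lookup fails at generation time. The following is an added example, not code from the bug report or from the cookiecutter project: a small checker that walks a template directory, collects every `{{cookiecutter.<name>}}` tag used in file or directory names, and reports the ones that `cookiecutter.json` does not define. It assumes the cookiecutter convention, visible in the context dump above, that keys beginning with an underscore such as `_template` are internal rather than user variables; the sample template it builds in a temporary directory is constructed to mirror Herman's layout and is not the one from the log. Checking only path names is an assumption of this example; file contents can reference variables too.

```python
"""Check that every {{cookiecutter.<name>}} used in a template's file and
directory names is defined in its cookiecutter.json (added example)."""
import json
import os
import re
import tempfile
from pathlib import Path

# Matches {{ cookiecutter.some_name }}, tolerating whitespace inside the braces.
TAG_RE = re.compile(r"\{\{\s*cookiecutter\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def referenced_variables(template_dir):
    """Variable names used in file or directory names anywhere under template_dir."""
    names = set()
    for _root, dirs, files in os.walk(template_dir):
        for entry in dirs + files:
            names.update(TAG_RE.findall(entry))
    return names


def defined_variables(template_dir):
    """Top-level keys of cookiecutter.json. Keys starting with '_' (assumed
    convention, e.g. '_template' in the context dump) are cookiecutter-internal
    and are not user-supplied template variables."""
    with open(Path(template_dir) / "cookiecutter.json", encoding="utf-8") as fh:
        context = json.load(fh)
    return {key for key in context if not key.startswith("_")}


def undefined_variables(template_dir):
    """Names referenced in paths but absent from cookiecutter.json. A non-empty
    result is what surfaces as "'...' has no attribute '<name>'" at generation."""
    return referenced_variables(template_dir) - defined_variables(template_dir)


def build_sample_template(base, directory_tag, file_tag, context):
    """Constructed sample template: base/<directory_tag>/<file_tag> plus a
    cookiecutter.json holding `context`. Returns the template path."""
    template = Path(base)
    (template / directory_tag).mkdir(parents=True, exist_ok=True)
    (template / directory_tag / file_tag).touch()
    (template / "cookiecutter.json").write_text(json.dumps(context), encoding="utf-8")
    return template


# Constructed context matching the prompts shown in the QA log.
CONTEXT = {"directory_name": "Hello", "file_name": "Howdy", "greeting_recipient": "Julie"}


def check_mismatched():
    """Reproduces the mismatch from the log: paths use testset/testfile while
    cookiecutter.json defines directory_name/file_name/greeting_recipient."""
    with tempfile.TemporaryDirectory() as tmp:
        template = build_sample_template(
            tmp, "{{cookiecutter.testset}}", "{{cookiecutter.testfile}}.py", CONTEXT)
        return sorted(undefined_variables(template))


def check_consistent():
    """Same context, but the paths reference keys that cookiecutter.json defines."""
    with tempfile.TemporaryDirectory() as tmp:
        template = build_sample_template(
            tmp, "{{cookiecutter.directory_name}}", "{{cookiecutter.file_name}}.py", CONTEXT)
        return sorted(undefined_variables(template))


if __name__ == "__main__":
    print("mismatched template, undefined:", check_mismatched())  # ['testfile', 'testset']
    print("consistent template, undefined:", check_consistent())  # []
```

Run it against a real template by calling `undefined_variables(Path("/path/to/template"))`; an empty set means every variable used in the tree can be resolved from `cookiecutter.json`, which is the condition the failed run above did not meet.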
From https://github.com/claws/cookiecutter-python-project : "This project contains a Cookiecutter template that helps you create new Python 3.6+ package projects by automatically generating most of the boiler plate content for you. Cookiecutter is a command-line utility that creates projects from templates. Cookiecutter lets you to easily and quickly bootstrap a new project from a template which allows you to skip all manual setup and common mistakes when starting a new project."

Sounds like developer territory to me. OKing on Herman's clean install, and validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Dave Hodgins 2022-07-13 19:02:37 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0258.html

Resolution: (none) => FIXED