Bug 24787 - python-jinja2 new security issues CVE-2016-10745 and CVE-2019-10906
Summary: python-jinja2 new security issues CVE-2016-10745 and CVE-2019-10906
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-05-08 13:42 CEST by David Walser
Modified: 2019-05-18 14:34 CEST (History)
5 users (show)

See Also:
Source RPM: python-jinja2-2.8-4.mga6.src.rpm
CVE:
Status comment:


Attachments
file adapted to python and python3 (166 bytes, text/plain)
2019-05-17 08:49 CEST, Herman Viaene
Details

Description David Walser 2019-05-08 13:42:42 CEST
RedHat has issued an advisory on May 7:
https://access.redhat.com/errata/RHSA-2019:1022

The issue is fixed upstream in 2.8.1.
Comment 1 David GEIGER 2019-05-08 15:12:33 CEST
Fixed for mga6!

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-05-08 17:27:52 CEST
Advisory:
========================

Updated python-jinja2 packages fix security vulnerability:

Sandbox escape due to information disclosure via str.format (CVE-2016-10745).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10745
https://access.redhat.com/errata/RHSA-2019:1022
========================

Updated packages in core/updates_testing:
========================
python-jinja2-2.8.1-1.mga6
python3-jinja2-2.8.1-1.mga6

from python-jinja2-2.8.1-1.mga6.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2019-05-13 13:58:08 CEST
RedHat has issued an advisory today (May 13):
https://access.redhat.com/errata/RHSA-2019:1152

The issue is fixed upstream in 2.10.1.

CC: (none) => qa-bugs
Summary: python-jinja2 new security issue CVE-2016-10745 => python-jinja2 new security issues CVE-2016-10745 and CVE-2019-10906
Assignee: qa-bugs => geiger.david68210

Comment 4 David GEIGER 2019-05-13 14:23:51 CEST
Fixed for mga6!
Comment 5 David Walser 2019-05-13 16:23:27 CEST
Advisory:
========================

Updated python-jinja2 packages fix security vulnerabilities:

Sandbox escape due to information disclosure via str.format (CVE-2016-10745).

str.format_map allows sandbox escape (CVE-2019-10906).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10906
https://access.redhat.com/errata/RHSA-2019:1022
https://access.redhat.com/errata/RHSA-2019:1152
========================

Updated packages in core/updates_testing:
========================
python-jinja2-2.10.1-1.mga6
python3-jinja2-2.10.1-1.mga6

from python-jinja2-2.10.1-1.mga6.src.rpm

CC: qa-bugs => (none)
Assignee: geiger.david68210 => qa-bugs

Comment 6 Herman Viaene 2019-05-16 13:41:45 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Followed test as per bug 12265, the test file and Comment 9.
At CLI:
$ python test.py 
Hello. If you see this with no errors then it worked :)

but as this update is also on python3:
$ python3 test.py 
  File "test.py", line 4
    print output
               ^
SyntaxError: Missing parentheses in call to 'print'
I am not fluent at python and lack the time now to look into it, so abandoning  for now until later or someone else picks the python3 issue up.

CC: (none) => herman.viaene

Comment 7 Len Lawrence 2019-05-16 18:08:17 CEST
Rplying to Herman comment 6:
Yes, the parentheses are required in python3.  It is better to write scripts eith
print( whatever ) for either version of python because python2.7 izaccepts both forms.  Not in a position to do much testing these days but may pick it up later.

Len

CC: (none) => tarazed25

Comment 8 Herman Viaene 2019-05-17 08:47:57 CEST
Changed the test file following Len's hint. Now I get.
$ python test.py 
Hello. If you see this with no errors then it worked :)
and
$ python3 test.py 
Hello. If you see this with no errors then it worked :)

So OK for me, I will upload the adapted test.py file.

Whiteboard: (none) => MGA6-32-OK

Comment 9 Herman Viaene 2019-05-17 08:49:05 CEST
Created attachment 11000 [details]
file adapted to python and python3
Comment 10 Dave Hodgins 2019-05-18 12:00:57 CEST
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 11 Mageia Robot 2019-05-18 14:34:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0177.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.