Bug 30570 - python-cookiecutter new security issue CVE-2022-24065
Summary: python-cookiecutter new security issue CVE-2022-24065
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-06-20 19:38 CEST by David Walser
Modified: 2022-07-13 22:44 CEST
CC List: 5 users

See Also:
Source RPM: python-cookiecutter-1.7.3-3.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2022-06-20 19:38:12 CEST
Fedora has issued an advisory on June 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HQKWT7SGFDCUPPLDIELTN7FVTHWDL5YK/

The issue is fixed upstream in 2.1.1.

Mageia 8 is also affected.
David Walser 2022-06-20 19:38:23 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.1.1

Comment 1 Lewis Smith 2022-06-22 20:47:39 CEST
Assigning this globally because 'python-cookiecutter' has been previously updated by different packagers.

Assignee: bugsquad => pkg-bugs

Comment 2 papoteur 2022-07-05 21:09:48 CEST
There is now:
python3-cookiecutter-1.7.2-2.mga8.noarch
python-cookiecutter-doc-1.7.2-2.mga8.noarch

It contains the patch from https://github.com/cookiecutter/cookiecutter/pull/1689
Cauldron is updated to 2.1.1.

Status comment: Fixed upstream in 2.1.1 => (none)
Whiteboard: MGA8TOO => (none)
CC: (none) => yves.brungard_mageia
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2022-07-06 16:45:13 CEST
from python-cookiecutter-1.7.2-2.mga8.src.rpm
Comment 4 Herman Viaene 2022-07-08 13:59:02 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues, apart from the fact that in MCC the same description is given for the python3-cookiecutter as for the python-cookiecutter-doc, which is not correct AFAICS.
Found example in python-cookiecutter-doc, following it...

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2022-07-08 14:17:02 CEST
I don't get it:
$ mkdir HelloCookieCutter1
[tester8@mach7 Documents]$ cd HelloCookieCutter1
[tester8@mach7 HelloCookieCutter1]$ mkdir {{cookiecutter.testset}}
[tester8@mach7 HelloCookieCutter1]$ cd {{cookiecutter.testset}}
[tester8@mach7 {{cookiecutter.testset}}]$ touch {{cookiecutter.testfile}}.py
so far so good, but then there is something I don't quite understand:
"Anything inside templating tags can be placed inside a namespace. Here, by putting directory_name inside the cookiecutter namespace, cookiecutter.directory_name will be looked up from the cookiecutter.json file as the project is generated by Cookiecutter."
Continuing anyway, I created the cookiecutter.json file and went on
$ cd ..
[tester8@mach7 Documents]$ mkdir cookcut
[tester8@mach7 Documents]$ cd cookcut
[tester8@mach7 cookcut]$ cookiecutter  /home/tester8/Documents/HelloCookieCutter1/
directory_name [Hello]: 
file_name [Howdy]: 
greeting_recipient [Julie]: 
Unable to create project directory '{{cookiecutter.testset}}'
Error message: 'collections.OrderedDict object' has no attribute 'testset'
Context: {
    "cookiecutter": {
        "_template": "/home/tester8/Documents/HelloCookieCutter1/",
        "directory_name": "Hello",
        "file_name": "Howdy",
        "greeting_recipient": "Julie"
    }
}
Either someone has a better understanding of this, or give it an OK on clean install.
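The lookup the quoted documentation describes is what fails in comment 5: the template directory and file are named after the keys testset and testfile, while the cookiecutter.json that was created (see the Context dump) only defines directory_name, file_name and greeting_recipient, so {{cookiecutter.testset}} has nothing to resolve to. The following toy renderer reproduces that mechanism end to end. It is an added example written for this page, not cookiecutter's own code: the real tool renders with Jinja2 and its error text differs from the MissingKey message used here; the functions render, generate, make_template, run_mismatched and run_matched are hypothetical names chosen for the illustration, and every template tree is constructed in a temporary directory.

```python
"""Toy illustration of how a cookiecutter template's {{cookiecutter.<key>}}
path names are resolved in the 'cookiecutter' namespace built from
cookiecutter.json.  Added example for this bug page, not cookiecutter's own
code (the real tool renders with Jinja2).  Template trees are constructed in
temporary directories so the script runs offline."""
import json
import os
import re
import tempfile

# A path component or file body may contain {{ cookiecutter.key }} tags.
TAG = re.compile(r"\{\{\s*cookiecutter\.(\w+)\s*\}\}")


class MissingKey(Exception):
    """A template references a key that cookiecutter.json does not define."""


def render(text, context):
    """Replace each {{cookiecutter.key}} with context['cookiecutter'][key].

    This is the lookup the documentation describes: the name is resolved in
    the 'cookiecutter' namespace, whose contents come from cookiecutter.json
    (plus whatever the user typed at the prompts)."""
    def lookup(match):
        key = match.group(1)
        try:
            return str(context["cookiecutter"][key])
        except KeyError:
            raise MissingKey(
                f"'cookiecutter' namespace has no key {key!r}; add it to cookiecutter.json"
            ) from None
    return TAG.sub(lookup, text)


def generate(template_dir, output_dir, answers=None):
    """Render the template's single project directory into output_dir.

    cookiecutter.json supplies the defaults; `answers` stands in for the
    values a user would type at the prompts.  Returns the sorted list of
    generated paths relative to output_dir."""
    with open(os.path.join(template_dir, "cookiecutter.json")) as fh:
        defaults = json.load(fh)
    context = {"cookiecutter": {**defaults, **(answers or {})}}

    entries = [e for e in os.listdir(template_dir) if e != "cookiecutter.json"]
    if len(entries) != 1:
        raise ValueError("template must contain exactly one project directory")
    created = []
    for root, _dirs, files in os.walk(os.path.join(template_dir, entries[0])):
        # e.g. "{{cookiecutter.testset}}" -> "Hello"; raises if the key is absent
        out_root = os.path.join(output_dir, render(os.path.relpath(root, template_dir), context))
        os.makedirs(out_root, exist_ok=True)
        created.append(os.path.relpath(out_root, output_dir))
        for fname in files:
            out_file = os.path.join(out_root, render(fname, context))
            with open(os.path.join(root, fname)) as src, open(out_file, "w") as dst:
                dst.write(render(src.read(), context))  # file bodies are templated too
            created.append(os.path.relpath(out_file, output_dir))
    return sorted(created)


def make_template(cookiecutter_json):
    """Build the tree from comment 5 ({{cookiecutter.testset}}/{{cookiecutter.testfile}}.py)
    in a temporary directory, with the given dict written as cookiecutter.json."""
    tdir = tempfile.mkdtemp(prefix="cc-template-")
    with open(os.path.join(tdir, "cookiecutter.json"), "w") as fh:
        json.dump(cookiecutter_json, fh)
    project = os.path.join(tdir, "{{cookiecutter.testset}}")
    os.makedirs(project)
    with open(os.path.join(project, "{{cookiecutter.testfile}}.py"), "w") as fh:
        fh.write("print('Hello, {{cookiecutter.greeting_recipient}}!')\n")
    return tdir


def run_mismatched():
    """Comment 5's situation: the directory is named after 'testset', but
    cookiecutter.json only defines the keys from the documentation example.
    Returns the error message."""
    tdir = make_template({"directory_name": "Hello", "file_name": "Howdy",
                          "greeting_recipient": "Julie"})
    try:
        generate(tdir, tempfile.mkdtemp(prefix="cc-out-"))
    except MissingKey as exc:
        return str(exc)
    return None


def run_matched():
    """Same tree, with cookiecutter.json keys that match the templated names.
    Returns the generated paths and the rendered file body."""
    tdir = make_template({"testset": "Hello", "testfile": "Howdy",
                          "greeting_recipient": "Julie"})
    out = tempfile.mkdtemp(prefix="cc-out-")
    paths = generate(tdir, out)
    with open(os.path.join(out, "Hello", "Howdy.py")) as fh:
        return paths, fh.read()


if __name__ == "__main__":
    print("mismatched:", run_mismatched())
    print("matched:", run_matched())
```

The point for a tester is that every {{cookiecutter.<key>}} used in a directory name, file name or file body must have a matching key in cookiecutter.json (or be supplied at the prompt); with the keys aligned the same tree renders to Hello/Howdy.py.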
Comment 6 Thomas Andrews 2022-07-13 14:15:24 CEST
From https://github.com/claws/cookiecutter-python-project :

"This project contains a Cookiecutter template that helps you create new Python 3.6+ package projects by automatically generating most of the boilerplate content for you.

Cookiecutter is a command-line utility that creates projects from templates. Cookiecutter lets you easily and quickly bootstrap a new project from a template, which allows you to skip all manual setup and common mistakes when starting a new project."

Sounds like developer territory to me. OKing on Herman's clean install, and validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-07-13 19:02:37 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-07-13 22:44:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0258.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

