From a826d6f1bfa6f98f8a7d65775db687f2cfb85206 Mon Sep 17 00:00:00 2001 From: Thomas Moschny Date: Fri, 13 Jun 2014 20:52:51 +0200 Subject: [PATCH] Fix CVE-2014-1402 (using patch from RHSA-2014:0748). --- Jinja2-2.6-fix-CVE-2014-1402.patch | 64 ++++++++++++++++++++++++++++++ python-jinja2.spec | 11 ++++- 2 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 Jinja2-2.6-fix-CVE-2014-1402.patch diff --git a/Jinja2-2.6-fix-CVE-2014-1402.patch b/Jinja2-2.6-fix-CVE-2014-1402.patch new file mode 100644 index 0000000..c77bacc --- /dev/null +++ b/Jinja2-2.6-fix-CVE-2014-1402.patch @@ -0,0 +1,64 @@ +--- jinja2/bccache.py.orig 2011-07-12 14:02:32.000000000 +0200 ++++ jinja2/bccache.py 2014-05-30 13:15:12.850410773 +0200 +@@ -20,6 +20,9 @@ + import tempfile + import cPickle as pickle + import fnmatch ++import os ++import errno ++import stat + try: + from hashlib import sha1 + except ImportError: +@@ -194,7 +197,9 @@ + two arguments: The directory where the cache items are stored and a + pattern string that is used to build the filename. + +- If no directory is specified the system temporary items folder is used. ++ If no directory is specified a default cache directory is selected. On ++ Windows the user's temp directory is used, on UNIX systems a directory ++ is created for the user in the system temp directory. + + The pattern can be used to have multiple separate caches operate on the + same directory. The default pattern is ``'__jinja2_%s.cache'``. ``%s`` +@@ -207,10 +212,39 @@ + + def __init__(self, directory=None, pattern='__jinja2_%s.cache'): + if directory is None: +- directory = tempfile.gettempdir() ++ directory = self._get_default_cache_dir() + self.directory = directory + self.pattern = pattern + ++ def _get_default_cache_dir(self): ++ tmpdir = tempfile.gettempdir() ++ ++ # On windows the temporary directory is used specific unless ++ # explicitly forced otherwise. We can just use that. ++ if os.name == 'nt': ++ return tmpdir ++ if not hasattr(os, 'getuid'): ++ raise RuntimeError('Cannot determine safe temp directory. You ' ++ 'need to explicitly provide one.') ++ ++ dirname = '_jinja2-cache-%d' % os.getuid() ++ actual_dir = os.path.join(tmpdir, dirname) ++ try: ++ os.mkdir(actual_dir, stat.S_IRWXU) # 0o700 ++ except OSError as e: ++ if e.errno != errno.EEXIST: ++ raise ++ ++ actual_dir_stat = os.lstat(actual_dir) ++ if actual_dir_stat.st_uid != os.getuid() \ ++ or not stat.S_ISDIR(actual_dir_stat.st_mode) \ ++ or stat.S_IMODE(actual_dir_stat.st_mode) != stat.S_IRWXU: ++ raise RuntimeError('Temporary directory \'%s\' has an incorrect ' ++ 'owner, permissions, or type.' % actual_dir) ++ ++ ++ return actual_dir ++ + def _get_cache_filename(self, bucket): + return path.join(self.directory, self.pattern % bucket.key) + diff --git a/python-jinja2.spec b/python-jinja2.spec index d842836..4f7c463 100644 --- a/python-jinja2.spec +++ b/python-jinja2.spec @@ -10,12 +10,17 @@ Name: python-jinja2 Version: 2.6 -Release: 6%{?dist} +Release: 7%{?dist} Summary: General purpose template engine Group: Development/Languages License: BSD URL: http://jinja.pocoo.org/ Source0: http://pypi.python.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz +# This patch consists of two upstream patches merged and rebased +# (the first upstream patch introduced CVE-2014-0012 and the second fixed it) +# https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7 +# https://github.com/mitsuhiko/jinja2/pull/296/files +Patch0: Jinja2-2.6-fix-CVE-2014-1402.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch BuildRequires: python-devel @@ -69,6 +74,7 @@ environments. %prep %setup -q -n Jinja2-%{version} +%patch0 -p0 # cleanup find . -name '*.pyo' -o -name '*.pyc' -delete @@ -155,6 +161,9 @@ popd %changelog +* Fri Jun 13 2014 Thomas Moschny - 2.6-7 +- Fix CVE-2014-1402 (using patch from RHSA-2014:0748). + * Thu Feb 14 2013 Fedora Release Engineering - 2.6-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild