Bug 58099 - jinja2: Multiple issues (5.2)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.2
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 5.2-1-errata
Assignee: Quality Assurance
QA Contact: Felix Botner
Reported: 2025-03-24 14:35 CET by Quality Assurance
Modified: 2025-03-26 16:47 CET (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Description Quality Assurance univentionstaff 2025-03-24 14:35:58 CET
New Debian jinja2 3.1.2-1+deb12u2 fixes:
This update addresses the following issues:
* jinja2: Jinja has a sandbox breakout through malicious filenames (CVE-2024-56201)
* jinja2: Jinja has a sandbox breakout through indirect reference to format method (CVE-2024-56326)
Comment 1 Quality Assurance univentionstaff 2025-03-24 16:00:13 CET
--- mirror/ftp/pool/main/j/jinja2/jinja2_3.1.2-1+deb12u1.dsc
+++ apt/ucs_5.2-0-errata5.2-1/source/jinja2_3.1.2-1+deb12u2.dsc
@@ -1,3 +1,29 @@
+3.1.2-1+deb12u2 [Thu, 27 Feb 2025 22:30:54 +0100] Lee Garrett <debian@rocketjump.eu>:
+
+  * Non-maintainer upload by the LTS security team.
+  * Fix CVE-2024-56201:
+    In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler
+    allows an attacker that controls both the content and filename of a template
+    to execute arbitrary Python code, regardless of if Jinja's sandbox is used.
+    To exploit the vulnerability, an attacker needs to control both the filename
+    and the contents of a template. Whether that is the case depends on the type
+    of application using Jinja. This vulnerability impacts users of applications
+    which execute untrusted templates where the template author can also choose
+    the template filename.
+  * Fix CVE-2024-56326:
+    Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects
+    calls to str.format allows an attacker that controls the content of a
+    template to execute arbitrary Python code. To exploit the vulnerability, an
+    attacker needs to control the content of a template. Whether that is the
+    case depends on the type of application using Jinja. This vulnerability
+    impacts users of applications which execute untrusted templates. Jinja's
+    sandbox does catch calls to str.format and ensures they don't escape the
+    sandbox. However, it's possible to store a reference to a malicious string's
+    format method, then pass that to a filter that calls it. No such filters are
+    built-in to Jinja, but could be present through custom filters in an
+    application. After the fix, such indirect calls are also handled by the
+    sandbox.
+
 3.1.2-1+deb12u1 [Sat, 07 Dec 2024 19:15:36 +0200] Adrian Bunk <bunk@debian.org>:
 
   * Non-maintainer upload.
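Review bot: the new changelog entry describes what both fixes do but does not name the upstream commits or the debian/patches files that were backported, so a reviewer cannot confirm from the changelog alone that deb12u2 carries both the compiler-side filename fix (CVE-2024-56201) and the sandbox-side handling of indirect str.format calls (CVE-2024-56326); adding the patch file names or upstream references to each "Fix CVE-..." item would make the QA check "OK: patch" reproducible. Two wording slips in the same entry: "regardless of if Jinja's sandbox is used" should read "regardless of whether", and "Prior to 3.1.5, An oversight" has a stray capital "An".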

<http://piuparts.knut.univention.de/5.2-1/#4346713918964406369>
Comment 2 Felix Botner univentionstaff 2025-03-24 17:14:51 CET
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.2-1] 6ef566df613 Bug #58099: jinja2 3.1.2-1+deb12u2
 doc/errata/staging/jinja2.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)