Your message dated Wed, 28 Nov 2012 11:48:27 +0000
with message-id <[email protected]>
and subject line Bug#615118: fixed in python2.6 2.6.8-1
has caused the Debian Bug report #615118,
regarding python2.6: distutils creates .pypirc insecurely
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
615118: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=615118
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python2.6
Version: 2.6.6-8
Severity: important
Tags: security

distutils uses this method to create .pypirc:

    def _store_pypirc(self, username, password):
        """Creates a default .pypirc file."""
        rc = self._get_rc_file()
        f = open(rc, 'w')
        try:
            f.write(DEFAULT_PYPIRC % (username, password))
        finally:
            f.close()
        try:
            os.chmod(rc, 0600)
        except OSError:
            # should do something better here
            pass

There is a tiny timing window between write() and chmod() calls in which the file (with user's password) is world-readable.

--
Jakub Wilk



--- End Message ---
--- Begin Message ---
Source: python2.6
Source-Version: 2.6.8-1

We believe that the bug you reported is fixed in the latest version of
python2.6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <[email protected]> (supplier of updated python2.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 28 Nov 2012 08:48:08 +0100
Source: python2.6
Binary: python2.6 python2.6-minimal libpython2.6 python2.6-examples python2.6-dev idle-python2.6 python2.6-doc python2.6-dbg
Architecture: source all amd64
Version: 2.6.8-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <[email protected]>
Changed-By: Matthias Klose <[email protected]>
Description: 
 idle-python2.6 - IDE for Python (v2.6) using Tkinter
 libpython2.6 - Shared Python runtime library (version 2.6)
 python2.6  - Interactive high-level object-oriented language (version 2.6)
 python2.6-dbg - Debug Build of the Python Interpreter (version 2.6)
 python2.6-dev - Header files and a static library for Python (v2.6)
 python2.6-doc - Documentation for the high-level object-oriented language Python
 python2.6-examples - Examples for the Python language (v2.6)
 python2.6-minimal - Minimal subset of the Python language (version 2.6)
Closes: 615118 639327 639405 645125
Changes: 
 python2.6 (2.6.8-1) unstable; urgency=medium
 .
   * The wininst-* files cannot be built within Debian from the included
     sources, needing a zlib mingw build, which the zlib maintainer isn't
     going to provide. Closes: #639405.
   * Fix determination of Metadata version (issue #8933). Closes: #645125.
   * SECURE UPDATE: http://bugs.python.org/issue13512
     - debian/patches/CVE-2011-4944.diff: create ~/.pypirc securely
     - CVE-2011-4944. Closes: #615118.
   * SECURITY UPDATE: Fix CGIHTTPServer information disclosure.
     - debian/patches/CVE-2011-1015.diff: Relative paths are now collapsed
       within the url properly before looking in cgi_directories.
     - CVE-2011-1015
   * Add man page for 2to3, copied from 2.7 (Nobuhiro Iwamatsu).
     Closes: #639327.
   * Avoid runtime path for the sqlite extension.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlC19XcACgkQStlRaw+TLJwe5gCffdAxBGuQFeuUQwClxsn65HIC
yJAAn0Kj4+USoj5ysBRfpAtlLJ0hVpai
=cCAR
-----END PGP SIGNATURE-----

--- End Message ---
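
Added example (not part of the original messages and not the Debian patch itself): the open()-then-chmod() pattern from the report next to a variant that passes the mode to os.open(), so the file never exists with wider permissions. It is written for Python 3; TEMPLATE, the function names and the credentials are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed stand-in for distutils' DEFAULT_PYPIRC template.
TEMPLATE = "[server-login]\nusername:%s\npassword:%s\n"


def store_racy(path, username, password):
    """Pattern from the report. Returns the mode the file had while it
    already contained the password (before chmod ran)."""
    with open(path, "w") as f:          # created as 0666 & ~umask
        f.write(TEMPLATE % (username, password))
        f.flush()
        exposed = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
    os.chmod(path, 0o600)               # too late: window has already existed
    return exposed


def store_private(path, username, password):
    """Create the file owner-only from the start. Returns the mode in
    effect at the moment the password is written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        # The mode passed to os.open() only applies when the file is
        # created; tighten a pre-existing file before writing to it.
        os.fchmod(f.fileno(), 0o600)
        mode = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
        f.write(TEMPLATE % (username, password))
    return mode


def demo():
    """Run both variants under a typical umask of 022.
    Returns (mode during racy write, mode during private write)."""
    old_umask = os.umask(0o022)
    try:
        d = tempfile.mkdtemp()
        racy = store_racy(os.path.join(d, "racy"), "user", "constructed")
        private = store_private(os.path.join(d, "private"), "user", "constructed")
        return racy, private
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(["%04o" % m for m in demo()])
```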
