[issue13512] ~/.pypirc created insecurely
anatoly techtonik added the comment: CVE-2011-4944 -- nosy: +techtonik ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Antoine Pitrou added the comment: Thank you Eric! -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Roundup Robot added the comment: New changeset 4a2814f24a10 by Éric Araujo in branch '3.2': Create ~/.pypirc securely (#13512). http://hg.python.org/cpython/rev/4a2814f24a10 New changeset 10ab746f55fb by Éric Araujo in branch '3.3': Merge fixes for #13614, #13512 and #7719 from 3.2 http://hg.python.org/cpython/rev/10ab746f55fb New changeset b10c1c6f869f by Éric Araujo in branch 'default': Merge fixes for #13614, #13512 and #7719 from 3.3 http://hg.python.org/cpython/rev/b10c1c6f869f -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Changes by Éric Araujo mer...@netwok.org: -- resolution: - fixed stage: patch review - committed/rejected status: open - closed versions: +Python 3.4 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Roundup Robot devn...@psf.upfronthosting.co.za added the comment: New changeset f833e7ec4de1 by Éric Araujo in branch '2.7': Create ~/.pypirc securely (#13512). http://hg.python.org/cpython/rev/f833e7ec4de1 -- nosy: +python-dev ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Éric Araujo mer...@netwok.org added the comment: Will port to 3.2 soon. Release managers: there are CVE and ocert numbers for this; do we take that as indication that it should be fixed in security releases too or do we stand by our own assessment that it’s just a bugfix? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Éric Araujo mer...@netwok.org added the comment: Do you have links to those patches? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Antoine Pitrou pit...@free.fr added the comment: I have a link to the Mageia patch: http://svnweb.mageia.org/packages/cauldron/python/current/SOURCES/python-2.7.3-upstream-pypirc-secure.patch?revision=261722view=markup -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Éric Araujo mer...@netwok.org added the comment: And I see that doko has applied the same patch for Debian and derivatives: http://patch-tracker.debian.org/patch/series/view/python2.7/2.7.3~rc2-2.1/pypirc-secure.diff Will commit today. Release managers: there are CVE and ocert numbers for this; do we take that as indication that it should be fixed in security releases too or do we stand by our own assessment? -- priority: normal - high ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Antoine Pitrou pit...@free.fr added the comment: Eric, do you plan to fix this soon? Linux distributions have started patched their Pythons manually. -- nosy: +pitrou ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Barry A. Warsaw ba...@python.org added the comment: I don't think it's worth fixing in Python 2.6, at least not in 2.6.8 which is ready for rc2 today. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Benjamin Peterson benja...@python.org added the comment: Check it in. It looks innocent enough to put in 2.7.3 final. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Benjamin Peterson benja...@python.org added the comment: On the other hand, it doesn't seem to be a very pressing issue, so let's wait for 2.7.4. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Éric Araujo mer...@netwok.org added the comment: Alright, I’ll commit normally to the stable and development versions, skipping the security-mode branches. -- type: security - behavior ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Éric Araujo mer...@netwok.org added the comment: Barry, Benjamin: I’d like to fix this but am not sure if it should apply to 2.6 and 3.1 too. It does not look like a major flaw (see for example the assessment on the Red Hat bug page). -- components: +Distutils2 keywords: +easy nosy: +alexis, benjamin.peterson versions: +3rd party ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Éric Araujo mer...@netwok.org added the comment: Thanks for the report Vincent. Philip, your patch looks good, except that the code cannot use the with statement due to PEP 291 (I’ll take care of that). 2.5 is also affected (the code is in the distutils.command.register module). I don’t think we can write a test for this bug. Barry, Martin, do you think this important enough for the versions in security mode? (I’ve forgotten whether 2.5 is still in security mode or not, and can’t find the info online). -- assignee: tarek - eric.araujo nosy: +barry, loewis stage: - patch review versions: +Python 3.2, Python 3.3 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Philip Jenvey pjen...@underboss.org added the comment: 2.5 is done http://mail.python.org/pipermail/python-committers/2011-October/001844.html -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
New submission from Vincent Danen vda...@linsec.ca: A bug was reported in python's distutils in that ~/.pypirc was created insecurely by first creating and writing user/password information to the file, then chmod'ing it to 0600. Perhaps the file should be created (empty), chmod'd, and then written to or perhaps tempfile.mkstemp() could be used to create the file and then move it in-place. On systems where /home/user is 0700 by default this isn't a problem, but there is a race condition that could possibly (although the window would be small) to expose credentials in a home directory that is 0755, for instance. I searched and couldn't find a similar report here, so decided to make upstream aware of the bug reported to Debian. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650555 https://bugzilla.redhat.com/show_bug.cgi?id=758905 -- assignee: tarek components: Distutils messages: 148697 nosy: Vincent.Danen, eric.araujo, tarek priority: normal severity: normal status: open title: ~/.pypirc created insecurely type: security versions: Python 2.7 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Philip Jenvey pjen...@underboss.org added the comment: Something along these lines (untested) should do it. 2.6 and 3.x need the fix as well -- keywords: +patch nosy: +pjenvey Added file: http://bugs.python.org/file23824/pypirc-secure.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue13512] ~/.pypirc created insecurely
Philip Jenvey pjen...@underboss.org added the comment: It probably still needs to catch OSErrors which my patch doesn't do -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue13512 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com