[issue13512] ~/.pypirc created insecurely

2013-02-18 Thread anatoly techtonik

anatoly techtonik added the comment:

CVE-2011-4944

--
nosy: +techtonik

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13512
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue13512] ~/.pypirc created insecurely

2012-12-09 Thread Antoine Pitrou

Antoine Pitrou added the comment:

Thank you Eric!

--




[issue13512] ~/.pypirc created insecurely

2012-12-08 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 4a2814f24a10 by Éric Araujo in branch '3.2':
Create ~/.pypirc securely (#13512).
http://hg.python.org/cpython/rev/4a2814f24a10

New changeset 10ab746f55fb by Éric Araujo in branch '3.3':
Merge fixes for #13614, #13512 and #7719 from 3.2
http://hg.python.org/cpython/rev/10ab746f55fb

New changeset b10c1c6f869f by Éric Araujo in branch 'default':
Merge fixes for #13614, #13512 and #7719 from 3.3
http://hg.python.org/cpython/rev/b10c1c6f869f

--




[issue13512] ~/.pypirc created insecurely

2012-12-08 Thread Éric Araujo

Changes by Éric Araujo mer...@netwok.org:


--
resolution:  -> fixed
stage: patch review -> committed/rejected
status: open -> closed
versions: +Python 3.4




[issue13512] ~/.pypirc created insecurely

2012-07-02 Thread Roundup Robot

Roundup Robot devn...@psf.upfronthosting.co.za added the comment:

New changeset f833e7ec4de1 by Éric Araujo in branch '2.7':
Create ~/.pypirc securely (#13512).
http://hg.python.org/cpython/rev/f833e7ec4de1

--
nosy: +python-dev




[issue13512] ~/.pypirc created insecurely

2012-07-02 Thread Éric Araujo

Éric Araujo mer...@netwok.org added the comment:

Will port to 3.2 soon.

Release managers: there are CVE and ocert numbers for this; do we take that as 
indication that it should be fixed in security releases too or do we stand by 
our own assessment that it’s just a bugfix?

--




[issue13512] ~/.pypirc created insecurely

2012-06-24 Thread Éric Araujo

Éric Araujo mer...@netwok.org added the comment:

Do you have links to those patches?

--




[issue13512] ~/.pypirc created insecurely

2012-06-24 Thread Antoine Pitrou

Antoine Pitrou pit...@free.fr added the comment:

I have a link to the Mageia patch:

http://svnweb.mageia.org/packages/cauldron/python/current/SOURCES/python-2.7.3-upstream-pypirc-secure.patch?revision=261722&view=markup

--




[issue13512] ~/.pypirc created insecurely

2012-06-24 Thread Éric Araujo

Éric Araujo mer...@netwok.org added the comment:

And I see that doko has applied the same patch for Debian and derivatives: 
http://patch-tracker.debian.org/patch/series/view/python2.7/2.7.3~rc2-2.1/pypirc-secure.diff
Will commit today.

Release managers: there are CVE and ocert numbers for this; do we take that as 
indication that it should be fixed in security releases too or do we stand by 
our own assessment?

--
priority: normal -> high




[issue13512] ~/.pypirc created insecurely

2012-06-18 Thread Antoine Pitrou

Antoine Pitrou pit...@free.fr added the comment:

Eric, do you plan to fix this soon? Linux distributions have started patching 
their Pythons manually.

--
nosy: +pitrou




[issue13512] ~/.pypirc created insecurely

2012-03-17 Thread Barry A. Warsaw

Barry A. Warsaw ba...@python.org added the comment:

I don't think it's worth fixing in Python 2.6, at least not in 2.6.8 which is 
ready for rc2 today.

--




[issue13512] ~/.pypirc created insecurely

2012-03-17 Thread Benjamin Peterson

Benjamin Peterson benja...@python.org added the comment:

Check it in. It looks innocent enough to put in 2.7.3 final.

--




[issue13512] ~/.pypirc created insecurely

2012-03-17 Thread Benjamin Peterson

Benjamin Peterson benja...@python.org added the comment:

On the other hand, it doesn't seem to be a very pressing issue, so let's wait 
for 2.7.4.

--




[issue13512] ~/.pypirc created insecurely

2012-03-17 Thread Éric Araujo

Éric Araujo mer...@netwok.org added the comment:

Alright, I’ll commit normally to the stable and development versions, skipping 
the security-mode branches.

--
type: security -> behavior




[issue13512] ~/.pypirc created insecurely

2012-03-16 Thread Éric Araujo

Éric Araujo mer...@netwok.org added the comment:

Barry, Benjamin: I’d like to fix this but am not sure if it should apply to 2.6 
and 3.1 too.  It does not look like a major flaw (see for example the 
assessment on the Red Hat bug page).

--
components: +Distutils2
keywords: +easy
nosy: +alexis, benjamin.peterson
versions: +3rd party




[issue13512] ~/.pypirc created insecurely

2011-12-01 Thread Éric Araujo

Éric Araujo mer...@netwok.org added the comment:

Thanks for the report Vincent.  Philip, your patch looks good, except that the 
code cannot use the with statement due to PEP 291 (I’ll take care of that).  
2.5 is also affected (the code is in the distutils.command.register module).

I don’t think we can write a test for this bug.

Barry, Martin, do you think this important enough for the versions in security 
mode?  (I’ve forgotten whether 2.5 is still in security mode or not, and can’t 
find the info online).

--
assignee: tarek -> eric.araujo
nosy: +barry, loewis
stage:  -> patch review
versions: +Python 3.2, Python 3.3




[issue13512] ~/.pypirc created insecurely

2011-12-01 Thread Philip Jenvey

Philip Jenvey pjen...@underboss.org added the comment:

2.5 is done 
http://mail.python.org/pipermail/python-committers/2011-October/001844.html

--




[issue13512] ~/.pypirc created insecurely

2011-11-30 Thread Vincent Danen

New submission from Vincent Danen vda...@linsec.ca:

A bug was reported in python's distutils in that ~/.pypirc was created 
insecurely by first creating and writing user/password information to the file, 
then chmod'ing it to 0600.

Perhaps the file should be created (empty), chmod'd, and then written to or 
perhaps tempfile.mkstemp() could be used to create the file and then move it 
in-place.

On systems where /home/user is 0700 by default this isn't a problem, but there 
is a race condition that could possibly (although the window would be small) 
expose credentials in a home directory that is 0755, for instance.

I searched and couldn't find a similar report here, so decided to make upstream 
aware of the bug reported to Debian.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650555
https://bugzilla.redhat.com/show_bug.cgi?id=758905

--
assignee: tarek
components: Distutils
messages: 148697
nosy: Vincent.Danen, eric.araujo, tarek
priority: normal
severity: normal
status: open
title: ~/.pypirc created insecurely
type: security
versions: Python 2.7

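The race the report describes, shown as an added example that is not part of the thread or of the patch attached to it: the write-then-chmod pattern beside the two alternatives the report suggests (create the file as 0600 from the start, or mkstemp() plus an atomic rename). Function names, the sample file content and the demo() driver are my own.

```python
import os
import tempfile
# Constructed sample content in the layout ~/.pypirc uses; not real credentials.
SAMPLE = "[distutils]\nindex-servers = pypi\n\n[pypi]\nusername:alice\npassword:hunter2\n"

def mode_of(path):
    """Permission bits of path, e.g. 0o600."""
    return os.stat(path).st_mode & 0o777

def write_racy(path, content):
    """Pattern from the report: write first, chmod() after. Returns the mode
    another process sees in the window between the two calls."""
    with open(path, "w") as f:
        f.write(content)
        exposed = mode_of(path)  # umask-derived, e.g. 0o644 under umask 022
    os.chmod(path, 0o600)
    return exposed

def write_secure(path, content):
    """First suggestion: create the file as 0600 from the start. os.open() applies
    the mode at creation; O_EXCL refuses a pre-existing file or symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)

def write_via_tempfile(path, content):
    """Second suggestion: mkstemp() (already 0600) then an atomic rename.
    Also replaces an existing file safely, which write_secure() refuses."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".pypirc.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.replace(tmp, path)  # readers see the old file or the complete new one
    except BaseException:
        os.unlink(tmp)
        raise

def demo():
    """Run all three writers under umask 022; return the modes observed."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy, secure, via = (os.path.join(d, n) for n in ("a", "b", "c"))
            exposed = write_racy(racy, SAMPLE)
            write_secure(secure, SAMPLE)
            write_via_tempfile(via, SAMPLE)
            write_via_tempfile(via, SAMPLE)  # second call replaces in place
            return exposed, mode_of(secure), mode_of(via)
    finally:
        os.umask(old_umask)
```

demo() returns (0o644, 0o600, 0o600) on a POSIX system: the first value is the mode the racy writer exposes before its chmod(), the other two show that the suggested approaches never leave the file readable to others.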



[issue13512] ~/.pypirc created insecurely

2011-11-30 Thread Philip Jenvey

Philip Jenvey pjen...@underboss.org added the comment:

Something along these lines (untested) should do it. 2.6 and 3.x need the fix 
as well.

--
keywords: +patch
nosy: +pjenvey
Added file: http://bugs.python.org/file23824/pypirc-secure.diff




[issue13512] ~/.pypirc created insecurely

2011-11-30 Thread Philip Jenvey

Philip Jenvey pjen...@underboss.org added the comment:

It probably still needs to catch OSErrors which my patch doesn't do

--
