anatoly techtonik added the comment:
CVE-2011-4944
--
nosy: +techtonik
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13512
___
___
Antoine Pitrou added the comment:
Thank you Eric!
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13512
___
___
Python-bugs-list mailing list
Roundup Robot added the comment:
New changeset 4a2814f24a10 by Éric Araujo in branch '3.2':
Create ~/.pypirc securely (#13512).
http://hg.python.org/cpython/rev/4a2814f24a10
New changeset 10ab746f55fb by Éric Araujo in branch '3.3':
Merge fixes for #13614, #13512 and #7719 from 3.2
Changes by Éric Araujo mer...@netwok.org:
--
resolution: - fixed
stage: patch review - committed/rejected
status: open - closed
versions: +Python 3.4
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13512
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:
New changeset f833e7ec4de1 by Éric Araujo in branch '2.7':
Create ~/.pypirc securely (#13512).
http://hg.python.org/cpython/rev/f833e7ec4de1
--
nosy: +python-dev
___
Python tracker
Éric Araujo mer...@netwok.org added the comment:
Will port to 3.2 soon.
Release managers: there are CVE and ocert numbers for this; do we take that as
indication that it should be fixed in security releases too or do we stand by
our own assessment that it’s just a bugfix?
--
Éric Araujo mer...@netwok.org added the comment:
Do you have links to those patches?
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13512
___
Antoine Pitrou pit...@free.fr added the comment:
I have a link to the Mageia patch:
http://svnweb.mageia.org/packages/cauldron/python/current/SOURCES/python-2.7.3-upstream-pypirc-secure.patch?revision=261722view=markup
--
___
Python tracker
Éric Araujo mer...@netwok.org added the comment:
And I see that doko has applied the same patch for Debian and derivatives:
http://patch-tracker.debian.org/patch/series/view/python2.7/2.7.3~rc2-2.1/pypirc-secure.diff
Will commit today.
Release managers: there are CVE and ocert numbers for
Antoine Pitrou pit...@free.fr added the comment:
Eric, do you plan to fix this soon? Linux distributions have started patched
their Pythons manually.
--
nosy: +pitrou
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13512
Barry A. Warsaw ba...@python.org added the comment:
I don't think it's worth fixing in Python 2.6, at least not in 2.6.8 which is
ready for rc2 today.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13512
Benjamin Peterson benja...@python.org added the comment:
Check it in. It looks innocent enough to put in 2.7.3 final.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13512
___
Benjamin Peterson benja...@python.org added the comment:
On the other hand, it doesn't seem to be a very pressing issue, so let's wait
for 2.7.4.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13512
Éric Araujo mer...@netwok.org added the comment:
Alright, I’ll commit normally to the stable and development versions, skipping
the security-mode branches.
--
type: security - behavior
___
Python tracker rep...@bugs.python.org
Éric Araujo mer...@netwok.org added the comment:
Barry, Benjamin: I’d like to fix this but am not sure if it should apply to 2.6
and 3.1 too. It does not look like a major flaw (see for example the
assessment on the Red Hat bug page).
--
components: +Distutils2
keywords: +easy
nosy:
Éric Araujo mer...@netwok.org added the comment:
Thanks for the report Vincent. Philip, your patch looks good, except that the
code cannot use the with statement due to PEP 291 (I’ll take care of that).
2.5 is also affected (the code is in the distutils.command.register module).
I don’t
Philip Jenvey pjen...@underboss.org added the comment:
2.5 is done
http://mail.python.org/pipermail/python-committers/2011-October/001844.html
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13512
New submission from Vincent Danen vda...@linsec.ca:
A bug was reported in python's distutils in that ~/.pypirc was created
insecurely by first creating and writing user/password information to the file,
then chmod'ing it to 0600.
Perhaps the file should be created (empty), chmod'd, and then
Philip Jenvey pjen...@underboss.org added the comment:
Something along these lines (untested) should do it. 2.6 and 3.x need the fix
as well
--
keywords: +patch
nosy: +pjenvey
Added file: http://bugs.python.org/file23824/pypirc-secure.diff
___
Philip Jenvey pjen...@underboss.org added the comment:
It probably still needs to catch OSErrors which my patch doesn't do
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13512
___
20 matches
Mail list logo