python2.6: distutils creates .pypirc insecurely

Related Vulnerabilities: CVE-2011-4944   CVE-2011-1015  

Debian Bug report logs - #615118


Package: python2.6; Maintainer for python2.6 is (unknown);

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Fri, 25 Feb 2011 21:09:01 UTC

Severity: important

Tags: security

Found in version python2.6/2.6.6-8

Fixed in version python2.6/2.6.8-1

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.python.org/issue13512




Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>:
Bug#615118; Package python2.6. (Fri, 25 Feb 2011 21:09:04 GMT)


Acknowledgement sent to Jakub Wilk <jwilk@debian.org>:
New Bug report received and forwarded. Copy sent to jwilk@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>. (Fri, 25 Feb 2011 21:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python2.6: distutils creates .pypirc insecurely
Date: Fri, 25 Feb 2011 22:07:57 +0100
Package: python2.6
Version: 2.6.6-8
Severity: important
Tags: security

distutils uses this method to create .pypirc:

    def _store_pypirc(self, username, password):
        """Creates a default .pypirc file."""
        rc = self._get_rc_file()
        f = open(rc, 'w')       # file is created with 0666 & ~umask (0644 under umask 022)
        try:
            f.write(DEFAULT_PYPIRC % (username, password))   # password is on disk from here
        finally:
            f.close()
        try:
            os.chmod(rc, 0600)  # permissions are only tightened after the write
        except OSError:
            # should do something better here
            pass

There is a tiny timing window between write() and chmod() calls in which 
the file (with user's password) is world-readable.

-- 
Jakub Wilk
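The race described in the report, as an added example that is not distutils code and not the upstream or Debian patch: the reported write-then-chmod pattern is placed beside a writer that asks open(2) for mode 0600 at creation time, so there is no moment at which the file holds the password with wider permissions. The PYPIRC_TEMPLATE string is a constructed stand-in for DEFAULT_PYPIRC, and the during_window hook is a demo assumption that stands in for whoever stats or reads the file between write() and chmod(); a real attacker needs no hook, only timing.

```python
"""Added example (not distutils code and not the upstream fix): the reported
write-then-chmod pattern beside a writer that applies mode 0600 at creation.
The during_window hook is a demo assumption standing in for whoever stats or
reads the file in the window the report describes."""
import os
import stat
import tempfile

# Constructed stand-in for distutils' DEFAULT_PYPIRC template.
PYPIRC_TEMPLATE = ("[distutils]\nindex-servers =\n    pypi\n\n"
                   "[pypi]\nusername:%s\npassword:%s\n")


def file_mode(path):
    """Permission bits of `path`, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def store_pypirc_insecure(path, username, password, during_window=None):
    """Same shape as the reported method: open() creates the file with
    0666 & ~umask, the password is written, and only then is the mode
    tightened. Between write() and chmod() the file is readable by anyone
    the umask allows (0644 under the common umask 022)."""
    with open(path, "w") as f:
        f.write(PYPIRC_TEMPLATE % (username, password))
    if during_window is not None:
        during_window(path)  # a real attacker needs no hook, just timing
    os.chmod(path, 0o600)


def store_pypirc_secure(path, username, password, during_window=None):
    """Ask open(2) for mode 0600 at creation, so no moment exists at which
    the file holds the password with wider permissions. fchmod() covers a
    pre-existing file: O_TRUNC empties it at open time and the mode is fixed
    before the first byte is written. 0600 & ~umask can only get stricter."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
    except OSError:
        os.close(fd)
        raise
    with os.fdopen(fd, "w") as f:  # the file object now owns fd
        f.write(PYPIRC_TEMPLATE % (username, password))
        f.flush()
        if during_window is not None:
            during_window(path)


def demonstrate(writer, umask=0o022, preexisting_mode=None):
    """Run `writer` in a private temp dir under `umask` and return
    (mode seen inside the window, mode after the writer returns).
    With preexisting_mode set, a stale .pypirc with that mode is created
    first, modelling a user whose file was already world-readable."""
    seen = []
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, ".pypirc")
            if preexisting_mode is not None:
                with open(path, "w") as f:
                    f.write("stale contents\n")
                os.chmod(path, preexisting_mode)
            writer(path, "alice", "hunter2",
                   during_window=lambda p: seen.append(file_mode(p)))
            return seen[0], file_mode(path)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, writer in (("insecure", store_pypirc_insecure),
                         ("secure", store_pypirc_secure)):
        window, final = demonstrate(writer)
        print("%-8s in window: %04o   after return: %04o"
              % (name, window, final))
```

Under umask 022 the insecure writer shows 0644 inside the window and 0600 only afterwards; the secure writer shows 0600 at both points, and also when the file already existed with a wider mode, because fchmod() runs before the password is written. The mode argument of os.open is masked by the umask, so 0o600 can only become stricter, never wider, whatever umask the process inherited.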




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#615118; Package python2.6. (Sat, 15 Oct 2011 21:36:07 GMT)


Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Sat, 15 Oct 2011 21:36:08 GMT)


Message #10 received at 615118@bugs.debian.org:

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 615118@bugs.debian.org
Subject: This affects python 2.7
Date: Sat, 15 Oct 2011 23:28:07 +0200
This problem affects python 2.7, too.

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Set Bug forwarded-to-address to 'http://bugs.python.org/issue13512'. Request was from Jakub Wilk <jwilk@debian.org> to control@bugs.debian.org. (Fri, 16 Mar 2012 16:51:08 GMT)


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Wed, 28 Nov 2012 11:51:03 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Wed, 28 Nov 2012 11:51:03 GMT)


Message #17 received at 615118-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 615118-close@bugs.debian.org
Subject: Bug#615118: fixed in python2.6 2.6.8-1
Date: Wed, 28 Nov 2012 11:48:27 +0000
Source: python2.6
Source-Version: 2.6.8-1

We believe that the bug you reported is fixed in the latest version of
python2.6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 615118@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated python2.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 28 Nov 2012 08:48:08 +0100
Source: python2.6
Binary: python2.6 python2.6-minimal libpython2.6 python2.6-examples python2.6-dev idle-python2.6 python2.6-doc python2.6-dbg
Architecture: source all amd64
Version: 2.6.8-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description: 
 idle-python2.6 - IDE for Python (v2.6) using Tkinter
 libpython2.6 - Shared Python runtime library (version 2.6)
 python2.6  - Interactive high-level object-oriented language (version 2.6)
 python2.6-dbg - Debug Build of the Python Interpreter (version 2.6)
 python2.6-dev - Header files and a static library for Python (v2.6)
 python2.6-doc - Documentation for the high-level object-oriented language Python
 python2.6-examples - Examples for the Python language (v2.6)
 python2.6-minimal - Minimal subset of the Python language (version 2.6)
Closes: 615118 639327 639405 645125
Changes: 
 python2.6 (2.6.8-1) unstable; urgency=medium
 .
   * The wininst-* files cannot be built within Debian from the included
     sources, needing a zlib mingw build, which the zlib maintainer isn't
     going to provide. Closes: #639405.
   * Fix determination of Metadata version (issue #8933). Closes: #645125.
   * SECURITY UPDATE: http://bugs.python.org/issue13512
     - debian/patches/CVE-2011-4944.diff: create ~/.pypirc securely
     - CVE-2011-4944. Closes: #615118.
   * SECURITY UPDATE: Fix CGIHTTPServer information disclosure.
     - debian/patches/CVE-2011-1015.diff: Relative paths are now collapsed
       within the url properly before looking in cgi_directories.
     - CVE-2011-1015
   * Add man page for 2to3, copied from 2.7 (Nobuhiro Iwamatsu).
     Closes: #639327.
   * Avoid runtime path for the sqlite extension.
Checksums-Sha1: 
 8e058c55041a9260901e18c4e7455ebea89a2921 2034 python2.6_2.6.8-1.dsc
 187b05462670451e2fb73ff7a659997f91f2bedc 317978 python2.6_2.6.8-1.diff.gz
 8a0a054264166e0f7a81699d46432d2e1f19ec9e 696006 python2.6-examples_2.6.8-1_all.deb
 e9ea84c23f9788a6338b84db3fc2c90d1c0fafc2 298410 idle-python2.6_2.6.8-1_all.deb
 8944643236a3dba7bdade8911d6cc38d3367fb84 5794910 python2.6-doc_2.6.8-1_all.deb
 6b7edd02788424d9e7d9832d4df2a5b80b94c0f9 2504352 python2.6_2.6.8-1_amd64.deb
 20fb23dbabbdad652ea2cb896c9e29e80fe7d84e 1545396 python2.6-minimal_2.6.8-1_amd64.deb
 dfc85148e37dea5ba6648abe700d8acff496d284 1103746 libpython2.6_2.6.8-1_amd64.deb
 40d0ba23b88ca4656534ae0b737a34253306cf6f 4572846 python2.6-dev_2.6.8-1_amd64.deb
 810dd0bcc0aaf34f7e339b091a1eecff0e17fa93 13694248 python2.6-dbg_2.6.8-1_amd64.deb
Checksums-Sha256: 
 de4265b38e72a459a9153dea33db5d836c20aaa8e202c49ca907d141e5b73b68 2034 python2.6_2.6.8-1.dsc
 ae3b2583706447511f6aab70dd52aeb76fd12d800d3a817aef29f66fe8b46f9d 317978 python2.6_2.6.8-1.diff.gz
 e46152ad11fa6571a870337ad7db1f5935ef00f6b8448f0b246b830fe39b86d8 696006 python2.6-examples_2.6.8-1_all.deb
 5b72680fd812747a0cad5816c89c5c670ee6c95b1ad390d4cc9773e25c761a28 298410 idle-python2.6_2.6.8-1_all.deb
 b25c72990a287f24627532e4f2c9cdc3c71a5f9b112acd51ac37ff8d09b7a310 5794910 python2.6-doc_2.6.8-1_all.deb
 20d174ee920ff1180cc17f6da2e53018689da5baccad4b1787705a4c4cd165b0 2504352 python2.6_2.6.8-1_amd64.deb
 9f147bee16a27519e8113338d135f0d369f1051d9f9c800160d75c3fadd55eba 1545396 python2.6-minimal_2.6.8-1_amd64.deb
 83e613f259b984df5c65c5fbe47eae9eafdf4a2327789ba454fc1cecdcfc3d21 1103746 libpython2.6_2.6.8-1_amd64.deb
 f36918254c3c2521ca414c70dfc6917bf41f6c8e8fb53735ed3904aeb9502869 4572846 python2.6-dev_2.6.8-1_amd64.deb
 cc6397375582fa8eb87bcb79d251a9cbf07cf933a170750ffb043f063cab39b9 13694248 python2.6-dbg_2.6.8-1_amd64.deb
Files: 
 076d051b5632e49dfb0792c1b5bbf79a 2034 python optional python2.6_2.6.8-1.dsc
 579b296e9e4ecd72c9e2aba24ebb495f 317978 python optional python2.6_2.6.8-1.diff.gz
 c96b9d3d173060943d4b81781ad64cb4 696006 python optional python2.6-examples_2.6.8-1_all.deb
 46e5bb1532cf76e54c8b1e562b72e28a 298410 python optional idle-python2.6_2.6.8-1_all.deb
 82564495fb690978e06309f18a04d4b8 5794910 doc optional python2.6-doc_2.6.8-1_all.deb
 5e70ea6944b2d7f99a81b3df19c7fbeb 2504352 python standard python2.6_2.6.8-1_amd64.deb
 16942b63f1fc9134baaaab963dc9e5ff 1545396 python standard python2.6-minimal_2.6.8-1_amd64.deb
 1ab408c98625743af49c4c6e198c0a1a 1103746 libs optional libpython2.6_2.6.8-1_amd64.deb
 6b79d5318378aba936fc1c74c5472eac 4572846 python optional python2.6-dev_2.6.8-1_amd64.deb
 bdcf14949e26bc020ef984f45cea69e7 13694248 debug extra python2.6-dbg_2.6.8-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlC19XcACgkQStlRaw+TLJwe5gCffdAxBGuQFeuUQwClxsn65HIC
yJAAn0Kj4+USoj5ysBRfpAtlLJ0hVpai
=cCAR
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#615118; Package python2.6. (Wed, 28 Nov 2012 12:33:17 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Wed, 28 Nov 2012 12:33:17 GMT)


Message #22 received at 615118@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 615118@bugs.debian.org
Subject: Re: python2.6: distutils creates .pypirc insecurely
Date: Wed, 28 Nov 2012 12:15:02 -0000
Package: python2.6

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/615118/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Feb 2013 07:25:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:20:58 2019; Machine Name: buxtehude
