Debian Bug report logs - #650555
python2.7: distutils creates .pypirc insecurely


Package: python2.7; Maintainer for python2.7 is Matthias Klose <doko@debian.org>; Source for python2.7 is src:python2.7.

Reported by: Arne Wichmann <aw@linux.de>

Date: Wed, 30 Nov 2011 20:12:05 UTC

Severity: important

Tags: security

Found in version python2.7/2.7.2-7

Fixed in version python2.7/2.7.3~rc2-2

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#650555; Package python2.7. (Wed, 30 Nov 2011 20:12:08 GMT)

Acknowledgement sent to Arne Wichmann <aw@linux.de>:
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>. (Wed, 30 Nov 2011 20:12:08 GMT)

Message #5 received at submit@bugs.debian.org:

From: Arne Wichmann <aw@linux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python2.7: distutils creates .pypirc insecurely
Date: Wed, 30 Nov 2011 21:03:14 +0100
Package: python2.7
Version: 2.7.2-7
Severity: important
Tags: security

Just to have it visible from python2.7, too:

-- begin citation --
distutils uses this method to create .pypirc:
    def _store_pypirc(self, username, password):
        """Creates a default .pypirc file."""
        rc = self._get_rc_file()
        f = open(rc, 'w')
        try:
            f.write(DEFAULT_PYPIRC % (username, password))
        finally:
            f.close()
        try:
            os.chmod(rc, 0600)
        except OSError:
            # should do something better here
            pass

There is a tiny timing window between write() and chmod() calls in
which the file (with user's password) is world-readable.

--
Jakub Wilk
-- end citation --
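The race described in the citation is easy to make visible: under a permissive umask the file already holds the password while its mode is still 0644. The following Python 3 script (added here; not distutils' own code, and using a constructed stand-in for the DEFAULT_PYPIRC template) reproduces the reported open-then-chmod pattern next to a hardened form that asks the kernel for 0600 at creation and publishes the file with an atomic rename.

```python
import os
import stat
import tempfile

# Constructed stand-in for distutils' DEFAULT_PYPIRC (assumed shape; only the
# username/password slots matter here).
PYPIRC_TEMPLATE = "[pypi]\nusername:%s\npassword:%s\n"


def store_pypirc_unsafe(rc, username, password):
    """The reported pattern: create with the umask-derived mode, then chmod.
    Returns the mode the file had while the password was already on disk."""
    with open(rc, "w") as f:
        f.write(PYPIRC_TEMPLATE % (username, password))
        f.flush()
        exposed = stat.S_IMODE(os.fstat(f.fileno()).st_mode)  # 0644 under umask 022
    os.chmod(rc, 0o600)  # too late: the window between write() and chmod() is the bug
    return exposed


def store_pypirc_safe(rc, username, password):
    """Hardened variant: the kernel creates the file as 0600 (O_EXCL refuses a
    pre-existing path or symlink); an atomic rename then replaces any old .pypirc."""
    tmp = rc + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(PYPIRC_TEMPLATE % (username, password))
            f.flush()
            exposed = stat.S_IMODE(os.fstat(f.fileno()).st_mode)  # 0600 from the start
        os.replace(tmp, rc)
    except BaseException:
        os.unlink(tmp)
        raise
    return exposed


def demo():
    """Run both variants under umask 022; return (unsafe mode, safe mode, final mode)."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            unsafe = store_pypirc_unsafe(os.path.join(d, "unsafe"), "alice", "s3cret")
            safe = store_pypirc_safe(os.path.join(d, "safe"), "alice", "s3cret")
            final = stat.S_IMODE(os.stat(os.path.join(d, "safe")).st_mode)
    finally:
        os.umask(old)
    return unsafe, safe, final
```

demo() returns (0o644, 0o600, 0o600): the unsafe path exposes the password at 0644 until chmod runs, the safe path never does.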




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#650555; Package python2.7. (Tue, 27 Mar 2012 18:51:05 GMT)

Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Tue, 27 Mar 2012 18:51:05 GMT)

Message #10 received at 650555@bugs.debian.org:

From: Kurt Seifried <kseifried@redhat.com>
To: 650555@bugs.debian.org
Subject: Corrected CVE for this issue (wrong year), please use CVE-2011-4944
Date: Tue, 27 Mar 2012 12:48:39 -0600
Corrected CVE for this issue (wrong year), please use CVE-2011-4944

Corrected CVE number as per
http://www.openwall.com/lists/oss-security/2012/03/27/10

-- 
Kurt Seifried Red Hat Security Response Team (SRT)




Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Thu, 05 Apr 2012 17:24:08 GMT)

Notification sent to Arne Wichmann <aw@linux.de>:
Bug acknowledged by developer. (Thu, 05 Apr 2012 17:24:08 GMT)

Message #15 received at 650555-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 650555-close@bugs.debian.org
Subject: Bug#650555: fixed in python2.7 2.7.3~rc2-2
Date: Thu, 05 Apr 2012 17:18:54 +0000
Source: python2.7
Source-Version: 2.7.3~rc2-2

We believe that the bug you reported is fixed in the latest version of
python2.7, which is due to be installed in the Debian FTP archive:

idle-python2.7_2.7.3~rc2-2_all.deb
  to main/p/python2.7/idle-python2.7_2.7.3~rc2-2_all.deb
libpython2.7_2.7.3~rc2-2_amd64.deb
  to main/p/python2.7/libpython2.7_2.7.3~rc2-2_amd64.deb
python2.7-dbg_2.7.3~rc2-2_amd64.deb
  to main/p/python2.7/python2.7-dbg_2.7.3~rc2-2_amd64.deb
python2.7-dev_2.7.3~rc2-2_amd64.deb
  to main/p/python2.7/python2.7-dev_2.7.3~rc2-2_amd64.deb
python2.7-doc_2.7.3~rc2-2_all.deb
  to main/p/python2.7/python2.7-doc_2.7.3~rc2-2_all.deb
python2.7-examples_2.7.3~rc2-2_all.deb
  to main/p/python2.7/python2.7-examples_2.7.3~rc2-2_all.deb
python2.7-minimal_2.7.3~rc2-2_amd64.deb
  to main/p/python2.7/python2.7-minimal_2.7.3~rc2-2_amd64.deb
python2.7_2.7.3~rc2-2.diff.gz
  to main/p/python2.7/python2.7_2.7.3~rc2-2.diff.gz
python2.7_2.7.3~rc2-2.dsc
  to main/p/python2.7/python2.7_2.7.3~rc2-2.dsc
python2.7_2.7.3~rc2-2_amd64.deb
  to main/p/python2.7/python2.7_2.7.3~rc2-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 650555@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated python2.7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Thu, 05 Apr 2012 15:47:03 +0200
Source: python2.7
Binary: python2.7 python2.7-minimal libpython2.7 python2.7-examples python2.7-dev idle-python2.7 python2.7-doc python2.7-dbg
Architecture: source all amd64
Version: 2.7.3~rc2-2
Distribution: unstable
Urgency: low
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description: 
 idle-python2.7 - IDE for Python (v2.7) using Tkinter
 libpython2.7 - Shared Python runtime library (version 2.7)
 python2.7  - Interactive high-level object-oriented language (version 2.7)
 python2.7-dbg - Debug Build of the Python Interpreter (version 2.7)
 python2.7-dev - Header files and a static library for Python (v2.7)
 python2.7-doc - Documentation for the high-level object-oriented language Python
 python2.7-examples - Examples for the Python language (v2.7)
 python2.7-minimal - Minimal subset of the Python language (version 2.7)
Closes: 621374 650555 654783 656763 663874 664529 665346
Changes: 
 python2.7 (2.7.3~rc2-2) unstable; urgency=low
 .
   * Use xdg-open/gvfs-open in Lib/webbrowser.py (Michael Vogt).
     LP: #971311.
   * Add a paragraph about python-foo-dbg packages to README.debug.
     LP: #872050.
   * Disable some tests (no feedback from porters):
     - test_socket on hurd-i386.
     - test_io on amd64.
     - test_signal on kfreebsd-*. Closes: #654783.
     - test_threading on sparc.
   * Tighten build dependency on libexpat-dev. Closes: #665346.
   * Build-depend on db-5.1, don't care about testsuite regressions on
     some esoteric ports.  If packages rely on threaded applications or
     transactions, please use the python-bsddb3 package.
     Closes: #621374.
   * Don't ship the python2 and python2-config symlinks, move these
     to the python-minimal and python-dev packages. Closes: #663874.
   * Remove PVER-doc.doc-base.PVER-doc.in. Closes: #656763.
   * Update symbols files.
   * Avoid runtime path for the sqlite extension.
   * CVE-2011-4944, distutils creates ~/.pypirc insecurely. Closes: #650555.
   * Fix issue #14505, file descriptor leak when deallocating file objects
     created with PyFile_FromString(). Closes: #664529.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 05 Jul 2012 07:40:21 GMT)

Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Tue, 31 Jul 2012 12:00:11 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#650555; Package python2.7. (Tue, 31 Jul 2012 14:30:03 GMT)

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Tue, 31 Jul 2012 14:30:03 GMT)

Message #24 received at 650555@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 650555@bugs.debian.org
Subject: Re: python2.7: distutils creates .pypirc insecurely
Date: Tue, 31 Jul 2012 13:45:31 -0000
Package: python2.7

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/650555/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 29 Aug 2012 07:28:55 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 09:18:49 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.