classification
Title: ~/.pypirc created insecurely
Type: behavior Stage: resolved
Components: Distutils, Distutils2 Versions: Python 3.4, Python 3.3, Python 3.2, Python 2.7, 3rd party
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: eric.araujo Nosy List: Vincent.Danen, alexis, barry, benjamin.peterson, eric.araujo, jwilk, loewis, pitrou, pjenvey, python-dev, tarek, techtonik
Priority: high Keywords: easy, patch

Created on 2011-11-30 23:23 by Vincent.Danen, last changed 2013-02-18 22:45 by techtonik. This issue is now closed.

Files
File name Uploaded Description Edit
pypirc-secure.diff pjenvey, 2011-12-01 01:07 review
Messages (19)
msg148697 - (view) Author: Vincent Danen (Vincent.Danen) Date: 2011-11-30 23:23
A bug was reported in python's distutils in that ~/.pypirc was created insecurely by first creating and writing user/password information to the file, then chmod'ing it to 0600.

Perhaps the file should be created (empty), chmod'd, and then written to or perhaps tempfile.mkstemp() could be used to create the file and then move it in-place.

On systems where /home/user is 0700 by default this isn't a problem, but there is a race condition that could possibly (although the window would be small) to expose credentials in a home directory that is 0755, for instance.

I searched and couldn't find a similar report here, so decided to make upstream aware of the bug reported to Debian.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650555
https://bugzilla.redhat.com/show_bug.cgi?id=758905
msg148699 - (view) Author: Philip Jenvey (pjenvey) * (Python committer) Date: 2011-12-01 01:07
Something along these lines (untested) should do it. 2.6 and 3.x need the fix as well
msg148700 - (view) Author: Philip Jenvey (pjenvey) * (Python committer) Date: 2011-12-01 01:09
It probably still needs to catch OSErrors which my patch doesn't do
msg148724 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2011-12-01 14:12
Thanks for the report Vincent.  Philip, your patch looks good, except that the code cannot use the with statement due to PEP 291 (I’ll take care of that).  2.5 is also affected (the code is in the distutils.command.register module).

I don’t think we can write a test for this bug.

Barry, Martin, do you think this important enough for the versions in security mode?  (I’ve forgotten whether 2.5 is still in security mode or not, and can’t find the info online).
msg148729 - (view) Author: Philip Jenvey (pjenvey) * (Python committer) Date: 2011-12-01 17:41
2.5 is done http://mail.python.org/pipermail/python-committers/2011-October/001844.html
msg156109 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2012-03-16 23:40
Barry, Benjamin: I’d like to fix this but am not sure if it should apply to 2.6 and 3.1 too.  It does not look like a major flaw (see for example the assessment on the Red Hat bug page).
msg156177 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2012-03-17 17:10
I don't think it's worth fixing in Python 2.6, at least not in 2.6.8 which is ready for rc2 today.
msg156224 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2012-03-18 02:07
Check it in. It looks innocent enough to put in 2.7.3 final.
msg156225 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2012-03-18 02:12
On the other hand, it doesn't seem to be a very pressing issue, so let's wait for 2.7.4.
msg156226 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2012-03-18 02:20
Alright, I’ll commit normally to the stable and development versions, skipping the security-mode branches.
msg163117 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-06-18 19:58
Eric, do you plan to fix this soon? Linux distributions have started patched their Pythons manually.
msg163724 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2012-06-24 06:28
Do you have links to those patches?
msg163762 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-06-24 10:35
I have a link to the Mageia patch:

http://svnweb.mageia.org/packages/cauldron/python/current/SOURCES/python-2.7.3-upstream-pypirc-secure.patch?revision=261722&view=markup
msg163816 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2012-06-24 18:03
And I see that doko has applied the same patch for Debian and derivatives: http://patch-tracker.debian.org/patch/series/view/python2.7/2.7.3~rc2-2.1/pypirc-secure.diff  Will commit today.

Release managers: there are CVE and ocert numbers for this; do we take that as indication that it should be fixed in security releases too or do we stand by our own assessment?
msg164573 - (view) Author: Roundup Robot (python-dev) Date: 2012-07-03 05:23
New changeset f833e7ec4de1 by Éric Araujo in branch '2.7':
Create ~/.pypirc securely (#13512).
http://hg.python.org/cpython/rev/f833e7ec4de1
msg164576 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2012-07-03 05:27
Will port to 3.2 soon.

Release managers: there are CVE and ocert numbers for this; do we take that as indication that it should be fixed in security releases too or do we stand by our own assessment that it’s just a bugfix?
msg177194 - (view) Author: Roundup Robot (python-dev) Date: 2012-12-09 03:57
New changeset 4a2814f24a10 by Éric Araujo in branch '3.2':
Create ~/.pypirc securely (#13512).
http://hg.python.org/cpython/rev/4a2814f24a10

New changeset 10ab746f55fb by Éric Araujo in branch '3.3':
Merge fixes for #13614, #13512 and #7719 from 3.2
http://hg.python.org/cpython/rev/10ab746f55fb

New changeset b10c1c6f869f by Éric Araujo in branch 'default':
Merge fixes for #13614, #13512 and #7719 from 3.3
http://hg.python.org/cpython/rev/b10c1c6f869f
msg177212 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-12-09 13:03
Thank you Eric!
msg182344 - (view) Author: anatoly techtonik (techtonik) Date: 2013-02-18 22:45
CVE-2011-4944
History
Date User Action Args
2013-02-18 22:45:20techtoniksetnosy: + techtonik
messages: + msg182344
2012-12-09 13:03:57pitrousetmessages: + msg177212
2012-12-09 04:06:08eric.araujosetstatus: open -> closed
stage: patch review -> resolved
resolution: fixed
versions: + Python 3.4
2012-12-09 03:57:21python-devsetmessages: + msg177194
2012-07-03 05:27:11eric.araujosetmessages: + msg164576
2012-07-03 05:23:53python-devsetnosy: + python-dev
messages: + msg164573
2012-06-24 18:03:26eric.araujosetpriority: normal -> high

messages: + msg163816
2012-06-24 10:35:51pitrousetmessages: + msg163762
2012-06-24 06:28:06eric.araujosetmessages: + msg163724
2012-06-18 19:58:52pitrousetnosy: + pitrou
messages: + msg163117
2012-03-18 02:20:25eric.araujosettype: security -> behavior
messages: + msg156226
2012-03-18 02:12:57benjamin.petersonsetmessages: + msg156225
2012-03-18 02:07:55benjamin.petersonsetmessages: + msg156224
2012-03-17 17:10:10barrysetmessages: + msg156177
2012-03-16 23:40:44eric.araujosetversions: + 3rd party
nosy: + alexis, benjamin.peterson

messages: + msg156109

components: + Distutils2
keywords: + easy
2012-03-16 16:50:47jwilksetnosy: + jwilk
2011-12-01 17:41:30pjenveysetmessages: + msg148729
2011-12-01 14:12:41eric.araujosetversions: + Python 3.2, Python 3.3
nosy: + loewis, barry

messages: + msg148724

assignee: tarek -> eric.araujo
stage: patch review
2011-12-01 01:09:46pjenveysetmessages: + msg148700
2011-12-01 01:07:01pjenveysetfiles: + pypirc-secure.diff

nosy: + pjenvey
messages: + msg148699

keywords: + patch
2011-11-30 23:23:22Vincent.Danencreate