Message276649
Um, you know this still affects Python 2.7 right?
Yes, I realize that it's not going to be very practical to change the default installation path for 2.7, but that doesn't make the issue disappear, nor is that the only way to close the hole.
Which is to say, the 2.7 installer should be changed to tighten the permissions on the installation directory when doing an "all-users" install (even if the directory already exists, though in that case it might make sense for it to be optional).
(I suppose the same logic applies to any other version < 3.5 that's still getting security updates, too?)
P.S. Does this count as CVE-2012-5379, even though that was reported against ActiveState's distribution?
I'm pretty sure it's an instance of CWE-276 <https://cwe.mitre.org/data/definitions/276.html>, at any rate. |
|
Date |
User |
Action |
Args |
2016-09-16 00:30:25 | SamB | set | recipients:
+ SamB, tim.peters, loewis, mhammond, nnorwitz, georg.brandl, jaraco, pitrou, mel, dsmiller, norvellspearman, giampaolo.rodola, carlfk, tim.golden, ezio.melotti, r.david.murray, michael.foord, flox, fran.rogers, BreamoreBoy, Gynvael.Coldwind, eryksun, steve.dower, Friedrich.Spee.von.Langenfeld |
2016-09-16 00:30:24 | SamB | set | messageid: <1473985824.76.0.150548017953.issue1284316@psf.upfronthosting.co.za> |
2016-09-16 00:30:24 | SamB | link | issue1284316 messages |
2016-09-16 00:30:23 | SamB | create | |
|