Author SamB
Recipients BreamoreBoy, Friedrich.Spee.von.Langenfeld, Gynvael.Coldwind, SamB, carlfk, dsmiller, eryksun, ezio.melotti, flox, fran.rogers, georg.brandl, giampaolo.rodola, jaraco, loewis, mel, mhammond, michael.foord, nnorwitz, norvellspearman, pitrou, r.david.murray, steve.dower, tim.golden, tim.peters
Date 2016-09-16.00:30:23
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1473985824.76.0.150548017953.issue1284316@psf.upfronthosting.co.za>
In-reply-to
Content
Um, you know this still affects Python 2.7 right?

Yes, I realize that it's not going to be very practical to change the default installation path for 2.7, but that doesn't make the issue disappear, nor is that the only way to close the hole.

Which is to say, the 2.7 installer should be changed to tighten the permissions on the installation directory when doing an "all-users" install (even if the directory already exists, though in that case it might make sense for it to be optional).

(I suppose the same logic applies to any other version < 3.5 that's still getting security updates, too?)


P.S. Does this count as CVE-2012-5379, even though that was reported against ActiveState's distribution?

I'm pretty sure it's an instance of CWE-276 <https://cwe.mitre.org/data/definitions/276.html>, at any rate.
History
Date User Action Args
2016-09-16 00:30:25SamBsetrecipients: + SamB, tim.peters, loewis, mhammond, nnorwitz, georg.brandl, jaraco, pitrou, mel, dsmiller, norvellspearman, giampaolo.rodola, carlfk, tim.golden, ezio.melotti, r.david.murray, michael.foord, flox, fran.rogers, BreamoreBoy, Gynvael.Coldwind, eryksun, steve.dower, Friedrich.Spee.von.Langenfeld
2016-09-16 00:30:24SamBsetmessageid: <1473985824.76.0.150548017953.issue1284316@psf.upfronthosting.co.za>
2016-09-16 00:30:24SamBlinkissue1284316 messages
2016-09-16 00:30:23SamBcreate