oss-sec mailing list archives
Re: CVE request: distutils creates ~/.pypirc insecurely
From: Vincent Danen <vdanen () redhat com>
Date: Tue, 27 Mar 2012 12:30:22 -0600
* [2012-03-27 16:39:37 +0200] Jakub Wilk wrote:

> * Vincent Danen <vdanen () redhat com>, 2012-03-27, 08:15:
> > Standard flaw where a file that contains a username and password is written with insecure permissions. This only affects python 2.6 and higher.
>
> I see the vulnerable code in Python 2.3.7, 2.4.6 and 2.5.6, too.

Aha, thanks. I do see it as well in Lib/distutils/command/register.py where it offers to save the username/password.

--
Vincent Danen / Red Hat Security Response Team
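
Added example, not part of the original message and not the distutils code: a Python sketch of the flaw class discussed in this thread, showing a credentials file created with umask-derived permissions next to an owner-only version, plus a check for group/other access bits. The function names and the sample file contents are constructed for illustration; it assumes a POSIX system.

```python
import os
import stat
import tempfile

# Constructed sample credentials file content (not real credentials).
SAMPLE_RC = "[server-login]\nusername:alice\npassword:example-only\n"


def write_rc_insecure(path, content):
    """Flawed pattern: the mode comes from the process umask (often 0644)."""
    with open(path, "w") as f:
        f.write(content)


def write_rc_secure(path, content):
    """Create the file owner-only from the start, so there is no window
    in which other local users can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        # The mode argument is ignored if the file already existed,
        # so tighten it before any secret is written.
        os.fchmod(fd, 0o600)
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "w") as f:
        f.write(content)


def group_or_other_access(path):
    """Return the group/other permission bits set on path (0 = owner-only)."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def demo():
    """Write both ways under a permissive umask and return the exposed bits."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            bad = os.path.join(d, "pypirc-insecure")
            good = os.path.join(d, "pypirc-secure")
            write_rc_insecure(bad, SAMPLE_RC)
            write_rc_secure(good, SAMPLE_RC)
            return group_or_other_access(bad), group_or_other_access(good)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print("insecure: %o, secure: %o" % demo())
```

Running `group_or_other_access(os.path.expanduser("~/.pypirc"))` on an existing file returns a non-zero value when it is accessible to group or other users.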