A bug was reported in python's distutils in that ~/.pypirc was created insecurely by first creating and writing user/password information to the file, then chmod'ing it to 0600.

Perhaps the file should be created (empty), chmod'd, and then written to or perhaps tempfile.mkstemp() could be used to create the file and then move it in-place.

On systems where /home/user is 0700 by default this isn't a problem, but there is a race condition that could possibly (although the window would be small) to expose credentials in a home directory that is 0755, for instance.

I searched and couldn't find a similar report here, so decided to make upstream aware of the bug reported to Debian.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650555
https://bugzilla.redhat.com/show_bug.cgi?id=758905

Something along these lines (untested) should do it. 2.6 and 3.x need the fix as well

It probably still needs to catch OSErrors which my patch doesn't do

Thanks for the report Vincent.  Philip, your patch looks good, except that the code cannot use the with statement due to PEP 291 (I’ll take care of that).  2.5 is also affected (the code is in the distutils.command.register module).

I don’t think we can write a test for this bug.

Barry, Martin, do you think this important enough for the versions in security mode?  (I’ve forgotten whether 2.5 is still in security mode or not, and can’t find the info online).

2.5 is done http://mail.python.org/pipermail/python-committers/2011-October/001844.html

Barry, Benjamin: I’d like to fix this but am not sure if it should apply to 2.6 and 3.1 too.  It does not look like a major flaw (see for example the assessment on the Red Hat bug page).

I don't think it's worth fixing in Python 2.6, at least not in 2.6.8 which is ready for rc2 today.

Check it in. It looks innocent enough to put in 2.7.3 final.

On the other hand, it doesn't seem to be a very pressing issue, so let's wait for 2.7.4.

Alright, I’ll commit normally to the stable and development versions, skipping the security-mode branches.

Eric, do you plan to fix this soon? Linux distributions have started patched their Pythons manually.

Do you have links to those patches?

I have a link to the Mageia patch:

http://svnweb.mageia.org/packages/cauldron/python/current/SOURCES/python-2.7.3-upstream-pypirc-secure.patch?revision=261722&view=markup

And I see that doko has applied the same patch for Debian and derivatives: http://patch-tracker.debian.org/patch/series/view/python2.7/2.7.3~rc2-2.1/pypirc-secure.diff  Will commit today.

Release managers: there are CVE and ocert numbers for this; do we take that as indication that it should be fixed in security releases too or do we stand by our own assessment?

New changeset f833e7ec4de1 by Éric Araujo in branch '2.7':
Create ~/.pypirc securely (#13512).
http://hg.python.org/cpython/rev/f833e7ec4de1

Will port to 3.2 soon.

Release managers: there are CVE and ocert numbers for this; do we take that as indication that it should be fixed in security releases too or do we stand by our own assessment that it’s just a bugfix?

New changeset 4a2814f24a10 by Éric Araujo in branch '3.2':
Create ~/.pypirc securely (#13512).
http://hg.python.org/cpython/rev/4a2814f24a10

New changeset 10ab746f55fb by Éric Araujo in branch '3.3':
Merge fixes for #13614, #13512 and #7719 from 3.2
http://hg.python.org/cpython/rev/10ab746f55fb

New changeset b10c1c6f869f by Éric Araujo in branch 'default':
Merge fixes for #13614, #13512 and #7719 from 3.3
http://hg.python.org/cpython/rev/b10c1c6f869f

Thank you Eric!

CVE-2011-4944

messages: + msg163816

messages: + msg156109

components: + Distutils2
keywords: + easy

messages: + msg148724

assignee: tarek -> eric.araujo
stage: patch review

nosy: + pjenvey
messages: + msg148699

keywords: + patch