CVE-2011-4944
Priority
Low
Description
Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions
before changing them after data has been written, which introduces a race
condition that allows local users to obtain a username and password by
reading this file.
before changing them after data has been written, which introduces a race
condition that allows local users to obtain a username and password by
reading this file.
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4944
http://www.openwall.com/lists/oss-security/2012/03/27
http://www.ubuntu.com/usn/usn-1592-1
http://www.ubuntu.com/usn/usn-1596-1
http://www.ubuntu.com/usn/usn-1613-1
http://www.ubuntu.com/usn/usn-1613-2
http://www.ubuntu.com/usn/usn-1615-1
http://www.ubuntu.com/usn/usn-1616-1
http://www.openwall.com/lists/oss-security/2012/03/27
http://www.ubuntu.com/usn/usn-1592-1
http://www.ubuntu.com/usn/usn-1596-1
http://www.ubuntu.com/usn/usn-1613-1
http://www.ubuntu.com/usn/usn-1613-2
http://www.ubuntu.com/usn/usn-1615-1
http://www.ubuntu.com/usn/usn-1616-1
Bugs
Notes
tyhicks> Code in Lib/distutils/command/register.py in 2.4 and 2.5
Assigned-to
jdstrand
Package
| Upstream: | pending (2.7.3~rc2-2) |
| Ubuntu 8.04 LTS (Hardy Heron): | DNE |
| Ubuntu 10.04 LTS (Lucid Lynx): | DNE |
| Ubuntu 11.10 (Oneiric Ocelot): | released (2.7.2-5ubuntu1.1) |
| Ubuntu 12.04 LTS (Precise Pangolin): | not-affected (2.7.3~rc2-2) |
| Ubuntu 12.10 (Quantal Quetzal): | not-affected |
| Ubuntu 13.04 (Raring Ringtail): | not-affected |
Patches:
| Upstream: | http://hg.python.org/cpython/rev/f833e7ec4de1/ |
Package
| Upstream: | needed |
| Ubuntu 8.04 LTS (Hardy Heron): | DNE |
| Ubuntu 10.04 LTS (Lucid Lynx): | released (2.6.5-1ubuntu6.1) |
| Ubuntu 11.10 (Oneiric Ocelot): | released (2.6.7-4ubuntu1.1) |
| Ubuntu 12.04 LTS (Precise Pangolin): | DNE |
| Ubuntu 12.10 (Quantal Quetzal): | DNE |
| Ubuntu 13.04 (Raring Ringtail): | DNE |
Patches:
| Upstream: | http://bugs.python.org/file23824/pypirc-secure.diff |
Package
| Upstream: | needed |
| Ubuntu 8.04 LTS (Hardy Heron): | released (2.5.2-2ubuntu6.2) |
| Ubuntu 10.04 LTS (Lucid Lynx): | DNE |
| Ubuntu 11.10 (Oneiric Ocelot): | DNE |
| Ubuntu 12.04 LTS (Precise Pangolin): | DNE |
| Ubuntu 12.10 (Quantal Quetzal): | DNE |
| Ubuntu 13.04 (Raring Ringtail): | DNE |
Package
| Upstream: | needed |
| Ubuntu 8.04 LTS (Hardy Heron): | released (2.4.5-1ubuntu4.4) |
| Ubuntu 10.04 LTS (Lucid Lynx): | DNE |
| Ubuntu 11.10 (Oneiric Ocelot): | DNE |
| Ubuntu 12.04 LTS (Precise Pangolin): | DNE |
| Ubuntu 12.10 (Quantal Quetzal): | DNE |
| Ubuntu 13.04 (Raring Ringtail): | DNE |
Package
| Upstream: | needed |
| Ubuntu 8.04 LTS (Hardy Heron): | DNE |
| Ubuntu 10.04 LTS (Lucid Lynx): | DNE |
| Ubuntu 11.10 (Oneiric Ocelot): | released (3.2.2-0ubuntu1.1) |
| Ubuntu 12.04 LTS (Precise Pangolin): | released (3.2.3-0ubuntu3.2) |
| Ubuntu 12.10 (Quantal Quetzal): | released (3.2.3-6ubuntu3.1) |
| Ubuntu 13.04 (Raring Ringtail): | DNE |
Patches:
| Upstream: | http://bugs.python.org/file23824/pypirc-secure.diff |
Package
| Upstream: | needed |
| Ubuntu 8.04 LTS (Hardy Heron): | DNE |
| Ubuntu 10.04 LTS (Lucid Lynx): | DNE |
| Ubuntu 11.10 (Oneiric Ocelot): | DNE |
| Ubuntu 12.04 LTS (Precise Pangolin): | DNE |
| Ubuntu 12.10 (Quantal Quetzal): | needed |
| Ubuntu 13.04 (Raring Ringtail): | needed |
Patches:
| Upstream: | http://bugs.python.org/file23.34/pypirc-secure.diff |
Package
| Upstream: | needed |
| Ubuntu 8.04 LTS (Hardy Heron): | DNE |
| Ubuntu 10.04 LTS (Lucid Lynx): | released (3.1.2-0ubuntu3.2) |
| Ubuntu 11.10 (Oneiric Ocelot): | DNE |
| Ubuntu 12.04 LTS (Precise Pangolin): | DNE |
| Ubuntu 12.10 (Quantal Quetzal): | DNE |
| Ubuntu 13.04 (Raring Ringtail): | DNE |
Patches:
| Upstream: | http://bugs.python.org/file23824/pypirc-secure.diff |