[issue13512] ~/.pypirc created insecurely

2013-02-18 Thread anatoly techtonik
anatoly techtonik added the comment: CVE-2011-4944 -- nosy: +techtonik

[issue13512] ~/.pypirc created insecurely

2012-12-09 Thread Antoine Pitrou
Antoine Pitrou added the comment: Thank you Eric!

[issue13512] ~/.pypirc created insecurely

2012-12-08 Thread Éric Araujo
Changes by Éric Araujo: -- resolution: -> fixed stage: patch review -> committed/rejected status: open -> closed versions: +Python 3.4

[issue13512] ~/.pypirc created insecurely

2012-12-08 Thread Roundup Robot
Roundup Robot added the comment: New changeset 4a2814f24a10 by Éric Araujo in branch '3.2': Create ~/.pypirc securely (#13512). http://hg.python.org/cpython/rev/4a2814f24a10 New changeset 10ab746f55fb by Éric Araujo in branch '3.3': Merge fixes for #13614, #13512 and #7719 from 3.2 http://hg.pyt

[issue13512] ~/.pypirc created insecurely

2012-07-02 Thread Éric Araujo
Éric Araujo added the comment: Will port to 3.2 soon. Release managers: there are CVE and ocert numbers for this; do we take that as indication that it should be fixed in security releases too or do we stand by our own assessment that it’s just a bugfix?

[issue13512] ~/.pypirc created insecurely

2012-07-02 Thread Roundup Robot
Roundup Robot added the comment: New changeset f833e7ec4de1 by Éric Araujo in branch '2.7': Create ~/.pypirc securely (#13512). http://hg.python.org/cpython/rev/f833e7ec4de1 -- nosy: +python-dev

[issue13512] ~/.pypirc created insecurely

2012-06-24 Thread Éric Araujo
Éric Araujo added the comment: And I see that doko has applied the same patch for Debian and derivatives: http://patch-tracker.debian.org/patch/series/view/python2.7/2.7.3~rc2-2.1/pypirc-secure.diff Will commit today. Release managers: there are CVE and ocert numbers for this; do we take tha

[issue13512] ~/.pypirc created insecurely

2012-06-24 Thread Antoine Pitrou
Antoine Pitrou added the comment: I have a link to the Mageia patch: http://svnweb.mageia.org/packages/cauldron/python/current/SOURCES/python-2.7.3-upstream-pypirc-secure.patch?revision=261722&view=markup

[issue13512] ~/.pypirc created insecurely

2012-06-23 Thread Éric Araujo
Éric Araujo added the comment: Do you have links to those patches?

[issue13512] ~/.pypirc created insecurely

2012-06-18 Thread Antoine Pitrou
Antoine Pitrou added the comment: Eric, do you plan to fix this soon? Linux distributions have started patching their Pythons manually. -- nosy: +pitrou

[issue13512] ~/.pypirc created insecurely

2012-03-17 Thread Éric Araujo
Éric Araujo added the comment: Alright, I’ll commit normally to the stable and development versions, skipping the security-mode branches. -- type: security -> behavior

[issue13512] ~/.pypirc created insecurely

2012-03-17 Thread Benjamin Peterson
Benjamin Peterson added the comment: On the other hand, it doesn't seem to be a very pressing issue, so let's wait for 2.7.4.

[issue13512] ~/.pypirc created insecurely

2012-03-17 Thread Benjamin Peterson
Benjamin Peterson added the comment: Check it in. It looks innocent enough to put in 2.7.3 final.

[issue13512] ~/.pypirc created insecurely

2012-03-17 Thread Barry A. Warsaw
Barry A. Warsaw added the comment: I don't think it's worth fixing in Python 2.6, at least not in 2.6.8 which is ready for rc2 today.

[issue13512] ~/.pypirc created insecurely

2012-03-16 Thread Éric Araujo
Éric Araujo added the comment: Barry, Benjamin: I’d like to fix this but am not sure if it should apply to 2.6 and 3.1 too. It does not look like a major flaw (see for example the assessment on the Red Hat bug page). -- components: +Distutils2 keywords: +easy nosy: +alexis, benjamin.

[issue13512] ~/.pypirc created insecurely

2012-03-16 Thread Jakub Wilk
Changes by Jakub Wilk: -- nosy: +jwilk

[issue13512] ~/.pypirc created insecurely

2011-12-01 Thread Philip Jenvey
Philip Jenvey added the comment: 2.5 is done http://mail.python.org/pipermail/python-committers/2011-October/001844.html

[issue13512] ~/.pypirc created insecurely

2011-12-01 Thread Éric Araujo
Éric Araujo added the comment: Thanks for the report Vincent. Philip, your patch looks good, except that the code cannot use the with statement due to PEP 291 (I’ll take care of that). 2.5 is also affected (the code is in the distutils.command.register module). I don’t think we can write a

[issue13512] ~/.pypirc created insecurely

2011-11-30 Thread Philip Jenvey
Philip Jenvey added the comment: It probably still needs to catch OSErrors which my patch doesn't do

[issue13512] ~/.pypirc created insecurely

2011-11-30 Thread Philip Jenvey
Philip Jenvey added the comment: Something along these lines (untested) should do it. 2.6 and 3.x need the fix as well -- keywords: +patch nosy: +pjenvey Added file: http://bugs.python.org/file23824/pypirc-secure.diff

[issue13512] ~/.pypirc created insecurely

2011-11-30 Thread Vincent Danen
New submission from Vincent Danen: A bug was reported in python's distutils in that ~/.pypirc was created insecurely by first creating and writing user/password information to the file, then chmod'ing it to 0600. Perhaps the file should be created (empty), chmod'd, and then written to or per
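
Added example, not part of the thread and not the committed patch: a Python sketch of the window the report describes, where the file already holds the password before chmod runs, beside a variant that passes mode 0600 to the call that creates the file. The function names, file names and sample credentials are constructed for illustration; POSIX only.

```python
import os
import stat
import tempfile

# Constructed sample content, not real credentials.
CONTENT = "[server-login]\nusername:alice\npassword:constructed-example\n"

def write_then_chmod(path):
    """Pattern from the report: write the credentials, chmod afterwards.
    Returns the mode the file had while it already contained the password."""
    with open(path, "w") as f:
        f.write(CONTENT)
    exposed = stat.S_IMODE(os.stat(path).st_mode)  # 0o666 & ~umask
    os.chmod(path, 0o600)
    return exposed

def create_restricted(path):
    """Hardened variant: the mode is applied by the creating syscall.
    Returns the mode observed before any data is written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        # O_CREAT leaves the mode of an existing file alone, so tighten it
        # through the descriptor before writing anything.
        os.fchmod(fd, 0o600)
        mode_before_write = stat.S_IMODE(os.fstat(fd).st_mode)
        with os.fdopen(fd, "w") as f:
            fd = None  # the file object now owns the descriptor
            f.write(CONTENT)
    finally:
        if fd is not None:
            os.close(fd)
    return mode_before_write

def demo():
    old_umask = os.umask(0o022)  # a common default, fixed for repeatability
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = write_then_chmod(os.path.join(d, "pypirc-racy"))
            fresh = create_restricted(os.path.join(d, "pypirc-fresh"))
            stale = os.path.join(d, "pypirc-stale")
            open(stale, "w").close()  # pre-existing file, mode 0o644
            reused = create_restricted(stale)
            return racy, fresh, reused
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print([oct(m) for m in demo()])
```
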