From: Éric Araujo
Date: Tue, 3 Jul 2012 05:23:46 +0000 (-0400)
Subject: Create ~/.pypirc securely (#13512).
X-Git-Tag: v2.7.4rc1~720
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5567ccc863cadb68f5e57a2760e021e0d3807cf;p=thirdparty%2FPython%2Fcpython.git

Create ~/.pypirc securely (#13512).

There was a window between the write and the chmod where the user’s password would be exposed, depending on default permissions. Philip Jenvey’s patch fixes it.
---
diff --git a/Lib/distutils/config.py b/Lib/distutils/config.py
index afa403f2daae..9d8b30ea30c6 100644
--- a/Lib/distutils/config.py
+++ b/Lib/distutils/config.py
@@ -42,7 +42,7 @@ class PyPIRCCommand(Command):
     def _store_pypirc(self, username, password):
         """Creates a default .pypirc file."""
         rc = self._get_rc_file()
-        f = open(rc, 'w')
+        f = os.fdopen(os.open(rc, os.O_CREAT | os.O_WRONLY, 0600), 'w')
         try:
             f.write(DEFAULT_PYPIRC % (username, password))
         finally:
diff --git a/Misc/ACKS b/Misc/ACKS
index fed05535d900..548279a7b107 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -412,6 +412,7 @@ Bill Janssen
 Thomas Jarosch
 Drew Jenkins
 Flemming Kjær Jensen
+Philip Jenvey
 Jiba
 Orjan Johansen
 Fredrik Johansson
diff --git a/Misc/NEWS b/Misc/NEWS
index 063a6dbf3efb..baea13ae0085 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -14,6 +14,9 @@ Core and Builtins
   longer raised due to a read system call returning EINTR from within these methods.
+- Issue #13512: Create ~/.pypirc securely (CVE-2011-4944). Initial patch by
+  Philip Jenvey, tested by Mageia and Debian.
+
 - Issue #7719: Make distutils ignore ``.nfs*`` files instead of choking later on. Initial patch by SilentGhost and Jeff Ramnani.
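Review bot: The new os.open() flags on the `+` line in Lib/distutils/config.py omit os.O_TRUNC, so when ~/.pypirc already exists and is longer than the new contents, the old tail survives past the freshly written text and the file is left with stale, possibly unparsable bytes; `f = os.fdopen(os.open(rc, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0600), 'w')` keeps the truncating semantics that the removed `open(rc, 'w')` had. The 0600 mode is also applied only when os.open() creates the file, so a pre-existing ~/.pypirc keeps whatever mode it already has; if the chmod the commit message refers to was dropped (the body of _store_pypirc continues past the end of the hunk), the password would still be written into a file with looser permissions, and either keeping that chmod or checking the mode of an existing file is worth confirming. A one-line comment above the call, `# create with mode 0600 from the start so the password is never readable by others, even briefly`, would record why the plain open() was replaced and stop a future cleanup from reverting it.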