oss-sec mailing list archives
Re: CVE Request: Python keyring
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 27 Nov 2012 00:32:10 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/22/2012 06:38 AM, Matthias Weckbecker wrote:
Hi Marc, On Monday 19 November 2012 17:09:07 Marc Deslauriers wrote:On 12-11-16 11:14 AM, Marc Deslauriers wrote:Hello, Python keyring before 0.10 created keyring files world-readable by default.[...]Could a CVE please be assigned to this issue?Actually, that fix only changes the permissions on database files that were migrated from previous versions, it doesn't fix permissions on newly created database files. It would appear python-keyring still creates new database files with inappropriate permissions.New bug report seems to be at [1], I assume. Has there already been a CVE assigned actually? [1] http://bitbucket.org/kang/python-keyring-lib/issue/76/insecure-database-file-permissions
(with patches attached too)
Marc.Thanks, Matthias
Please use CVE-2012-5578 for this issue, Python keyring 0.10 new keyring creation file permissions, due to partial fix for CVE-2012-5577. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQtGx6AAoJEBYNRVNeJnmTGvsQANYU3Qp5iLgLUznJwvJjBS4m uVR7tkwGBvBiIDyQHwenFxHlTyQyeNqFptAs7wVKwvbBTAjIhltASP6kvFASR9EP PKGPYqyHpNokxf4KSHT2/X9dBe2nqEbFgn0WouMYSVqBWTjxhMi7fFhpWu25nirC uwEYn3SnuyCfg9aSLTVxRKq49hMSp6Wh1bkyxAqpDrKyB1K72yNQkDMhhI4RXDmW sFLKb/kNDQ3IH5SXdnp3PRFtgSmRy8h7Yq5P7OusTi+it9vSRtb/pN4OWEonCLc5 ueI4MOVtvi57ppuQbn53BmjnqqtvUgxP0DnzRC0fP9mw7EkN5LXYrOLxhMYjoKoy Q+myrUYcypRQAZbfiX9FsBsTja9aOOyyqNHodiG1IWmuCjPaVIt7L90yh3d/jmRH ccrdsI/jXlw9cZR/pHRgM5BpFibe+baBuJo8zQIBVZutQj6nTKgEBwi/xjY5ubH/ hEZPhFGZKpPKYvdr0Nnc3SapEpNl+WdTggBZuhJLpY9cRHStjxHb4QWhfZrfeezN evbwlRARADVKEBjXfu5/GSouweoaX0Mdd9s2tTOrPVfQNoDUM7yDDhROiT2IK1lE SYcZZ2H8dMQAWRW19UHVEMGIvUS5k+Xqu3fxibyycDvbgEc/S7n3PKsrVpn+s96G WdYifVcXHKIMDXUO1ICC =Zzx9 -----END PGP SIGNATURE-----
Current thread:
- CVE Request: Python keyring Marc Deslauriers (Oct 05)
- Re: CVE Request: Python keyring Raphael Geissert (Oct 30)
- Re: CVE Request: Python keyring Kurt Seifried (Oct 31)
- <Possible follow-ups>
- CVE Request: Python keyring Marc Deslauriers (Nov 16)
- Re: CVE Request: Python keyring Marc Deslauriers (Nov 19)
- Re: CVE Request: Python keyring Matthias Weckbecker (Nov 22)
- Re: CVE Request: Python keyring Kurt Seifried (Nov 26)
- Re: CVE Request: Python keyring Marc Deslauriers (Nov 19)
- Re: CVE Request: Python keyring Kurt Seifried (Nov 26)
- Re: CVE Request: Python keyring Raphael Geissert (Oct 30)