List: oss-security
Subject: Re: [oss-security] CVE Request: Python keyring
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2012-11-27 7:32:10
Message-ID: 50B46C7A.2000505 () redhat ! com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/22/2012 06:38 AM, Matthias Weckbecker wrote:
> Hi Marc,
>
> On Monday 19 November 2012 17:09:07 Marc Deslauriers wrote:
>> On 12-11-16 11:14 AM, Marc Deslauriers wrote:
>>> Hello,
>>>
>>> Python keyring before 0.10 created keyring files world-readable
>>> by default.
>>>
> [...]
>>>
>>> Could a CVE please be assigned to this issue?
>>
>> Actually, that fix only changes the permissions on database files
>> that were migrated from previous versions, it doesn't fix
>> permissions on newly created database files.
>>
>> It would appear python-keyring still creates new database files
>> with inappropriate permissions.
>>
>
> New bug report seems to be at [1], I assume. Has there already been
> a CVE assigned actually?
>
> [1]
> http://bitbucket.org/kang/python-keyring-lib/issue/76/insecure-database-file-permissions
>
>
> (with patches attached too)
>
>> Marc.
>
> Thanks, Matthias
Please use CVE-2012-5578 for this issue, Python keyring 0.10 new
keyring creation file permissions, due to partial fix for CVE-2012-5577.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
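
The difference the thread describes between fixing permissions on migrated files and on newly created ones, as an added example that is not python-keyring's code and not part of the original messages. The file names and the pinned umask of 022 are assumptions made for the demonstration.

```python
import os
import stat
import tempfile


def create_default(path, data):
    # Risky pattern: open() creates the file as 0666 & ~umask (0644 under umask 022).
    with open(path, "wb") as fh:
        fh.write(data)


def create_private(path, data):
    # Owner-only from the moment the file exists; O_EXCL refuses a pre-existing path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def exposed_bits(path):
    # Group/other permission bits still set on the file; 0 means owner-only.
    return stat.S_IMODE(os.lstat(path).st_mode) & 0o077


def demo():
    old_umask = os.umask(0o022)  # common default, pinned so the result is repeatable
    try:
        with tempfile.TemporaryDirectory() as d:
            migrated = os.path.join(d, "migrated.db")     # hypothetical file names
            new_default = os.path.join(d, "new_default.db")
            new_private = os.path.join(d, "new_private.db")
            create_default(migrated, b"constructed sample data")
            before = exposed_bits(migrated)
            os.chmod(migrated, 0o600)                     # migration-time fix only
            create_default(new_default, b"constructed sample data")
            create_private(new_private, b"constructed sample data")
            return {
                "migrated_before": before,
                "migrated_after": exposed_bits(migrated),
                "new_default": exposed_bits(new_default),
                "new_private": exposed_bits(new_private),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, bits in demo().items():
        print(f"{name}: group/other bits = {bits:03o}")
```

A chmod applied during migration leaves every file created afterwards with the default mode, which is why the creation path itself has to request 0600.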