
List:       oss-security
Subject:    Re: [oss-security] CVE Request: Python keyring
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-11-27 7:32:10
Message-ID: 50B46C7A.2000505 () redhat ! com

On 11/22/2012 06:38 AM, Matthias Weckbecker wrote:
> Hi Marc,
> 
> On Monday 19 November 2012 17:09:07 Marc Deslauriers wrote:
>> On 12-11-16 11:14 AM, Marc Deslauriers wrote:
>>> Hello,
>>> 
>>> Python keyring before 0.10 created keyring files world-readable
>>> by default.
>>> 
> [...]
>>> 
>>> Could a CVE please be assigned to this issue?
>> 
>> Actually, that fix only changes the permissions on database files
>> that were migrated from previous versions, it doesn't fix
>> permissions on newly created database files.
>> 
>> It would appear python-keyring still creates new database files
>> with inappropriate permissions.
>> 
> 
> New bug report seems to be at [1], I assume. Has there already been
> a CVE assigned actually?
> 
> [1]
> http://bitbucket.org/kang/python-keyring-lib/issue/76/insecure-database-file-permissions
> (with patches attached too)
> 
>> Marc.
> 
> Thanks, Matthias

Please use CVE-2012-5578 for this issue, Python keyring 0.10 new
keyring creation file permissions, due to partial fix for CVE-2012-5577.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

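
The gap described in this thread, as an added example that is not part of the original messages and is not python-keyring's code: a chmod applied to files that already exist does nothing for files created later with a plain open(), while creating the file with an explicit 0600 mode closes the window. All function and file names are hypothetical, the secret is constructed sample data, and a POSIX system is assumed.

```python
import os
import stat
import tempfile

SECRET = b"constructed sample secret\n"  # sample data, not a real credential

def create_default(path, data):
    """Weak pattern: the mode is 0666 minus the umask, typically 0644."""
    with open(path, "wb") as fh:
        fh.write(data)

def migrate_fix(path):
    """Partial-fix pattern: tightens a file that already exists, nothing else."""
    if os.path.exists(path):
        os.chmod(path, 0o600)

def create_private(path, data):
    """Hardened pattern: owner-only from the moment the file exists."""
    # O_EXCL refuses to reuse a file someone else pre-created at this path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def exposed_bits(path):
    """Group/other permission bits set on path; 0 means owner-only."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO)

def demo():
    """Return exposed bits for (migrated file, new default file, new private file)."""
    old_umask = os.umask(0o022)  # common default, pinned so the run is repeatable
    try:
        with tempfile.TemporaryDirectory() as d:
            migrated = os.path.join(d, "old_keyring.cfg")
            fresh = os.path.join(d, "new_keyring.cfg")
            private = os.path.join(d, "private_keyring.cfg")
            create_default(migrated, SECRET)  # file left by an older version
            migrate_fix(migrated)             # upgrade tightens it
            create_default(fresh, SECRET)     # new file is created after the fix ran
            create_private(private, SECRET)
            return exposed_bits(migrated), exposed_bits(fresh), exposed_bits(private)
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    for label, bits in zip(("migrated", "new default", "new private"), demo()):
        print(f"{label:12} exposed bits: {bits:04o}")
```

exposed_bits() can also be pointed at an existing keyring file to check whether it is readable by group or other.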