CVE-2011-4944: pypirc created insecurely

Python 2.6 through 3.2 creates the ~/.pypirc configuration file with world-readable permissions and only tightens them after the data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file during that window.

  • Disclosure date: 2011-11-30 (Python issue #13512 reported)

Fixed In

Python issue

~/.pypirc created insecurely.

  • Python issue: issue #13512
  • Creation date: 2011-11-30
  • Reporter: Vincent Danen

CVE-2011-4944

Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions and only tightens them after the data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file during that window.
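
The create-then-chmod pattern described above beside a hardened form that passes 0600 to os.open at creation time, as an added example written for this page (not the distutils code or the patch in commit e5567cc); the helper names, the scratch paths and the sample credentials are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample content; in CVE-2011-4944 the file held PyPI credentials.
SAMPLE_PYPIRC = "[pypi]\nusername:alice\npassword:not-a-real-secret\n"


def write_pypirc_vulnerable(path, content):
    """The pattern CVE-2011-4944 describes: create with the umask default,
    write the secret, and only then tighten permissions.
    Returns the mode bits the file had while the data was being written."""
    with open(path, "w") as f:
        f.write(content)
        f.flush()
        mode_during_write = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, 0o600)  # too late: the window above already existed
    return mode_during_write


def write_pypirc_hardened(path, content):
    """Create the file with 0600 from the first instant via os.open's mode
    argument, so no moment exists at which another local user can read it.
    Hypothetical helper written for this page."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
        f.flush()
        mode_during_write = stat.S_IMODE(os.stat(path).st_mode)
    # os.open's mode only applies to newly created files; an existing ~/.pypirc
    # left behind with loose permissions must still be tightened explicitly.
    os.chmod(path, 0o600)
    return mode_during_write


def compare_under_umask(umask=0o022):
    """Run both writers in a scratch directory under the given umask and return
    (mode seen during the vulnerable write, mode seen during the hardened write)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            vuln = write_pypirc_vulnerable(os.path.join(d, "pypirc_vuln"), SAMPLE_PYPIRC)
            safe = write_pypirc_hardened(os.path.join(d, "pypirc_safe"), SAMPLE_PYPIRC)
    finally:
        os.umask(old)
    return vuln, safe


if __name__ == "__main__":
    print("modes during write (vulnerable, hardened): %o, %o" % compare_under_umask())
```

Under the common umask 022 the vulnerable writer exposes the credentials as mode 0644 while they are being written; the hardened writer never leaves 0600, whatever the umask.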

Timeline

Timeline using the disclosure date 2011-11-30 as reference:

  • 2011-11-30: Python issue #13512 reported by Vincent Danen
  • 2012-07-03 (+216 days): commit e5567cc
  • 2012-08-27 (+271 days): CVE-2011-4944 published
  • 2013-04-06 (+493 days): Python 2.7.4 released
  • 2013-04-07 (+494 days): Python 3.2.4 released
  • 2013-04-07 (+494 days): Python 3.3.1 released
  • 2014-03-16: Python 3.4.0 released