.. _pypirc-created-insecurely:

pypirc created insecurely
=========================

.. warning::
   This resource is maintained for historical reference and **does not contain
   the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_
   is available on GitHub in the Open Source Vulnerability (OSV) format.

   This vulnerability can be viewed online at the `Open Source Vulnerability Database `_.

Python 2.6 through 3.2 creates the ``~/.pypirc`` configuration file with
world-readable permissions before changing them after data has been written,
which introduces a race condition that allows local users to obtain a username
and password by reading this file.

Dates:

* Disclosure date: **2011-11-30** (Python issue bpo-13512 reported)

Fixed In
--------

* Python **2.7.4** (2013-04-06) fixed by `commit e5567cc (branch 2.6) `_ (2012-07-03)
* Python **3.2.4** (2013-04-06) fixed by `commit e5567cc (branch 2.6) `_ (2012-07-03)
* Python **3.3.1** (2013-04-06) fixed by `commit e5567cc (branch 2.6) `_ (2012-07-03)
* Python **3.4.0** (2014-03-16) fixed by `commit e5567cc (branch 2.6) `_ (2012-07-03)

Python issue
------------

~/.pypirc created insecurely.

* Python issue: `bpo-13512 `_
* Creation date: 2011-11-30
* Reporter: Vincent Danen

CVE-2011-4944
-------------

Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions
before changing them after data has been written, which introduces a race
condition that allows local users to obtain a username and password by
reading this file.

* CVE ID: `CVE-2011-4944 `_
* Published: 2012-08-27
* `CVSS Score `_: 1.9

Timeline
--------

Timeline using the disclosure date **2011-11-30** as reference:

* 2011-11-30: `Python issue bpo-13512 `_ reported by Vincent Danen
* 2012-07-03 (**+216 days**): `commit e5567cc (branch 2.6) `_
* 2012-08-27 (**+271 days**): CVE-2011-4944 published
* 2013-04-06 (**+493 days**): Python 2.7.4 released
* 2013-04-06 (**+493 days**): Python 3.2.4 released
* 2013-04-06 (**+493 days**): Python 3.3.1 released
* 2014-03-16: Python 3.4.0 released
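The race condition described above, shown as an added example that is not part of this page or of the distutils fix itself: the insecure write-then-chmod pattern beside a writer that passes the restrictive mode to ``os.open`` at creation time. The ``.pypirc`` contents, the ``demo`` helper and the fixed umask are constructed for the illustration; it assumes a POSIX filesystem.

```python
import os
import stat
import tempfile

# Constructed sample in the ~/.pypirc layout; the credentials are placeholders.
PYPIRC_TEMPLATE = "[distutils]\nindex-servers =\n    pypi\n\n[pypi]\nusername:{}\npassword:{}\n"


def file_mode(path):
    """Permission bits of path as an integer, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_pypirc_insecure(path, username, password):
    """The pattern fixed in bpo-13512: open() creates the file with the process
    umask applied (commonly 0o644) and the mode is tightened only after the
    secret is on disk. Returns the mode a concurrent local reader would see."""
    with open(path, "w") as f:
        f.write(PYPIRC_TEMPLATE.format(username, password))
        f.flush()
        mode_during_write = file_mode(path)
    os.chmod(path, 0o600)  # too late: the data was already readable
    return mode_during_write


def write_pypirc_secure(path, username, password):
    """Create the file with mode 0o600 at creation time so no window exists.
    fchmod() before writing also covers a pre-existing file left with looser
    permissions, since O_TRUNC keeps the old mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)
        f.write(PYPIRC_TEMPLATE.format(username, password))
    return file_mode(path)


def demo(umask=0o022):
    """Run both writers in a scratch directory under a fixed umask and return
    (mode seen during the insecure write, final mode of the secure file)."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            insecure = write_pypirc_insecure(os.path.join(d, "pypirc-a"), "user", "example-password")
            secure = write_pypirc_secure(os.path.join(d, "pypirc-b"), "user", "example-password")
    finally:
        os.umask(old_umask)
    return insecure, secure  # (0o644, 0o600) under umask 0o022
```

Under a restrictive umask such as 0o077 the insecure writer happens to produce 0o600 as well, which is why the bug depended on the user's environment; the secure writer yields 0o600 regardless of umask.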