pypirc created insecurely
Python 2.6 through 3.2 creates the ~/.pypirc configuration file with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.
- Disclosure date: 2011-11-30 (Python issue bpo-13512 reported)
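The race the description refers to, shown as an added illustration that is not CPython's own code: the insecure create, write, then chmod sequence beside a version that requests mode 0o600 in the create call itself, so no world-readable state ever exists. It assumes a POSIX system; the file names and the credential text are constructed.

```python
import os
import stat
import tempfile


def _mode(path):
    """Return only the permission bits of path (e.g. 0o644)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def store_then_chmod(path, content, umask=0o022):
    """Insecure pattern from the advisory: the file is created with the
    umask-derived default mode, data is written, and only then is the
    mode tightened.  Returns the mode visible during that window."""
    old = os.umask(umask)
    try:
        f = open(path, "w")          # created as 0o666 & ~umask = 0o644
    finally:
        os.umask(old)
    with f:
        exposed_mode = _mode(path)   # any local user can read it here
        f.write(content)
    os.chmod(path, 0o600)            # too late: the window already passed
    return exposed_mode


def store_private(path, content, umask=0o022):
    """Hardened pattern: pass 0o600 to the create call, so the kernel
    never exposes the file with broader permissions."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    finally:
        os.umask(old)
    with os.fdopen(fd, "w") as f:
        created_mode = _mode(path)   # already 0o600 before any write
        f.write(content)
    return created_mode


def demo():
    """Run both patterns in a scratch directory; return the observed modes."""
    # Constructed sample credential block; not a real account.
    sample = "[pypi]\nusername: example\npassword: not-a-real-password\n"
    with tempfile.TemporaryDirectory() as d:
        bad = store_then_chmod(os.path.join(d, "bad.pypirc"), sample)
        good = store_private(os.path.join(d, "good.pypirc"), sample)
    return bad, good
```

Under umask 0o022 the insecure path briefly leaves the file at 0o644, which is what a second local process could read; the hardened path reports 0o600 from the first instant the file exists.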
Fixed In
- Python 2.7.4 (2013-04-06) fixed by commit e5567cc (branch 2.6) (2012-07-03)
- Python 3.2.4 (2013-04-07) fixed by commit e5567cc (branch 2.6) (2012-07-03)
- Python 3.3.1 (2013-04-07) fixed by commit e5567cc (branch 2.6) (2012-07-03)
- Python 3.4.0 (2014-03-16) fixed by commit e5567cc (branch 2.6) (2012-07-03)
Python issue
~/.pypirc created insecurely.
- Python issue: bpo-13512
- Creation date: 2011-11-30
- Reporter: Vincent Danen
CVE-2011-4944
Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.
- CVE ID: CVE-2011-4944
- Published: 2012-08-27
- CVSS Score: 1.9
Timeline
Timeline using the disclosure date 2011-11-30 as reference:
- 2011-11-30: Python issue bpo-13512 reported by Vincent Danen
- 2012-07-03 (+216 days): commit e5567cc (branch 2.6)
- 2012-08-27 (+271 days): CVE-2011-4944 published
- 2013-04-06 (+493 days): Python 2.7.4 released
- 2013-04-07 (+494 days): Python 3.2.4 released
- 2013-04-07 (+494 days): Python 3.3.1 released
- 2014-03-16: Python 3.4.0 released