pypirc created insecurely

Python 2.6 through 3.2 creates ~/.pypirc configuration file with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.

Dates:

• Disclosure date: 2011-11-30 (Python issue bpo-13512 reported)

Fixed In

• Python 2.7.4 (2013-04-06) fixed by commit e5567cc (branch 2.6) (2012-07-03)
• Python 3.2.4 (2013-04-07) fixed by commit e5567cc (branch 2.6) (2012-07-03)
• Python 3.3.1 (2013-04-07) fixed by commit e5567cc (branch 2.6) (2012-07-03)
• Python 3.4.0 (2014-03-16) fixed by commit e5567cc (branch 2.6) (2012-07-03)

Python issue

~/.pypirc created insecurely.

• Python issue: bpo-13512
• Creation date: 2011-11-30
• Reporter: Vincent Danen

CVE-2011-4944

Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.

• CVE ID: CVE-2011-4944
• Published: 2012-08-27
• CVSS Score: 1.9

Timeline

Timeline using the disclosure date 2011-11-30 as reference:

• 2011-11-30: Python issue bpo-13512 reported by Vincent Danen
• 2012-07-03 (+216 days): commit e5567cc (branch 2.6)
• 2012-08-27 (+271 days): CVE-2011-4944 published
• 2013-04-06 (+493 days): Python 2.7.4 released
• 2013-04-07 (+494 days): Python 3.2.4 released
• 2013-04-07 (+494 days): Python 3.3.1 released
• 2014-03-16: Python 3.4.0 released