pypirc created insecurely

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

Python 2.6 through 3.2 creates the ~/.pypirc configuration file with world-readable permissions and only restricts them after the data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.

Dates:

  • Disclosure date: 2011-11-30 (Python issue bpo-13512 reported)

Fixed In

Python issue

~/.pypirc created insecurely.

  • Python issue: bpo-13512
  • Creation date: 2011-11-30
  • Reporter: Vincent Danen

CVE-2011-4944

Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.
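The shape of the race described above next to a hardened replacement, as an added example (not distutils' own code or the commit e5567cc patch). It assumes a POSIX host, uses constructed sample credentials, and has demo() fix the umask only so the observed modes are reproducible.

```python
import os
import stat
import tempfile

# Constructed sample credentials for the demonstration; not real values.
SAMPLE_PYPIRC = "[pypi]\nusername:alice\npassword:not-a-real-password\n"

def write_pypirc_racy(path, contents=SAMPLE_PYPIRC, observe=None):
    """Vulnerable shape: created with 0o666 & ~umask (typically 0o644), secret
    written, mode tightened last. `observe` stands in for a concurrent reader."""
    with open(path, "w") as f:
        f.write(contents)
    if observe is not None:
        observe(path)          # what another local user sees in the window
    os.chmod(path, 0o600)      # too late: the secret was already readable

def write_pypirc_safe(path, contents=SAMPLE_PYPIRC):
    """Hardened shape: the kernel creates the file as 0o600 in the open() call
    itself, so there is no moment at which group or others can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:   # fdopen now owns and closes fd
        os.fchmod(fd, 0o600)        # covers a pre-existing file (O_CREAT mode applies only on creation)
        f.write(contents)

def file_mode(path):
    """Permission bits of `path`, e.g. 0o644 or 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)

def pypirc_is_private(path):
    """Audit check: True only if neither group nor others have any access."""
    return file_mode(path) & (stat.S_IRWXG | stat.S_IRWXO) == 0

def demo(umask=0o022):
    """Run both writers under a fixed umask (for reproducibility); return
    (mode seen during the racy window, safe file's mode, safe file private?)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            seen = []
            write_pypirc_racy(os.path.join(d, "racy"), observe=lambda p: seen.append(file_mode(p)))
            safe = os.path.join(d, "safe")
            write_pypirc_safe(safe)
            return seen[0], file_mode(safe), pypirc_is_private(safe)
    finally:
        os.umask(old)

if __name__ == "__main__":
    print("racy window mode, safe mode, safe private:", demo())
```

Under the default umask 0o022 the racy writer leaves the file at 0o644 while the credentials are already on disk; with a restrictive umask such as 0o077 the window happens to be closed, which is why relying on the caller's umask is not a fix.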

Timeline

Timeline using the disclosure date 2011-11-30 as reference:

  • 2011-11-30: Python issue bpo-13512 reported by Vincent Danen
  • 2012-07-03 (+216 days): commit e5567cc (branch 2.6)
  • 2012-08-27 (+271 days): CVE-2011-4944 published
  • 2013-04-06 (+493 days): Python 2.7.4 released
  • 2013-04-06 (+493 days): Python 3.2.4 released
  • 2013-04-06 (+493 days): Python 3.3.1 released
  • 2014-03-16: Python 3.4.0 released