Bugzilla – Bug 791482
VUL-1: CVE-2012-5578: python-keyring: insecure permissions for file creation
Last modified: 2015-09-01 14:40:05 UTC
Keyring files are being created world-readable with v <= 0.10. The original report by Marc Deslauriers can be found here [1]. The upstream report is available on bitbucket.org [2] (patches included).

[1] http://seclists.org/oss-sec/2012/q4/26
[2] https://bitbucket.org/kang/python-keyring-lib/issue/67/set-go-rwx-on-keyring_passcfg
Only affects SDK.
[1] should have actually been: http://seclists.org/oss-sec/2012/q4/308 (I cannot edit the description anymore, unfortunately.)

[2] should be: https://bitbucket.org/kang/python-keyring-lib/issue/76/insecure-database-file-permissions which also includes the necessary patches.

Sorry for the mess.
python-keyring 0.2 (as used with SLE11 (SDK)) uses a static test_pass.cfg file. From the patch at [2] it looks like this has meanwhile been fixed too, but this has obviously not been the case from the very beginning (python-keyring 0.2 on SLE11 (SDK)):

    class FileKeyringTestCase(BackendBasicTestCase):
        [...]
        def setUp(self):
            [...]
            self.file_path = os.path.join(os.path.expanduser("~"),
                                          self.keyring.filename())

which is now (see [2]) turned into:

    self.keyring.file_path = self.tmp_keyring_file = os.path.join(
        tempfile.mkdtemp(), "test_pass.cfg")

This is a super minor issue given that
0) this only affects python-keyring's test suite, and
1) the file is placed in /home anyway,
but I wanted to mention it.
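The two points above, the keyring file being created world-readable (the bug in the description) and the test suite writing a static file under $HOME instead of a private temporary directory, as an added example that is not part of this bug report or of python-keyring's own code. It contrasts a plain open() write (mode 0o666 masked only by the process umask) with creation through os.open() at mode 0o600 followed by chmod, and uses tempfile.mkdtemp(), which creates its directory with mode 0o700, as the fixed test did. The file names, the INI-style sample content and the fake secrets are constructed for the demonstration; it assumes a POSIX filesystem.

```python
import os
import shutil
import stat
import tempfile

# Constructed sample of a keyring_pass.cfg-style INI file; the values are fake.
SAMPLE_KEYRING = "[example_service]\nalice = c2VjcmV0\n"


def write_keyring_insecure(path, data):
    """The pre-fix pattern: plain open() creates the file with mode 0o666
    masked only by the process umask, i.e. 0o644 under the common 022 umask,
    so every local user can read the stored secrets."""
    with open(path, "w") as f:
        f.write(data)


def write_keyring_secure(path, data):
    """Create or overwrite the keyring file so that only its owner can read it.

    The mode is applied at creation time by os.open(), so the file never
    exists with wider permissions; the chmod afterwards also tightens a file
    that already existed with a loose mode before this code ran.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:  # fdopen takes ownership of fd and closes it
        f.write(data)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def file_mode(path):
    """Permission bits of a path (e.g. 0o644) without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_readable(path):
    """True if group or other may read the file: the condition of this bug."""
    return bool(file_mode(path) & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    """Write the variants into a private temp directory and return their modes."""
    tmpdir = tempfile.mkdtemp()   # created with mode 0o700, unlike a static file under $HOME
    old_umask = os.umask(0o022)   # pin a common default umask so the insecure result is reproducible
    try:
        insecure = os.path.join(tmpdir, "keyring_pass_insecure.cfg")
        secure = os.path.join(tmpdir, "keyring_pass.cfg")
        preexisting = os.path.join(tmpdir, "keyring_pass_preexisting.cfg")

        write_keyring_insecure(insecure, SAMPLE_KEYRING)
        write_keyring_secure(secure, SAMPLE_KEYRING)
        # A file that was already created loosely must be tightened on rewrite.
        write_keyring_insecure(preexisting, SAMPLE_KEYRING)
        write_keyring_secure(preexisting, SAMPLE_KEYRING + "bob = aHVudGVyMg==\n")

        return {
            "tmpdir_mode": file_mode(tmpdir),
            "insecure_mode": file_mode(insecure),
            "insecure_world_readable": is_world_readable(insecure),
            "secure_mode": file_mode(secure),
            "secure_world_readable": is_world_readable(secure),
            "preexisting_mode": file_mode(preexisting),
        }
    finally:
        os.umask(old_umask)
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Passing the mode to os.open() is what closes the window: setting permissions with a chmod after a plain open() leaves the file briefly readable by everyone, and relying on the umask delegates the decision to the caller's environment. Checking is_world_readable() on the deployed keyring file is the quick audit for an installed version affected by this bug.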
Cloud uses updated versions; only the SDK is unfixed. Leaving as VUL-1.
Assigning to the maintainer of python-keyring. However, I think we can close this...
Agreed. The only vulnerable version we have is in SLE11 SP1 (SP3 has an updated version). Please reopen if we actually want the SLE11 SP1 fix.