Hello, I may have found a security flaw in dev-python/pyzor 0.4.0-r1 under Gentoo. pyzor is used by spamassassin to detect SPAM. Here is what troubles me:

[root@www pyzor]$ls -la /usr/lib/python2.3/site-packages/pyzor/__init__.pyc
-rw-rw-rw- 1 root root 28516 Jun 12 2004 /usr/lib/python2.3/site-packages/pyzor/__init__.pyc

and

[root@www pyzor]$ls -la /usr/lib/python2.3/site-packages/pyzor/client.pyc
-rw-rw-rw- 1 root root 39884 Jun 12 2004 /usr/lib/python2.3/site-packages/pyzor/client.pyc

These binaries could be overwritten by any local user, which could affect amavis and spamassassin. Maybe it is possible to execute arbitrary code or gain new privileges.

Regards

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Expected Results:
Not world writable
Python, please provide a fixed ebuild.
Actually reassigning.....
Python team: please confirm/fix
I can't seem to reproduce this problem. emerge pyzor doesn't generate the *.py[co] files in the current ebuilds, and python sets the mode to 644 when writing the *.py[co] files. Reporter, please remove the *.py[co] files and see if you can reproduce this problem.
The only way I'm able to reproduce this problem is if I set umask=000 before importing pyzor for the first time. So this looks to be a local problem. Romang, please make sure your umask is 022 and see if you can reproduce the problem. Just running umask should show the current umask. To reproduce it, just rm the .pyc file, start python and 'import pyzor'.
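The umask explanation above, turned into a check a maintainer could run: this is an added example, not code from the bug report or from pyzor. It audits a site-packages tree for world-writable *.py[co] files the way the reporter's `ls -la` did, and shows that a file created with a 0666 request (the pattern Python 2.3 used for *.pyc) comes out 0644 under umask 022 and 0666 under umask 000. The directory layout it builds is constructed for the demonstration.

```python
# Added example, not from the bug report: automates the reporter's `ls -la`
# check over a whole site-packages tree and shows how the process umask
# decides the mode of a file created with a 0666 request, which is how
# Python 2.3 wrote *.pyc files.
import os
import shutil
import stat
import tempfile


def find_world_writable(root, suffixes=(".py", ".pyc", ".pyo")):
    """Return sorted paths under `root` that any local user could modify."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never report a symlink for its target's mode
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def create_with_umask(path, umask):
    """Create `path` with a 0666 request under `umask`; return the mode set (022 -> 0644, 000 -> 0666)."""
    old = os.umask(umask)
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666))
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Build a constructed pyzor tree, audit it, return (modes, relative hits)."""
    root = tempfile.mkdtemp(prefix="pyzor-audit-")
    try:
        pkg = os.path.join(root, "pyzor")
        os.mkdir(pkg)
        # Constructed files: one written under a sane umask, two under umask 000.
        modes = (create_with_umask(os.path.join(pkg, "__init__.py"), 0o022),
                 create_with_umask(os.path.join(pkg, "__init__.pyc"), 0o000),
                 create_with_umask(os.path.join(pkg, "client.pyc"), 0o000))
        hits = [os.path.relpath(p, root) for p in find_world_writable(root)]
    finally:
        shutil.rmtree(root)
    return modes, hits
```

Calling `find_world_writable("/usr/lib/python2.3/site-packages")` on a real system lists exactly the files the reporter found by hand; `demo()` returns the two umask-000 files and nothing else.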
Reporter, please reopen if you can reproduce