Quoting the backport PR:

```
Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue #79096.

The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creator of the file can read and modify it.

This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a way to circumvent the filesystem's permissions.

This change is backwards incompatible. Systems that rely on world-readable cookies will break. However, one could argue that those are misconfigured in the first place.
```

It was included in 3.11 but not older branches. I suppose we should backport it.
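The 644-versus-600 point above, as an added example that is not part of the bug report or of CPython's own patch: a check that reports whether a saved cookie file is readable by other users, and a wrapper that pre-creates the file with mode 0600 so that even an unpatched interpreter's `jar.save()` cannot leave it world-readable. The helper names and the sample cookie are constructed for this illustration.

```python
import os
import stat
import tempfile
from http.cookiejar import Cookie, MozillaCookieJar

PRIVATE_MODE = 0o600

def cookie_file_mode(path):
    """Permission bits of a cookie file, e.g. 0o644 (world-readable) or 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)

def is_private(path):
    """True when neither group nor others have any access to the file."""
    return cookie_file_mode(path) & (stat.S_IRWXG | stat.S_IRWXO) == 0

def save_private(jar, path):
    """Save a cookie jar so the file is never readable by other users.

    The file is created (or an existing one re-opened) with mode 0600 before
    the path is handed to jar.save(), so an interpreter that still uses a
    plain open(path, "w") inherits the restrictive mode instead of the umask
    default; fchmod also tightens a file that already existed with 0644.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, PRIVATE_MODE)
    try:
        os.fchmod(fd, PRIVATE_MODE)
    finally:
        os.close(fd)
    jar.save(path, ignore_discard=True)

def demo_cookie_modes():
    """Write one file the pre-fix way and one jar the hardened way; return modes."""
    jar = MozillaCookieJar()
    # Constructed sample cookie; the value is not a real session token.
    jar.set_cookie(Cookie(0, "session", "constructed-value", None, False,
                          "example.com", True, False, "/", True, False,
                          None, False, None, None, {}))
    old_umask = os.umask(0o022)  # the usual default, so the modes are deterministic
    try:
        with tempfile.TemporaryDirectory() as tmp:
            loose = os.path.join(tmp, "cookies-loose.txt")
            with open(loose, "w") as fh:  # pre-fix pattern: mode follows the umask
                fh.write("# Netscape HTTP Cookie File\n")
            private = os.path.join(tmp, "cookies-private.txt")
            save_private(jar, private)
            return {"loose": cookie_file_mode(loose), "loose_ok": is_private(loose),
                    "private": cookie_file_mode(private), "private_ok": is_private(private)}
    finally:
        os.umask(old_umask)
```

`is_private()` is the check to run over existing cookie files on a system that has not yet received the backport; the fix itself only changes how new files are created, it does not retroactively tighten files already on disk.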
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18e9bfa49ff42a6e2f90e8f024d9c989434d4729

commit 18e9bfa49ff42a6e2f90e8f024d9c989434d4729
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 07:47:57 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 07:52:58 +0000

    dev-lang/python: Backport *CookieJar secfix to 3.10.6_p2

    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.10.6_p2.ebuild | 408 ++++++++++++++++++++++++++++++++
 2 files changed, 409 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bbfa55a2c003914439f48b32a7d9f543300ef82

commit 2bbfa55a2c003914439f48b32a7d9f543300ef82
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 08:48:29 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 08:52:51 +0000

    dev-lang/python: Backport *CookieJar secfix to 3.8.13_p6

    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.8.13_p6.ebuild | 349 ++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d516b53713661a7321c26caf7a0ea5101f5a0023

commit d516b53713661a7321c26caf7a0ea5101f5a0023
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 08:43:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 08:52:50 +0000

    dev-lang/python: Backport *CookieJar secfix to 3.9.13_p4

    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.9.13_p4.ebuild | 403 ++++++++++++++++++++++++++++++++
 2 files changed, 404 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53de9a0c1a9392749b46e9b326516023b3dcbcdc

commit 53de9a0c1a9392749b46e9b326516023b3dcbcdc
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 09:28:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 09:28:47 +0000

    dev-python/pypy3: Backport secfixes to 7.3.9_p5

    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pypy3/Manifest              |   1 +
 dev-python/pypy3/pypy3-7.3.9_p5.ebuild | 210 +++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)
Python 2.7 is affected too (in Lib/_*CookieJar.py).
cleanup done.
GLSA requested
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=721dfacf17914fe5f7bfa3d0b401379d6318f7b1

commit 721dfacf17914fe5f7bfa3d0b401379d6318f7b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:12:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

    [ GLSA 202305-02 ] Python, PyPy3: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/787260
    Bug: https://bugs.gentoo.org/793833
    Bug: https://bugs.gentoo.org/811165
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/835443
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Bug: https://bugs.gentoo.org/876815
    Bug: https://bugs.gentoo.org/877851
    Bug: https://bugs.gentoo.org/878385
    Bug: https://bugs.gentoo.org/880629
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-02.xml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)