| Summary: | <dev-lang/python-{2.6.6-r1,2.7.3-r1,3.2.3}: DoS or information disclosure (CVE-2011-4944, CVE-2012-2135) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

GLSAMaker/CVETool Bot
2012-08-24 22:43:02 UTC

CVE-2011-4944 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4944): Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.

Chris Reffett (comment #2)

2.6: affects <=2.6.5. Nothing vulnerable in tree.
2.7: affects <=2.7.2. Nothing vulnerable in tree.
3.0: irrelevant.
3.1: affects 3.1.5, but that's masked for removal.
3.2: affects =3.2. Nothing vulnerable.
3.3: unaffected.

@security team: worth a GLSA at this point?

(In reply to Chris Reffett from comment #2)
> 2.6: affects <=2.6.5. Nothing vulnerable in tree.
> 2.7: affects <=2.7.2. Nothing vulnerable in tree.
> 3.0: irrelevant.
> 3.1: affects 3.1.5, but that's masked for removal.
> 3.2: affects =3.2. Nothing vulnerable.
> 3.3: unaffected.
>
> @security team: worth a GLSA at this point?

As you said there is nothing to remove. The p.mask for 3.1.5 is enough.

Covered by GLSA 201401-04
Closing as fixed
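The race the CVE description refers to, shown as an added example that is not part of this bug report or of Python's own distutils code: the first writer reproduces the create-then-chmod pattern, the second creates the file with mode 0o600 from the outset. The `probe` callback, the `mode_during_write` helper and the sample credentials are constructed for this illustration and assume a POSIX system with the usual 0o022 umask.

```python
import os
import stat
import tempfile

# Constructed sample credentials; nothing here is real.
SAMPLE_PYPIRC = "[server-login]\nusername: alice\npassword: not-a-real-secret\n"

def write_pypirc_racy(path, contents, probe=None):
    """The pattern CVE-2011-4944 describes: open() creates the file with
    the process umask applied to 0o666 (0o644 under the usual 0o022),
    writes the credentials, and only afterwards tightens the mode. Until
    chmod runs any local user can read it. `probe` stands in for that
    other local process and is called inside the window."""
    with open(path, "w") as f:
        f.write(contents)
        if probe is not None:
            probe(path)
    os.chmod(path, 0o600)  # too late: the file was already world-readable

def write_pypirc_safe(path, contents, probe=None):
    """Hardened form: have the kernel create the file with mode 0o600 so it
    is private from the first instant. os.open's mode only applies to a
    newly created file, so any existing copy is removed first and O_EXCL
    guarantees this call really created the file (it also refuses a symlink)."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(contents)
        if probe is not None:
            probe(path)

def mode_during_write(writer, umask=0o022):
    """Run `writer` in a temporary directory under `umask` and return the
    permission bits a concurrent observer sees while the data is written."""
    seen = []
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            writer(os.path.join(d, ".pypirc"), SAMPLE_PYPIRC,
                   lambda p: seen.append(stat.S_IMODE(os.stat(p).st_mode)))
    finally:
        os.umask(old)
    return seen[0]

def world_readable(mode):
    return bool(mode & stat.S_IROTH)
```

Running both writers through `mode_during_write` shows the racy version at 0o644 while the credentials are on disk and the hardened version at 0o600 throughout.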