Bug 864747

Summary:	<dev-lang/python-{3.8.13_p6,3.9.13_p4,3.10.6_p2} <dev-python/pypy3-7.3.9_p5: cookie files created by {LWP,Mozilla}CookieJar.save() are world-readable
Product:	Gentoo Security	Reporter:	Michał Górny <mgorny>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	python
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://github.com/python/cpython/pull/93636
Whiteboard:	A4 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	864741, 864743, 864745, 864781
Bug Blocks:

Description Michał Górny archtester

2022-08-10 06:08:50 UTC

Quoting the backport PR:

```
Cookies can store sensitive information and should therefore be protected
against unauthorized third parties. This is also described in issue #79096.

The filesystem permissions are currently set to 644, everyone can read the
file. This commit changes the permissions to 600, only the creater of the file
can read and modify it. This improves security, because it reduces the attack
surface. Now the attacker needs control of the user that created the cookie or
a ways to circumvent the filesystems permissions.

This change is backwards incompatible. Systems that rely on world-readable
cookies will breake. However, one could argue that those are misconfigured in
the first place.
```

It was included in 3.11 but not older branches.  I suppose we should backport it.

Comment 1 Larry the Git Cow gentoo-dev

2022-08-10 07:53:03 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18e9bfa49ff42a6e2f90e8f024d9c989434d4729

commit 18e9bfa49ff42a6e2f90e8f024d9c989434d4729
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 07:47:57 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 07:52:58 +0000

    dev-lang/python: Backport *CookieJar secfix to 3.10.6_p2
    
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.10.6_p2.ebuild | 408 ++++++++++++++++++++++++++++++++
 2 files changed, 409 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2022-08-10 08:52:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bbfa55a2c003914439f48b32a7d9f543300ef82

commit 2bbfa55a2c003914439f48b32a7d9f543300ef82
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 08:48:29 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 08:52:51 +0000

    dev-lang/python: Backport *CookieJar secfix to 3.8.13_p6
    
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.8.13_p6.ebuild | 349 ++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d516b53713661a7321c26caf7a0ea5101f5a0023

commit d516b53713661a7321c26caf7a0ea5101f5a0023
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 08:43:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 08:52:50 +0000

    dev-lang/python: Backport *CookieJar secfix to 3.9.13_p4
    
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.9.13_p4.ebuild | 403 ++++++++++++++++++++++++++++++++
 2 files changed, 404 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2022-08-10 09:31:29 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53de9a0c1a9392749b46e9b326516023b3dcbcdc

commit 53de9a0c1a9392749b46e9b326516023b3dcbcdc
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 09:28:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 09:28:47 +0000

    dev-python/pypy3: Backport secfixes to 7.3.9_p5
    
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pypy3/Manifest              |   1 +
 dev-python/pypy3/pypy3-7.3.9_p5.ebuild | 210 +++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)

Comment 4 Michał Górny archtester

2022-08-10 15:56:36 UTC

Python 2.7 is affected too (in Lib/_*CookieJar.py).

Comment 5 Michał Górny archtester

2022-08-25 07:42:32 UTC

cleanup done.

Comment 6 John Helmert III archtester

2022-11-19 01:15:40 UTC

GLSA requested

Comment 7 Larry the Git Cow gentoo-dev

2023-05-03 09:32:00 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=721dfacf17914fe5f7bfa3d0b401379d6318f7b1

commit 721dfacf17914fe5f7bfa3d0b401379d6318f7b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:12:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

    [ GLSA 202305-02 ] Python, PyPy3: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/787260
    Bug: https://bugs.gentoo.org/793833
    Bug: https://bugs.gentoo.org/811165
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/835443
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Bug: https://bugs.gentoo.org/876815
    Bug: https://bugs.gentoo.org/877851
    Bug: https://bugs.gentoo.org/878385
    Bug: https://bugs.gentoo.org/880629
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-02.xml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)