Bug 864747 - <dev-lang/python-{3.8.13_p6,3.9.13_p4,3.10.6_p2} <dev-python/pypy3-7.3.9_p5: cookie files created by {LWP,Mozilla}CookieJar.save() are world-readable
Summary: <dev-lang/python-{3.8.13_p6,3.9.13_p4,3.10.6_p2} <dev-python/pypy3-7.3.9_p5: ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa+]
Keywords:
Depends on: 864741 864743 864745 864781
Blocks:
Reported: 2022-08-10 06:08 UTC by Michał Górny
Modified: 2023-05-03 09:34 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 06:08:50 UTC
Quoting the backport PR:

```
Cookies can store sensitive information and should therefore be protected
against unauthorized third parties. This is also described in issue #79096.

The filesystem permissions are currently set to 644, so everyone can read the
file. This commit changes the permissions to 600, so only the creator of the file
can read and modify it. This improves security, because it reduces the attack
surface. Now the attacker needs control of the user that created the cookie or
a way to circumvent the filesystem permissions.

This change is backwards incompatible. Systems that rely on world-readable
cookies will break. However, one could argue that those are misconfigured in
the first place.
```

It was included in 3.11 but not older branches.  I suppose we should backport it.
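As an added example (not part of the bug report or of the upstream patch), a wrapper that creates the cookie file with mode 0600 before calling save(), so the result is private even on an interpreter without the backport, plus an audit helper that flags cookie files already on disk with group/other permission bits. The names save_private, audit_cookie_files and make_sample_jar, and the sample cookie, are constructed for this illustration.

```python
import http.cookiejar
import os
import stat
import tempfile

def make_sample_jar():
    """Jar holding one constructed cookie; placeholder values, not from any real site."""
    jar = http.cookiejar.MozillaCookieJar()
    jar.set_cookie(http.cookiejar.Cookie(
        version=0, name="session", value="constructed-secret",
        port=None, port_specified=False,
        domain="example.com", domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True, secure=True,
        expires=None, discard=True, comment=None, comment_url=None, rest={},
    ))
    return jar

def cookie_file_is_private(path):
    """True when no group/other permission bits are set (the 0600 the fix enforces)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def save_private(jar, path):
    """Save so the file ends up 0600 even on an interpreter without the fix.

    Unpatched *CookieJar.save() uses plain open(path, "w"): a new file gets
    0666 & ~umask (usually 0644) and an existing file keeps its old mode.
    Creating with 0600 first and chmod'ing explicitly covers both cases.
    """
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600))
    os.chmod(path, 0o600)
    jar.save(path, ignore_discard=True, ignore_expires=True)  # only truncates/rewrites now
    return cookie_file_is_private(path)

def audit_cookie_files(paths):
    """Cookie files among `paths` that are group- or world-accessible."""
    return [p for p in paths if os.path.exists(p) and not cookie_file_is_private(p)]

def run_demo():
    """Exercise the helpers in a temp dir and return what was observed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cookies.txt")
        out = {"private_after_save": save_private(make_sample_jar(), path)}
        out["loose_before"] = len(audit_cookie_files([path]))
        os.chmod(path, 0o644)  # simulate a file left behind by an unpatched save()
        out["loose_after"] = len(audit_cookie_files([path]))
        out["private_after_resave"] = save_private(make_sample_jar(), path)
    return out

if __name__ == "__main__":
    print(run_demo())
```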
Comment 1 Larry the Git Cow gentoo-dev 2022-08-10 07:53:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18e9bfa49ff42a6e2f90e8f024d9c989434d4729

commit 18e9bfa49ff42a6e2f90e8f024d9c989434d4729
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 07:47:57 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 07:52:58 +0000

    dev-lang/python: Backport *CookieJar secfix to 3.10.6_p2
    
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.10.6_p2.ebuild | 408 ++++++++++++++++++++++++++++++++
 2 files changed, 409 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-08-10 08:52:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bbfa55a2c003914439f48b32a7d9f543300ef82

commit 2bbfa55a2c003914439f48b32a7d9f543300ef82
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 08:48:29 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 08:52:51 +0000

    dev-lang/python: Backport *CookieJar secfix to 3.8.13_p6
    
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.8.13_p6.ebuild | 349 ++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d516b53713661a7321c26caf7a0ea5101f5a0023

commit d516b53713661a7321c26caf7a0ea5101f5a0023
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 08:43:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 08:52:50 +0000

    dev-lang/python: Backport *CookieJar secfix to 3.9.13_p4
    
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.9.13_p4.ebuild | 403 ++++++++++++++++++++++++++++++++
 2 files changed, 404 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2022-08-10 09:31:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53de9a0c1a9392749b46e9b326516023b3dcbcdc

commit 53de9a0c1a9392749b46e9b326516023b3dcbcdc
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 09:28:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 09:28:47 +0000

    dev-python/pypy3: Backport secfixes to 7.3.9_p5
    
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pypy3/Manifest              |   1 +
 dev-python/pypy3/pypy3-7.3.9_p5.ebuild | 210 +++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 15:56:36 UTC
Python 2.7 is affected too (in Lib/_*CookieJar.py).
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-25 07:42:32 UTC
Cleanup done.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-19 01:15:40 UTC
GLSA requested
Comment 7 Larry the Git Cow gentoo-dev 2023-05-03 09:32:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=721dfacf17914fe5f7bfa3d0b401379d6318f7b1

commit 721dfacf17914fe5f7bfa3d0b401379d6318f7b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:12:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

    [ GLSA 202305-02 ] Python, PyPy3: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/787260
    Bug: https://bugs.gentoo.org/793833
    Bug: https://bugs.gentoo.org/811165
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/835443
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Bug: https://bugs.gentoo.org/876815
    Bug: https://bugs.gentoo.org/877851
    Bug: https://bugs.gentoo.org/878385
    Bug: https://bugs.gentoo.org/880629
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-02.xml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)