~/crypted_pass.cfg created with insecure permissions

Bug #1031465 reported by Jamie Strandboge
Affects                   Status        Importance  Assigned to        Milestone
python-keyring (Ubuntu)   Fix Released  Undecided   Marc Deslauriers
  Oneiric                 Fix Released  Undecided   Marc Deslauriers
  Precise                 Fix Released  Undecided   Marc Deslauriers
  Quantal                 Fix Released  Undecided   Marc Deslauriers
  Raring                  Fix Released  Undecided   Marc Deslauriers

Bug Description

When an application uses python-keyring, the ~/crypted_pass.cfg file is created if it doesn't already exist. This file is created with 664 permissions and should be created with 600 permissions.
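As an added illustration (not code from python-keyring or from the patches in this bug), the following Python contrasts a file created through plain open(), which inherits the umask default, with one created owner-only from the start, and adds a repair step for pre-existing files and directories plus a detection check; the temp directory and file names are constructed.

```python
import os
import stat
import tempfile

# Added example, not python-keyring code. A keyring database file must be
# created with owner-only permissions, not the umask default (typically 664).

def create_private_file(path, data):
    """Create path with mode 0600 from the start (umask can only clear bits)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def ensure_private(path):
    """Tighten an existing file (0600) or directory (0700), the case a fix
    that only handles newly migrated files would miss."""
    st = os.stat(path)
    desired = 0o700 if stat.S_ISDIR(st.st_mode) else 0o600
    if stat.S_IMODE(st.st_mode) != desired:
        os.chmod(path, desired)

def is_group_or_world_accessible(path):
    """Detection check: True if any group/other permission bit is set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def demo():
    """Create a keyring-style file both ways in a constructed temp dir."""
    d = tempfile.mkdtemp()  # mkdtemp already uses mode 0700
    insecure = os.path.join(d, "crypted_pass_insecure.cfg")
    secure = os.path.join(d, "crypted_pass.cfg")
    old = os.umask(0o002)  # typical Ubuntu default umask
    try:
        # The bug: plain open() yields 0666 & ~umask == 0664.
        with open(insecure, "wb") as f:
            f.write(b"[keyring-setting]\n")
        create_private_file(secure, b"[keyring-setting]\n")
    finally:
        os.umask(old)
    before = stat.S_IMODE(os.stat(insecure).st_mode)
    ensure_private(insecure)  # repair path for pre-existing files
    return {
        "insecure_before": before,
        "insecure_after": stat.S_IMODE(os.stat(insecure).st_mode),
        "secure": stat.S_IMODE(os.stat(secure).st_mode),
        "secure_leaks": is_group_or_world_accessible(secure),
    }
```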

Marc Deslauriers (mdeslaur) wrote :
Changed in python-keyring (Ubuntu):
status: New → Triaged
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :
Changed in python-keyring (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-keyring (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-keyring (Ubuntu Raring):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-keyring (Ubuntu Precise):
status: New → Confirmed
Changed in python-keyring (Ubuntu Oneiric):
status: New → Confirmed
Changed in python-keyring (Ubuntu Quantal):
status: New → Confirmed
Changed in python-keyring (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-keyring - 0.9.2-1ubuntu1

---------------
python-keyring (0.9.2-1ubuntu1) raring; urgency=low

  * SECURITY UPDATE: insecure default file permissions (LP: #1031465)
    - debian/patches/file_permissions.patch: set appropriate file
      permissions on database file.
    - CVE number pending
  * debian/patches/fix_migration.patch: fix migration code so old databases
    get upgraded when a key is read. (LP: #1042754)
  * debian/patches/fix_unlock.patch: fix unlocking an existing keyring.
 -- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 09:40:11 -0500

Changed in python-keyring (Ubuntu Raring):
status: Triaged → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Actually, the upstream patch is incomplete... it only fixes permissions for files it has migrated.

Changed in python-keyring (Ubuntu Raring):
status: Fix Released → Confirmed
Marc Deslauriers (mdeslaur) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-keyring - 0.9.2-1ubuntu2

---------------
python-keyring (0.9.2-1ubuntu2) raring; urgency=low

  * debian/patches/file_permissions.patch: replaced with better patch that
    sets appropriate permissions on directory, and works with newly created
    database files too. (LP: #1031465)
 -- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 13:38:23 -0500

Changed in python-keyring (Ubuntu Raring):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-keyring - 0.9.2-0ubuntu0.12.04.2

---------------
python-keyring (0.9.2-0ubuntu0.12.04.2) precise-security; urgency=low

  * SECURITY UPDATE: CryptedFileKeyring format is insecure (LP: #1004845)
    - Rebuild python-keyring 0.9.2 from Ubuntu 12.10 as a security update
      for Ubuntu 12.04.
    - debian/patches/crypto_compat.patch: include PBKDF2() directly to be
      compatible with the older version of python-crypto in Ubuntu 12.04.
    - CVE-2012-4571
  * SECURITY UPDATE: insecure default file permissions (LP: #1031465)
    - debian/patches/file_permissions.patch: set appropriate permissions on
      database directory.
    - CVE number pending
  * debian/patches/fix_migration.patch: fix migration code so old
    databases get upgraded when a key is read. (LP: #1042754)
  * debian/patches/fix_unlock.patch: fix unlocking an existing keyring.
 -- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 12:50:49 -0500

Changed in python-keyring (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-keyring - 0.9.2-1ubuntu0.2

---------------
python-keyring (0.9.2-1ubuntu0.2) quantal-security; urgency=low

  * SECURITY UPDATE: insecure default file permissions (LP: #1031465)
    - debian/patches/file_permissions.patch: set appropriate permissions on
      database directory.
    - CVE number pending
  * debian/patches/fix_migration.patch: fix migration code so old databases
    get upgraded when a key is read. (LP: #1042754)
  * debian/patches/fix_unlock.patch: fix unlocking an existing keyring.
 -- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 11:41:19 -0500

Changed in python-keyring (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-keyring - 0.9.2-0ubuntu0.11.10.2

---------------
python-keyring (0.9.2-0ubuntu0.11.10.2) oneiric-security; urgency=low

  * SECURITY UPDATE: CryptedFileKeyring format is insecure (LP: #1004845)
    - Rebuild python-keyring 0.9.2 from Ubuntu 12.10 as a security update
      for Ubuntu 11.10.
    - debian/patches/crypto_compat.patch: include PBKDF2() directly to be
      compatible with the older version of python-crypto in Ubuntu 11.10.
    - debian/control, debian/rules, debian/*install: get rid of
      python3-keyring binary package as it didn't ship in Ubuntu 11.10.
    - CVE-2012-4571
  * SECURITY UPDATE: insecure default file permissions (LP: #1031465)
    - debian/patches/file_permissions.patch: set appropriate permissions on
      database directory.
    - CVE number pending
  * debian/patches/fix_migration.patch: fix migration code so old
    databases get upgraded when a key is read. (LP: #1042754)
  * debian/patches/fix_unlock.patch: fix unlocking an existing keyring.
 -- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 12:54:34 -0500

Changed in python-keyring (Ubuntu Oneiric):
status: Confirmed → Fix Released