~/crypted_pass.cfg created with insecure permissions

Reported by Jamie Strandboge on 2012-07-31
Affects                    Status   Importance   Assigned to        Milestone
python-keyring (Ubuntu)             Undecided    Marc Deslauriers
  Oneiric                           Undecided    Marc Deslauriers
  Precise                           Undecided    Marc Deslauriers
  Quantal                           Undecided    Marc Deslauriers
  Raring                            Undecided    Marc Deslauriers

Bug Description

When an application uses python-keyring, the ~/crypted_pass.cfg file is created if it doesn't already exist. This file is created with 664 permissions and should be created with 600 permissions.

Changed in python-keyring (Ubuntu):
status: New → Triaged
visibility: private → public
Changed in python-keyring (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-keyring (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-keyring (Ubuntu Raring):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-keyring (Ubuntu Precise):
status: New → Confirmed
Changed in python-keyring (Ubuntu Oneiric):
status: New → Confirmed
Changed in python-keyring (Ubuntu Quantal):
status: New → Confirmed
Changed in python-keyring (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-keyring - 0.9.2-1ubuntu1

---------------
python-keyring (0.9.2-1ubuntu1) raring; urgency=low

  * SECURITY UPDATE: insecure default file permissions (LP: #1031465)
    - debian/patches/file_permissions.patch: set appropriate file
      permissions on database file.
    - CVE number pending
  * debian/patches/fix_migration.patch: fix migration code so old databases
    get upgraded when a key is read. (LP: #1042754)
  * debian/patches/fix_unlock.patch: fix unlocking an existing keyring.
 -- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 09:40:11 -0500

Changed in python-keyring (Ubuntu Raring):
status: Triaged → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Actually, the upstream patch is incomplete...it only fixes permissions for files it has migrated.

Changed in python-keyring (Ubuntu Raring):
status: Fix Released → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-keyring - 0.9.2-1ubuntu2

---------------
python-keyring (0.9.2-1ubuntu2) raring; urgency=low

  * debian/patches/file_permissions.patch: replaced with better patch that
    sets appropriate permissions on directory, and works with newly created
    database files too. (LP: #1031465)
 -- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 13:38:23 -0500
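
The bug description above (database file created with 664 instead of 600) and the 0.9.2-1ubuntu2 changelog entry (directory permissions, newly created files, and the earlier comment that the upstream patch only fixed migrated files) describe one defensive pattern: create a secrets file owner-only from the first instant, tighten its parent directory, and repair a pre-existing loose file. The following is an added illustration written for this page, not the python-keyring project's code or the Ubuntu patch; the paths are constructed under a temporary directory, the umask of 002 is assumed because it is the one that yields the 664 the report mentions, and the function names are hypothetical.

```python
import os
import stat
import tempfile

# Constructed example; the real file is ~/crypted_pass.cfg as named in the report.


def create_insecurely(path: str) -> int:
    """The pattern the report describes: a plain open() creates the file with
    mode 0666 masked only by the process umask (0664 under umask 002), so
    group members, and under other umasks everyone, can read the secrets."""
    with open(path, "a"):
        pass
    return stat.S_IMODE(os.stat(path).st_mode)


def create_securely(path: str) -> int:
    """Create (or reuse) the database with owner-only permissions.

    The mode is handed to os.open(), so the file never exists with a looser
    mode, even briefly; the umask can only remove bits from 0600, never add
    any. The parent directory is tightened to 0700 as the changelog describes,
    and a database left behind by an older version is fixed with fchmod on the
    open descriptor rather than chmod on the path, which avoids a path race."""
    parent = os.path.dirname(os.path.abspath(path))
    os.makedirs(parent, mode=0o700, exist_ok=True)
    os.chmod(parent, 0o700)  # makedirs honours umask and skips existing dirs
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        os.fchmod(fd, 0o600)  # covers files created before the fix, not only migrated ones
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def group_or_world_accessible(path: str) -> bool:
    """Audit check: True if any group or other permission bit is set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo() -> dict:
    """Run both creation styles in a scratch directory under umask 002 and
    report the resulting modes so the difference is visible."""
    old_umask = os.umask(0o002)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            insecure = os.path.join(tmp, "insecure", "crypted_pass.cfg")
            secure = os.path.join(tmp, "secure", "crypted_pass.cfg")
            os.makedirs(os.path.dirname(insecure))
            return {
                "insecure_mode": create_insecurely(insecure),
                "insecure_exposed": group_or_world_accessible(insecure),
                "secure_mode": create_securely(secure),
                "secure_exposed": group_or_world_accessible(secure),
                "secure_dir_mode": stat.S_IMODE(
                    os.stat(os.path.dirname(secure)).st_mode
                ),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

The point of passing the mode to os.open() rather than calling chmod afterwards is that there is no window in which the file exists with the umask-derived permissions; the fchmod on the descriptor is only there for databases that already existed with the old permissions, which is exactly the case the first Ubuntu patch missed.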

Changed in python-keyring (Ubuntu Raring):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-keyring - 0.9.2-0ubuntu0.12.04.2

---------------
python-keyring (0.9.2-0ubuntu0.12.04.2) precise-security; urgency=low

  * SECURITY UPDATE: CryptedFileKeyring format is insecure (LP: #1004845)
    - Rebuild python-keyring 0.9.2 from Ubuntu 12.10 as a security update
      for Ubuntu 12.04.
    - debian/patches/crypto_compat.patch: include PBKDF2() directly to be
      compatible with the older version of python-crypto in Ubuntu 12.04.
    - CVE-2012-4571
  * SECURITY UPDATE: insecure default file permissions (LP: #1031465)
    - debian/patches/file_permissions.patch: set appropriate permissions on
      database directory.
    - CVE number pending
  * debian/patches/fix_migration.patch: fix migration code so old
    databases get upgraded when a key is read. (LP: #1042754)
  * debian/patches/fix_unlock.patch: fix unlocking an existing keyring.
 -- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 12:50:49 -0500

Changed in python-keyring (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-keyring - 0.9.2-1ubuntu0.2

---------------
python-keyring (0.9.2-1ubuntu0.2) quantal-security; urgency=low

  * SECURITY UPDATE: insecure default file permissions (LP: #1031465)
    - debian/patches/file_permissions.patch: set appropriate permissions on
      database directory.
    - CVE number pending
  * debian/patches/fix_migration.patch: fix migration code so old databases
    get upgraded when a key is read. (LP: #1042754)
  * debian/patches/fix_unlock.patch: fix unlocking an existing keyring.
 -- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 11:41:19 -0500

Changed in python-keyring (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-keyring - 0.9.2-0ubuntu0.11.10.2

---------------
python-keyring (0.9.2-0ubuntu0.11.10.2) oneiric-security; urgency=low

  * SECURITY UPDATE: CryptedFileKeyring format is insecure (LP: #1004845)
    - Rebuild python-keyring 0.9.2 from Ubuntu 12.10 as a security update
      for Ubuntu 11.10.
    - debian/patches/crypto_compat.patch: include PBKDF2() directly to be
      compatible with the older version of python-crypto in Ubuntu 11.10.
    - debian/control, debian/rules, debian/*install: get rid of
      python3-keyring binary package as it didn't ship in Ubuntu 11.10.
    - CVE-2012-4571
  * SECURITY UPDATE: insecure default file permissions (LP: #1031465)
    - debian/patches/file_permissions.patch: set appropriate permissions on
      database directory.
    - CVE number pending
  * debian/patches/fix_migration.patch: fix migration code so old
    databases get upgraded when a key is read. (LP: #1042754)
  * debian/patches/fix_unlock.patch: fix unlocking an existing keyring.
 -- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 12:54:34 -0500

Changed in python-keyring (Ubuntu Oneiric):
status: Confirmed → Fix Released