Ubuntu
python-keyring package

~/crypted_pass.cfg created with insecure permissions

Bug #1031465 reported by Jamie Strandboge on 2012-07-31

260

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	python-keyring (Ubuntu)	Fix Released	Undecided	Marc Deslauriers
	Oneiric	Fix Released	Undecided	Marc Deslauriers
	Precise	Fix Released	Undecided	Marc Deslauriers
	Quantal	Fix Released	Undecided	Marc Deslauriers
	Raring	Fix Released	Undecided	Marc Deslauriers

Bug Description

When an application uses python-keyring, the ~/crypted_pass.cfg file is created if it doesn't already exist. This file is created with 664 permissions and should be created with 600 permissions.

Related branches

lp:ubuntu/raring-proposed/python-keyring

lp:ubuntu/oneiric-security/python-keyring

lp:ubuntu/precise-security/python-keyring

lp:ubuntu/quantal-security/python-keyring

lp:debian/python-keyring

CVE References

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-08-03:

#1

Upstream bug:

https://bitbucket.org/kang/python-keyring-lib/issue/67/set-go-rwx-on-keyring_passcfg

Jamie Strandboge (jdstrand) on 2012-08-17

Changed in python-keyring (Ubuntu):
status:	New → Triaged
visibility:	private → public

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-11-16:

#2

Fixed in https://bitbucket.org/kang/python-keyring-lib/changeset/049cd181470f1ee6c540e1d64acf1def7b1de0c1 (0.10)

Marc Deslauriers (mdeslaur) on 2012-11-19

Changed in python-keyring (Ubuntu Oneiric):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in python-keyring (Ubuntu Quantal):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in python-keyring (Ubuntu Raring):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in python-keyring (Ubuntu Precise):
status:	New → Confirmed
Changed in python-keyring (Ubuntu Oneiric):
status:	New → Confirmed
Changed in python-keyring (Ubuntu Quantal):
status:	New → Confirmed
Changed in python-keyring (Ubuntu Precise):
assignee:	nobody → Marc Deslauriers (mdeslaur)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-11-19:

#3

This bug was fixed in the package python-keyring - 0.9.2-1ubuntu1

---------------
python-keyring (0.9.2-1ubuntu1) raring; urgency=low

  * SECURITY UPDATE: insecure default file permissions (LP: #1031465)
    - debian/patches/file_permissions.patch: set appropriate file
      permissions on database file.
    - CVE number pending
  * debian/patches/fix_migration.patch: fix migration code so old databases
    get upgraded when a key is read. (LP: #1042754)
  * debian/patches/fix_unlock.patch: fix unlocking an existing keyring.
-- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 09:40:11 -0500

Changed in python-keyring (Ubuntu Raring):
status:	Triaged → Fix Released

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-11-19:

#4

Actually, the upstream patch is incomplete...it only fixes permissions for files it has migrated.

Changed in python-keyring (Ubuntu Raring):
status:	Fix Released → Confirmed

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-11-19:

#5

New upstream bug: https://bitbucket.org/kang/python-keyring-lib/issue/76/insecure-database-file-permissions

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-11-19:

#6

This bug was fixed in the package python-keyring - 0.9.2-1ubuntu2

---------------
python-keyring (0.9.2-1ubuntu2) raring; urgency=low

  * debian/patches/file_permissions.patch: replaced with better patch that
    sets appropriate permissions on directory, and works with newly created
    database files too. (LP: #1031465)
-- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 13:38:23 -0500

Changed in python-keyring (Ubuntu Raring):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-11-20:

#7

This bug was fixed in the package python-keyring - 0.9.2-0ubuntu0.12.04.2

---------------
python-keyring (0.9.2-0ubuntu0.12.04.2) precise-security; urgency=low

  * SECURITY UPDATE: CryptedFileKeyring format is insecure (LP: #1004845)
    - Rebuild python-keyring 0.9.2 from Ubuntu 12.10 as a security update
      for Ubuntu 12.04.
    - debian/patches/crypto_compat.patch: include PBKDF2() directly to be
      compatible with the older version of python-crypto in Ubuntu 12.04.
    - CVE-2012-4571
  * SECURITY UPDATE: insecure default file permissions (LP: #1031465)
    - debian/patches/file_permissions.patch: set appropriate permissions on
      database directory.
    - CVE number pending
  * debian/patches/fix_migration.patch: fix migration code so old
    databases get upgraded when a key is read. (LP: #1042754)
  * debian/patches/fix_unlock.patch: fix unlocking an existing keyring.
-- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 12:50:49 -0500

Changed in python-keyring (Ubuntu Precise):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-11-20:

#8

This bug was fixed in the package python-keyring - 0.9.2-1ubuntu0.2

---------------
python-keyring (0.9.2-1ubuntu0.2) quantal-security; urgency=low

  * SECURITY UPDATE: insecure default file permissions (LP: #1031465)
    - debian/patches/file_permissions.patch: set appropriate permissions on
      database directory.
    - CVE number pending
  * debian/patches/fix_migration.patch: fix migration code so old databases
    get upgraded when a key is read. (LP: #1042754)
  * debian/patches/fix_unlock.patch: fix unlocking an existing keyring.
-- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 11:41:19 -0500

Changed in python-keyring (Ubuntu Quantal):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-11-20:

#9

This bug was fixed in the package python-keyring - 0.9.2-0ubuntu0.11.10.2

---------------
python-keyring (0.9.2-0ubuntu0.11.10.2) oneiric-security; urgency=low

  * SECURITY UPDATE: CryptedFileKeyring format is insecure (LP: #1004845)
    - Rebuild python-keyring 0.9.2 from Ubuntu 12.10 as a security update
      for Ubuntu 11.10.
    - debian/patches/crypto_compat.patch: include PBKDF2() directly to be
      compatible with the older version of python-crypto in Ubuntu 11.10.
    - debian/control, debian/rules, debian/*install: get rid of
      python3-keyring binary package as it didn't ship in Ubuntu 11.10.
    - CVE-2012-4571
  * SECURITY UPDATE: insecure default file permissions (LP: #1031465)
    - debian/patches/file_permissions.patch: set appropriate permissions on
      database directory.
    - CVE number pending
  * debian/patches/fix_migration.patch: fix migration code so old
    databases get upgraded when a key is read. (LP: #1042754)
  * debian/patches/fix_unlock.patch: fix unlocking an existing keyring.
-- Marc Deslauriers <email address hidden> Mon, 19 Nov 2012 12:54:34 -0500

Changed in python-keyring (Ubuntu Oneiric):
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.