Bug 881132 (CVE-2012-5577, CVE-2012-5578) - CVE-2012-5577 CVE-2012-5578 python-keyring: insecure permissions on configuration file
Summary: CVE-2012-5577 CVE-2012-5578 python-keyring: insecure permissions on configura...
Keywords:
Status: CLOSED WORKSFORME
Alias: CVE-2012-5577, CVE-2012-5578
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 881137 881138
Blocks:
 
Reported: 2012-11-28 17:30 UTC by Vincent Danen
Modified: 2019-09-29 12:58 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-03-29 00:23:30 UTC
Embargoed:



Description Vincent Danen 2012-11-28 17:30:09 UTC
It was reported [1],[2] that python-keyring would create its configuration file world-readable. This was corrected upstream; however, the first commit only changed the permissions of an existing configuration file [3], which is incomplete. A new bug report [4] describes a fix which sets the permissions on the keyring storage directory to mode 0700, which would fully protect the files. There are patches attached to [4] that correct this; they have not been pulled into upstream yet.

CVE-2012-5578 was assigned to the incomplete fix (via the first patch) of CVE-2012-5577.

By the looks of things, python-keyring 0.7 (the current version in Fedora and EPEL) uses standard umask settings when creating files and will use whichever filename/path is provided (it does not have a concept of these storage directories to store data). So it suffers from the same flaw, just in a slightly different way. Probably the best place to fix it is here:

keyring/backend.py:

    def _init_file(self):
        """Init the password file, set the password for it.
        """
...

        config_file = open(self.file_path,'w')
        config.write(config_file)


[1] https://bitbucket.org/kang/python-keyring-lib/issue/67/set-go-rwx-on-keyring_passcfg
[2] https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1031465
[3] https://bitbucket.org/kang/python-keyring-lib/changeset/049cd181470f1ee6c540e1d64acf1def7b1de0c1
[4] https://bitbucket.org/kang/python-keyring-lib/issue/76/insecure-database-file-permissions
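The following is an added example, not code from python-keyring or from the bug report above; the helper names (write_private_config, leaked_bits, demo) and the sample config contents are hypothetical. It contrasts the plain open(path, 'w') pattern quoted above, whose resulting mode depends on the process umask, with a writer that creates the storage directory as 0700 and the file as 0600 from the moment they exist.

```python
import os
import stat
import tempfile
import configparser


def write_private_config(path, config):
    """Write `config` to `path` without exposing it to other users, whatever the umask."""
    directory = os.path.dirname(os.path.abspath(path))
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, stat.S_IRWXU)  # makedirs' mode is umask-filtered; enforce 0700
    # O_CREAT with mode 0600: the umask can only clear bits, never add them, so the
    # file is owner-only from creation instead of being chmod'ed after the fact.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as config_file:
        config.write(config_file)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # also tighten a pre-existing loose file


def leaked_bits(path):
    """Permission bits set beyond owner read/write; 0 means nobody else can read it."""
    return stat.S_IMODE(os.stat(path).st_mode) & ~0o600


def demo(umask=0o022):
    """Write the same config the insecure way and the hardened way under `umask`.
    Returns (insecure_leak, secure_leak, secure_dir_mode)."""
    config = configparser.RawConfigParser()
    config.add_section("keyring-setting")
    config.set("keyring-setting", "password", "constructed-sample-secret")  # constructed value
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            insecure = os.path.join(tmp, "keyring_pass.cfg")
            with open(insecure, "w") as f:  # the pattern from backend.py above
                config.write(f)
            secure = os.path.join(tmp, "store", "keyring_pass.cfg")
            write_private_config(secure, config)
            dir_mode = stat.S_IMODE(os.stat(os.path.dirname(secure)).st_mode)
            return (leaked_bits(insecure), leaked_bits(secure), dir_mode)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())  # (0o044, 0, 0o700) under the default umask 022: group/other can read the plain file
```

With a permissive umask of 000 the plain open() leaks read and write bits to everyone (0o066), while the hardened writer still yields 0600/0700.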

Comment 1 Vincent Danen 2012-11-28 17:33:52 UTC
Created python-keyring tracking bugs for this issue

Affects: fedora-all [bug 881137]
Affects: epel-6 [bug 881138]

