Control: tags -1 + patch

Hi Carl

On Wed, Dec 26, 2012 at 04:52:48PM +0100, Moritz Muehlenhoff wrote:
> Package: python-keyring
> Severity: grave
> Tags: security
> 
> Please see 
> 
> http://www.openwall.com/lists/oss-security/2012/11/16/2
> http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5577.html
> http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5578.html

Attached is the proposed debdiff for unstable with the patch prepared
in Ubuntu raring for this.

Do you have time to prepare the upload? I have not checked if Squeeze
and Wheezy are affected too, but if Wheezy is affected, a separate
upload for t-p-u needs to be prepared. An unblock of 0.9.2 at this
stage of the freeze is not acceptable.

Regards,
Salvatore
diff -Nru python-keyring-0.9.2/debian/changelog 
python-keyring-0.9.2/debian/changelog
--- python-keyring-0.9.2/debian/changelog       2012-07-30 23:08:49.000000000 
+0200
+++ python-keyring-0.9.2/debian/changelog       2012-12-29 08:47:03.000000000 
+0100
@@ -1,3 +1,12 @@
+python-keyring (0.9.2-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Add 696736-Fix-insecure-permissions-on-database-files.patch
+    [SECURITY]: Fix insecure permissions on database files. Fix
+    CVE-2012-5577 and CVE-2012-5578. (Closes: #696736) (LP: #1031465)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 29 Dec 2012 08:46:59 +0100
+
 python-keyring (0.9.2-1) unstable; urgency=low
 
   * New upstream release (Closes: #675379, #678682)
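Review bot: `urgency=low` on the new changelog entry at the top of this hunk is unusual for an upload whose only purpose is to fix two CVEs; Debian practice for security fixes is `urgency=high` so the package migrates to testing quickly. Suggest `python-keyring (0.9.2-1.1) unstable; urgency=high`.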
diff -Nru 
python-keyring-0.9.2/debian/patches/696736-Fix-insecure-permissions-on-database-files.patch
 
python-keyring-0.9.2/debian/patches/696736-Fix-insecure-permissions-on-database-files.patch
--- 
python-keyring-0.9.2/debian/patches/696736-Fix-insecure-permissions-on-database-files.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
python-keyring-0.9.2/debian/patches/696736-Fix-insecure-permissions-on-database-files.patch
 2012-12-29 08:41:37.000000000 +0100
@@ -0,0 +1,56 @@
+Description: set appropriate file permissions on database file.
+Bug: 
https://bitbucket.org/kang/python-keyring-lib/issue/67/set-go-rwx-on-keyring_passcfg
+Bug: 
https://bitbucket.org/kang/python-keyring-lib/issue/76/insecure-database-file-permissions
+Bug-Debian: http://bugs.debian.org/696736
+Bug-Ubuntu: 
https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1031465
+Forwarded: yes
+Author: Marc Deslauriers <marc.deslauri...@canonical.com>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2012-12-29
+
+--- a/keyring/backend.py
++++ b/keyring/backend.py
+@@ -6,6 +6,7 @@
+ 
+ import getpass
+ import os
++import stat
+ import sys
+ import ConfigParser
+ import base64
+@@ -406,6 +407,7 @@
+         storage_root = os.path.dirname(self.file_path)
+         if storage_root and not os.path.isdir(storage_root):
+             os.makedirs(storage_root)
++        os.chmod(storage_root, stat.S_IWRITE | stat.S_IREAD | stat.S_IEXEC)
+ 
+ 
+ class UncryptedFileKeyring(BasicFileKeyring):
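Review bot: the added `os.chmod(storage_root, ...)` sits outside the `if storage_root and not os.path.isdir(storage_root):` guard, so it runs on every call: when `storage_root` is an empty string (a bare filename as `file_path`) `os.chmod('')` raises OSError, and when the directory already existed and is shared with other files or users, forcing it to 0700 takes their access away. Suggest creating the directory with the restrictive mode in one step inside the guard, `os.makedirs(storage_root, 0700)`, which also closes the window in which the directory exists with umask-derived permissions before the chmod; `stat.S_IRWXU` is the idiomatic spelling of the mode. Note also that the patch header says it sets permissions on the database file, but this hunk only changes the directory; the mode of the database file itself is not touched in the visible lines.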
+--- a/keyring/util/loc_compat.py
++++ b/keyring/util/loc_compat.py
+@@ -1,5 +1,6 @@
+ import os
+ import shutil
++import stat
+ import sys
+ 
+ def relocate_file(old_location, new_location):
+@@ -24,4 +25,6 @@
+     # ensure the storage path exists
+     if not os.path.isdir(os.path.dirname(new_location)):
+         os.makedirs(os.path.dirname(new_location))
++    os.chmod(os.path.dirname(new_location),
++        stat.S_IWRITE | stat.S_IREAD | stat.S_IEXEC)
+     shutil.move(old_location, new_location)
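Review bot: the relocated file keeps whatever mode it had at `old_location`, since `shutil.move` preserves permissions and nothing in this hunk chmods the file itself, so a database file created with the old insecure permissions stays world-readable after relocation; suggest `os.chmod(new_location, stat.S_IRUSR | stat.S_IWUSR)` after the move. As in `backend.py`, the `os.chmod` on the parent runs unconditionally rather than only when the directory was just created, and `os.path.dirname(new_location)` is evaluated three times; a local `new_dir = os.path.dirname(new_location)` with `os.makedirs(new_dir, 0700)` inside the `if` would be cleaner and avoid the window between creation and chmod.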
+--- a/keyring/tests/test_backend.py
++++ b/keyring/tests/test_backend.py
+@@ -343,7 +343,8 @@
+     def setUp(self):
+         super(FileKeyringTests, self).setUp()
+         self.keyring = self.init_keyring()
+-        self.keyring.file_path = self.tmp_keyring_file = tempfile.mktemp()
++        self.keyring.file_path = self.tmp_keyring_file = os.path.join(
++            tempfile.mkdtemp(), "test_pass.cfg")
+ 
+     def tearDown(self):
+         try:
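Review bot: the directory created by `tempfile.mkdtemp()` is only reachable through `self.tmp_keyring_file`, and the visible start of `tearDown` gives no sign that it is removed, so every test run leaves a directory behind; suggest `shutil.rmtree(os.path.dirname(self.tmp_keyring_file), ignore_errors=True)` in `tearDown`. Because `mkdtemp()` already creates the parent, the `os.makedirs` branch added in `backend.py` is not exercised by this setup, and no assertion on the resulting permission bits of the directory or file is added here, so the fix itself has no regression test.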
diff -Nru python-keyring-0.9.2/debian/patches/series 
python-keyring-0.9.2/debian/patches/series
--- python-keyring-0.9.2/debian/patches/series  1970-01-01 01:00:00.000000000 
+0100
+++ python-keyring-0.9.2/debian/patches/series  2012-12-29 08:41:30.000000000 
+0100
@@ -0,0 +1 @@
+696736-Fix-insecure-permissions-on-database-files.patch
