Message276649
| Author | SamB |
| Recipients | BreamoreBoy, Friedrich.Spee.von.Langenfeld, Gynvael.Coldwind, SamB, carlfk, dsmiller, eryksun, ezio.melotti, flox, fran.rogers, georg.brandl, giampaolo.rodola, jaraco, loewis, mel, mhammond, michael.foord, nnorwitz, norvellspearman, pitrou, r.david.murray, steve.dower, tim.golden, tim.peters |
| Date | 2016-09-16.00:30:23 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <1473985824.76.0.150548017953.issue1284316@psf.upfronthosting.co.za> |
| In-reply-to | |
| Content |
Um, you know this still affects Python 2.7, right?
Yes, I realize that it's not going to be very practical to change the default installation path for 2.7, but that doesn't make the issue disappear, nor is that the only way to close the hole.
Which is to say, the 2.7 installer should be changed to tighten the permissions on the installation directory when doing an "all-users" install (even if the directory already exists, though in that case it might make sense for it to be optional).
(I suppose the same logic applies to any other version < 3.5 that's still getting security updates, too?)
P.S. Does this count as CVE-2012-5379, even though that was reported against ActiveState's distribution?
I'm pretty sure it's an instance of CWE-276 <https://cwe.mitre.org/data/definitions/276.html>, at any rate.

History

| Date | User | Action | Args |
|---|---|---|---|
| 2016-09-16 00:30:25 | SamB | set | recipients: + SamB, tim.peters, loewis, mhammond, nnorwitz, georg.brandl, jaraco, pitrou, mel, dsmiller, norvellspearman, giampaolo.rodola, carlfk, tim.golden, ezio.melotti, r.david.murray, michael.foord, flox, fran.rogers, BreamoreBoy, Gynvael.Coldwind, eryksun, steve.dower, Friedrich.Spee.von.Langenfeld |
| 2016-09-16 00:30:24 | SamB | set | messageid: <1473985824.76.0.150548017953.issue1284316@psf.upfronthosting.co.za> |
| 2016-09-16 00:30:24 | SamB | link | issue1284316 messages |
| 2016-09-16 00:30:23 | SamB | create | |