Package: virtualenvwrapper
Severity: important
Tags: security

Hello,

virtualenvwrapper creates ~/.virtualenvs and the scripts stored
therein with 0775 as permissions. This is a security
vulnerability for multi-user systems where more than one user is
in the same group.

The problematic part is (at least) in user_scripts.py:

    PERMISSIONS = stat.S_IRWXU | stat.S_IRWXG | stat.S_IROTH | stat.S_IXOTH

This should be changed to S_IRGRP.

Because the directory ~/.virtualenvs is created by default when
using bash-completions (at least in Debian Wheezy), this affects
many users.

Regards
Simon

PS: Sorry for the typo in the original bug report.
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
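An added example, not part of the original report or of virtualenvwrapper's code: an audit that finds group- or world-writable entries under a hooks directory and clears those write bits. The tree it runs on is constructed in a temporary directory, the helper names are hypothetical, and SUGGESTED is only one reading of the change proposed in the report.

```python
import os
import stat
import tempfile

# Constant quoted in the report (user_scripts.py): evaluates to 0o775.
REPORTED = stat.S_IRWXU | stat.S_IRWXG | stat.S_IROTH | stat.S_IXOTH
# Assumption: one reading of the suggested change, S_IRWXG replaced by S_IRGRP.
SUGGESTED = stat.S_IRWXU | stat.S_IRGRP | stat.S_IROTH | stat.S_IXOTH
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def find_writable(root):
    """Return sorted (path, mode) pairs under root that group or other can write."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & WRITABLE_BY_OTHERS:
                hits.append((path, mode))
    return sorted(hits)


def tighten(root):
    """Clear group/other write bits on every hit; return the paths changed."""
    changed = []
    for path, mode in find_writable(root):
        os.chmod(path, mode & ~WRITABLE_BY_OTHERS)
        changed.append(path)
    return changed


def demo():
    """Constructed sample: a hooks dir created with the reported mode, then fixed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, ".virtualenvs")
        os.mkdir(root)
        hook = os.path.join(root, "postactivate")
        with open(hook, "w") as fh:
            fh.write("#!/bin/sh\n")
        for path in (root, hook):
            os.chmod(path, REPORTED)  # chmod sets the mode regardless of umask
        before = [(os.path.relpath(p, tmp), oct(m)) for p, m in find_writable(root)]
        tighten(root)
        return before, find_writable(root)


if __name__ == "__main__":
    print(oct(REPORTED), oct(SUGGESTED), demo())
```

On a real system, call find_writable(os.path.expanduser("~/.virtualenvs")) first and review the hits before running tighten on the same path.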

