[issue1284316] Win32: Security problem with default installation directory
Samuel Bronson
report at bugs.python.org
Thu Sep 15 20:30:24 EDT 2016
Samuel Bronson added the comment:
Um, you know this still affects Python 2.7 right?
Yes, I realize that it's not going to be very practical to change the default installation path for 2.7, but that doesn't make the issue disappear, nor is that the only way to close the hole.
Which is to say, the 2.7 installer should be changed to tighten the permissions on the installation directory when doing an "all-users" install (even if the directory already exists, though in that case it might make sense for it to be optional).
(I suppose the same logic applies to any other version < 3.5 that's still getting security updates, too?)
P.S. Does this count as CVE-2012-5379, even though that was reported against ActiveState's distribution?
I'm pretty sure it's an instance of CWE-276 <https://cwe.mitre.org/data/definitions/276.html>, at any rate.
----------
nosy: +SamB
versions: +Python 2.7
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue1284316>
_______________________________________
More information about the Python-bugs-list
mailing list