Red Hat Bugzilla – Bug 881132
CVE-2012-5577 CVE-2012-5578 python-keyring: insecure permissions on configuration file
Last modified: 2017-12-19 11:05:25 EST
It was reported that python-keyring would create its configuration file world-readable. This was corrected upstream; however, the first commit only changed the permissions of an existing configuration file, which is incomplete. A new bug report  indicated which sets the permissions on the keyring storage directory to mode 0700, which would fully protect the files. There are patches attached to  that correct this; they've not been pulled into upstream yet.
CVE-2012-5578 was assigned to the incomplete fix (via the first patch) of CVE-2012-5577.
By the looks of things, python-keyring 0.7 (the current version in Fedora and EPEL) uses standard umask settings when creating files and will use whichever filename/path is provided (it does not have a concept of these storage directories to store data). So it suffers from the same flaw, just in a slightly different way. Probably the best place to fix it is here:
373 def _init_file(self):
374 """Init the password file, set the password for it.
407 config_file = open(self.file_path,'w')
Created python-keyring tracking bugs for this issue
Affects: fedora-all [bug 881137]
Affects: epel-6 [bug 881138]
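The file-creation flaw discussed above, as an added example that is not python-keyring's code or the upstream patch: it contrasts a plain open(path, 'w'), whose mode is decided by the umask, with creating the file as 0600 inside a 0700 storage directory. The names write_private, mode_of and demo, the file names, and the dedicated storage directory are assumptions made for illustration.

```python
import os
import stat
import tempfile


def mode_of(path):
    """Return only the permission bits of path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_private(storage_dir, name, data):
    """Write data to storage_dir/name as 0600 inside a 0700 directory.

    storage_dir is assumed to be dedicated to this application; do not
    point it at a shared directory, because its mode is forced to 0700.
    """
    os.makedirs(storage_dir, mode=0o700, exist_ok=True)
    os.chmod(storage_dir, 0o700)  # tighten a directory that already existed
    path = os.path.join(storage_dir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    flags |= getattr(os, "O_NOFOLLOW", 0)  # refuse a symlink at the final path
    # The mode is applied at creation, so a new file is never world-readable.
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)  # also fixes a pre-existing loose file
        fh.write(data)
    return path


def demo():
    """Return (mode from plain open, mode from write_private, dir mode)."""
    old_umask = os.umask(0o022)  # a common default umask
    try:
        with tempfile.TemporaryDirectory() as tmp:
            naive = os.path.join(tmp, "naive.cfg")
            with open(naive, "w") as fh:  # same pattern as the quoted line
                fh.write("[keyring]\n")  # constructed sample content
            store = os.path.join(tmp, "store")
            safe = write_private(store, "keyring.cfg", "[keyring]\n")
            return mode_of(naive), mode_of(safe), mode_of(store)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

Fixing only the file mode of an existing file, as the first upstream commit is described as doing, corresponds to the fchmod step alone; the creation mode and the directory mode cover the remaining cases.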