oss-sec mailing list archives
Re: [PSRT] CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python
From: Victor Stinner <victor.stinner () gmail com>
Date: Sat, 29 Mar 2014 09:19:32 +0100
Hi, I changed the title of the issue to "os.makedirs(exist_ok=True) is not thread-safe: umask is set temporary to 0, serious security problem". So the vulnerability requires an application using exist_ok=True, a second vulnerability to inject arbitrary code, and at least another thread. Since umask() is restored the line after umask(0) and CPython has a GIL, the window to exploit the vulnerability is very short (leess than a second, closer to 5 ms). This vulnerability looks theorical to me, so I'm not ok to call it "serious", but it would be nice to fix it. Hum, I didn't check if umask() releases the GIL. Victor Le vendredi 28 mars 2014, Vincent Danen <vdanen () redhat com> a écrit :
Cc'ing security () python org <javascript:;> so that they are aware of the CVE assignment (so please keep them in the cc). Just copying and pasting from the Red Hat bug: It was reported [1] that a patch added to Python 3.2 [2] caused a race condition where a file created could be created with world read/write permissions instead of the permissions dictated by the original umask of the process. This could allow a local attacker that could win the race to view and edit files created by a program using this call. Note that prior versions of Python, including 2.x, do not include the vulnerable _get_masked_mode() function that is used by os.makedirs() when exist_ok is set to True. [1] http://bugs.python.org/issue21082 [2] http://bugs.python.org/issue9299 Our bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=1082177 Could a CVE be assigned to this issue please? Thank you. -- Vincent Danen / Red Hat Security Response Team
Current thread:
- CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python Vincent Danen (Mar 28)
- Re: [PSRT] CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python Victor Stinner (Mar 29)
- Re: CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python cve-assign (Mar 30)