oss-sec mailing list archives
Re: CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python
From: cve-assign () mitre org
Date: Sun, 30 Mar 2014 17:14:20 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
def _get_masked_mode(mode): mask = umask(0) umask(mask)
Use CVE-2014-2667 for this vulnerability in Python.
http://bugs.python.org/issue21082#msg215028 http://bugs.python.org/file34649/get_masked_mode.patch
(note that Victor's patch is of course not an actual fix, only a mitigation; if someone is relying on a stricter umask they will still be vulnerable to this)
There is no CVE assignment yet for any distribution's Python package that applied this patch, and therefore has a different (but less severe) vulnerability. It is conceivable that nothing has yet been shipped with that patch.
http://bugs.python.org/issue21082#msg215026
The shell command "umask" calls umask(022) to get the current umask, and then call umask() with result of the first call.
There is no CVE assignment yet for any shell, or other program, that uses the umask(022) approach in a multithreaded environment. There is perhaps an open question of how (or if) the current umask should be determined. For example, calling umask(022) is arguably a vulnerability in some cases, calling umask(0777) could possibly cause other undesirable behavior during races, simply not checking the umask and providing false data to the user is problematic as well, etc.
http://bugs.python.org/issue21082#msg215034
We can probably document that makedirs(exists_ok=True) leaves the directory permission unchanged if the directory already exist,
There is no CVE assignment for the issue of whether the permissions of an existing directory after makedirs(exists_ok=True) are consistent with the previous permissions, consistent with the current umask, or randomly selected (?) from between those two options. Also, there is no CVE assignment for whether a permission mismatch should be an error condition. Unless there were documentation that was directly misleading, this seems to be mainly a usability question. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTOIfRAAoJEKllVAevmvms+4kIAJLmRN07eDk816DJSoAWrpqy 1czVEMGsaVaeWJBKAelsuLSWR/m/lDZnzbpOnfqwdYujefiiYY2+idPdx7WAYM59 AmAYdri7f5YojYlLAYrdtGfJgInaAhG+9isvEZWqzRp2//iBzx1mhWduV/47U+JQ YBeW1k5tpc8iK1vxRPlIGXc0fwiD5/zE1gm8LUmAkjIjBV4sXOBoJaREyzl5gbvF Nnuv3bxfVvjwjHHzSZmQPr0En01EygAr71aM6mf0gN61pwg1O13P2ucj1aCsK8GP G9eWGcmK7aaNp0ZGOGfqlQv2pMkt4Wf5QXVmG2ICKrkh4gww76thL0b3Ult9+3Y= =zUkt -----END PGP SIGNATURE-----
Current thread:
- CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python Vincent Danen (Mar 28)
- Re: [PSRT] CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python Victor Stinner (Mar 29)
- Re: CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python cve-assign (Mar 30)