oss-sec mailing list archives

CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python

From: "Vincent Danen" <vdanen () redhat com>
Date: Fri, 28 Mar 2014 16:23:01 -0600

Cc'ing security () python org so that they are aware of the CVE assignment (so please keep them in the cc).  Just 
copying and pasting from the Red Hat bug:


It was reported [1] that a patch added to Python 3.2 [2] caused a race condition where a file created could be created 
with world read/write permissions instead of the permissions dictated by the original umask of the process.  This could 
allow a local attacker that could win the race to view and edit files created by a program using this call.

Note that prior versions of Python, including 2.x, do not include the vulnerable _get_masked_mode() function that is 
used by os.makedirs() when exist_ok is set to True.


[1] http://bugs.python.org/issue21082
[2] http://bugs.python.org/issue9299


Our bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=1082177

Could a CVE be assigned to this issue please?  Thank you.

-- 
Vincent Danen / Red Hat Security Response Team

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python Vincent Danen (Mar 28)
- Re: [PSRT] CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python Victor Stinner (Mar 29)
- Re: CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python cve-assign (Mar 30)