oss-sec mailing list archives
CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python
From: "Vincent Danen" <vdanen () redhat com>
Date: Fri, 28 Mar 2014 16:23:01 -0600
Cc'ing security () python org so that they are aware of the CVE assignment (so please keep them in the cc). Just copying and pasting from the Red Hat bug: It was reported [1] that a patch added to Python 3.2 [2] caused a race condition where a file created could be created with world read/write permissions instead of the permissions dictated by the original umask of the process. This could allow a local attacker that could win the race to view and edit files created by a program using this call. Note that prior versions of Python, including 2.x, do not include the vulnerable _get_masked_mode() function that is used by os.makedirs() when exist_ok is set to True. [1] http://bugs.python.org/issue21082 [2] http://bugs.python.org/issue9299 Our bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=1082177 Could a CVE be assigned to this issue please? Thank you. -- Vincent Danen / Red Hat Security Response Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python Vincent Danen (Mar 28)
- Re: [PSRT] CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python Victor Stinner (Mar 29)
- Re: CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python cve-assign (Mar 30)