os.makedirs(exist_ok=True) is not thread-safe: umask is set temporarily to 0, serious security problem.
The fix removes the directory mode check from os.makedirs().
The exist_ok parameter was added to Python 3.2.0 (commit 5a22b651173f142a600625a036fcf36484ade237).
Dates:
Disclosure date: 2014-03-28 (Python issue bpo-21082 reported)
Python 3.2.6 (2014-10-12) fixed by commit ee5f1c1 (branch 3.2) (2014-04-01)
Python 3.3.6 (2014-10-12) fixed by commit ee5f1c1 (branch 3.2) (2014-04-01)
Python 3.4.1 (2014-05-18) fixed by commit ee5f1c1 (branch 3.2) (2014-04-01)
Python 3.5.0 (2015-09-12) fixed by commit ee5f1c1 (branch 3.2) (2014-04-01)
os.makedirs(exist_ok=True) is not thread-safe: umask is set temporary to 0, serious security problem.
Python issue: bpo-21082
Creation date: 2014-03-28
Reporter: Ryan Lortie
Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
CVE ID: CVE-2014-2667
Published: 2014-11-16
CVSS Score: 3.3
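The window the CVE description refers to, made deterministic as an added example (not code from CPython or from this page): `masked_mode_pre_fix` reproduces the set-umask-to-0-then-restore pattern, and its `in_window` hook is a hypothetical stand-in for another thread running between the two calls. It assumes a POSIX system; the 0o077 umask and the file names are constructed.

```python
import os
import stat
import tempfile

def masked_mode_pre_fix(mode, in_window=None):
    """Read the umask by setting it to 0 and restoring it (the unsafe pattern).

    in_window is a hypothetical hook for this demo: it runs at the point where
    another thread could be scheduled between the two umask() calls.
    """
    mask = os.umask(0)            # process-wide umask is now 0
    try:
        if in_window is not None:
            in_window()
    finally:
        os.umask(mask)            # restored; the window closes here
    return mode & ~mask

def create_file(path):
    """Create a file as ordinary code does (0o666 minus umask); return its mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Return (file mode inside window, file mode outside, expected dir mode)."""
    old = os.umask(0o077)         # constructed setting: a restrictive umask
    try:
        with tempfile.TemporaryDirectory() as d:
            seen = {}
            def other_thread():
                seen["inside"] = create_file(os.path.join(d, "inside"))
            expected = masked_mode_pre_fix(0o777, in_window=other_thread)
            seen["outside"] = create_file(os.path.join(d, "outside"))
            return seen["inside"], seen["outside"], expected
    finally:
        os.umask(old)             # leave the caller's umask untouched

if __name__ == "__main__":
    inside, outside, expected = demo()
    print(f"created during window:  {inside:04o}")
    print(f"created outside window: {outside:04o}")
    print(f"expected directory mode: {expected:04o}")
```

The file created inside the window ignores the restrictive umask, which is why the fix drops the directory mode check instead of reading the umask this way.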
Timeline using the disclosure date 2014-03-28 as reference:
2014-03-28: Python issue bpo-21082 reported by Ryan Lortie
2014-04-01 (+4 days): commit ee5f1c1 (branch 3.2)
2014-05-18 (+51 days): Python 3.4.1 released
2014-10-12 (+198 days): Python 3.2.6 released
2014-10-12 (+198 days): Python 3.3.6 released
2014-11-16 (+233 days): CVE-2014-2667 published
2015-09-12: Python 3.5.0 released