Bug 1082177 (CVE-2014-2667)

Summary: CVE-2014-2667 python: os.makedirs(exist_ok=True) is not thread-safe in Python 3.x
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amcnabb, bkabrda, carnil, derks, dmalcolm, drieden, extras-orphan, ivazqueznet, jberan, jeffrey.ness, jkurik, jonathansteffan, jorton, katzj, mmaslano, mmcgrath, ncoghlan, nobody+bgollahe, python-maint, tdawson, tomspur, tradej
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-03 21:07:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1083594    
Bug Blocks: 1082178    

Description Vincent Danen 2014-03-28 22:19:00 UTC
It was reported [1] that a patch added to Python 3.2 [2] caused a race condition where a file created could be created with world read/write permissions instead of the permissions dictated by the original umask of the process.  This could allow a local attacker that could win the race to view and edit files created by a program using this call.

Note that prior versions of Python, including 2.x, do not include the vulnerable _get_masked_mode() function that is used by os.makedirs() when exist_ok is set to True.


[1] http://bugs.python.org/issue21082
[2] http://bugs.python.org/issue9299

Comment 1 Vincent Danen 2014-03-28 22:25:59 UTC
CVE request:

http://openwall.com/lists/oss-security/2014/03/28/15

Comment 2 Vincent Danen 2014-03-28 22:26:33 UTC
Statement:

Not vulnerable. This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 3 Murray McAllister 2014-03-31 06:08:08 UTC
MITRE assigned CVE-2014-2667 to this issue:

http://seclists.org/oss-sec/2014/q1/700

Comment 4 Stefan Cornelius 2014-04-02 14:15:48 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1083594]

Comment 6 Fedora Update System 2014-12-12 04:23:28 UTC
python3-3.3.2-19.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-01-06 06:16:35 UTC
python3-3.3.2-11.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.