It was reported [1] that a patch added to Python 3.2 [2] caused a race condition where a file created could be created with world read/write permissions instead of the permissions dictated by the original umask of the process. This could allow a local attacker that could win the race to view and edit files created by a program using this call. Note that prior versions of Python, including 2.x, do not include the vulnerable _get_masked_mode() function that is used by os.makedirs() when exist_ok is set to True.

[1] http://bugs.python.org/issue21082
[2] http://bugs.python.org/issue9299
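The window described in the report, made deterministic, as an added example that is not code from the report or from CPython. The names `masked_mode_by_toggling`, `create_file`, `demo` and `interpreter_has_helper`, and the `during_window` hook that stands in for a second thread, are assumptions for illustration; the helper follows the set-umask-to-0-then-restore pattern and needs a POSIX system.

```python
import os
import stat
import tempfile


def masked_mode_by_toggling(mode, during_window=None):
    """Read the umask by setting it to 0 and restoring it (illustrative pattern).

    during_window is a hypothetical hook standing in for another thread
    that happens to run between the two umask() calls.
    """
    mask = os.umask(0)            # the process-wide umask is 0 from here...
    try:
        if during_window is not None:
            during_window()
    finally:
        os.umask(mask)            # ...until the original value is restored
    return mode & ~mask


def create_file(path):
    """Create a file requesting 0o666 and return the mode it actually got."""
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return (mode of a normally created file, mode of one created in the window)."""
    previous = os.umask(0o077)    # constructed setting: owner-only files
    try:
        with tempfile.TemporaryDirectory() as tmp:
            normal = create_file(os.path.join(tmp, "normal"))
            seen = {}
            masked_mode_by_toggling(
                0o777,
                lambda: seen.update(raced=create_file(os.path.join(tmp, "raced"))),
            )
            return normal, seen["raced"]
    finally:
        os.umask(previous)


def interpreter_has_helper():
    """True if this interpreter's os module still has the helper named in the report."""
    return hasattr(os, "_get_masked_mode")


if __name__ == "__main__":
    normal, raced = demo()
    print("normal file mode:", oct(normal))
    print("file created inside the window:", oct(raced))
    print("os._get_masked_mode present:", interpreter_has_helper())
```

Because the umask is per process rather than per thread, any file another thread creates inside that window ignores the configured umask, which is why the file in the second case ends up world readable and writable.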
CVE request: http://openwall.com/lists/oss-security/2014/03/28/15
Statement: Not vulnerable. This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5 and 6.
MITRE assigned CVE-2014-2667 to this issue: http://seclists.org/oss-sec/2014/q1/700
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1083594]
python3-3.3.2-19.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python3-3.3.2-11.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.