mailing list archives
Re: CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python
From: cve-assign () mitre org
Date: Sun, 30 Mar 2014 17:14:20 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
mask = umask(0)
Use CVE-2014-2667 for this vulnerability in Python.
(note that Victor's patch is of course not an actual fix, only a
mitigation; if someone is relying on a stricter umask they will still
be vulnerable to this)
There is no CVE assignment yet for any distribution's Python package
that applied this patch, and therefore has a different (but less
severe) vulnerability. It is conceivable that nothing has yet been
shipped with that patch.
The shell command "umask" calls umask(022) to get the current umask,
and then call umask() with result of the first call.
There is no CVE assignment yet for any shell, or other program, that
uses the umask(022) approach in a multithreaded environment. There is
perhaps an open question of how (or if) the current umask should be
determined. For example, calling umask(022) is arguably a
vulnerability in some cases, calling umask(0777) could possibly cause
other undesirable behavior during races, simply not checking the umask
and providing false data to the user is problematic as well, etc.
We can probably document that makedirs(exists_ok=True) leaves the
directory permission unchanged if the directory already exist,
There is no CVE assignment for the issue of whether the permissions of
an existing directory after makedirs(exists_ok=True) are consistent
with the previous permissions, consistent with the current umask, or
randomly selected (?) from between those two options. Also, there is
no CVE assignment for whether a permission mismatch should be an error
condition. Unless there were documentation that was directly
misleading, this seems to be mainly a usability question.
CVE assignment team, MITRE CVE Numbering Authority
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)
-----END PGP SIGNATURE-----