| Summary: | <dev-lang/python-{2.7.7,3.2.5-r5,3.3.5-r1}: "os._get_masked_mode()" Race Condition Security Issue (CVE-2014-2667) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://secunia.com/advisories/57672/ | ||
| Whiteboard: | A4 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
CVE-2014-2667 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2667): Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value. This issue was resolved and addressed in GLSA 201503-10 at https://security.gentoo.org/glsa/201503-10 by GLSA coordinator Kristian Fiskerstrand (K_F). |
From ${URL} : Description A security issue has been reported in Python, which can be exploited by malicious, local users to potentially disclose or manipulate certain data. The security issue is caused due to a race condition within the "os._get_masked_mode()" function (Lib/os.py), which can be exploited to cause certain application-created files to be world-accessible. The security issue is reported in versions 3.4, 3.3, and 3.2. Solution: No official solution is currently available. Provided and/or discovered by: Ryan Lortie within a bug ticket Original Advisory: Ryan Lortie: http://bugs.python.org/issue21082 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.