Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 506084 (CVE-2014-2667) - <dev-lang/python-{2.7.7,3.2.5-r5,3.3.5-r1}: "os._get_masked_mode()" Race Condition Security Issue (CVE-2014-2667)
Summary: <dev-lang/python-{2.7.7,3.2.5-r5,3.3.5-r1}: "os._get_masked_mode()" Race Cond...
Alias: CVE-2014-2667
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: A4 [glsa]
Depends on:
Reported: 2014-03-28 15:07 UTC by Agostino Sarubbo
Modified: 2015-03-18 22:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-28 15:07:29 UTC
From ${URL} :


A security issue has been reported in Python, which can be exploited by malicious, local users to 
potentially disclose or manipulate certain data.

The security issue is caused due to a race condition within the "os._get_masked_mode()" function 
(Lib/, which can be exploited to cause certain application-created files to be world-accessible.

The security issue is reported in versions 3.4, 3.3, and 3.2.

No official solution is currently available.

Provided and/or discovered by:
Ryan Lortie within a bug ticket

Original Advisory:
Ryan Lortie:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-12-29 00:00:02 UTC
CVE-2014-2667 (
  Race condition in the _get_masked_mode function in Lib/ in Python 3.2
  through 3.5, when exist_ok is set to true and multiple threads are used,
  might allow local users to bypass intended file permissions by leveraging a
  separate application vulnerability before the umask has been set to the
  expected value.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-03-18 22:36:11 UTC
This issue was resolved and addressed in
 GLSA 201503-10 at
by GLSA coordinator Kristian Fiskerstrand (K_F).