Date: Sat, 29 Mar 2014 09:19:32 +0100
From: Victor Stinner <victor.stinner@...il.com>
To: Vincent Danen <vdanen@...hat.com>
Cc: OSS Security List <oss-security@...ts.openwall.com>, "security@...hon.org" <security@...hon.org>
Subject: Re: [PSRT] CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python

Hi,

I changed the title of the issue to "os.makedirs(exist_ok=True) is not
thread-safe: umask is set temporarily to 0, serious security problem". So the
vulnerability requires an application using exist_ok=True, a
second vulnerability to inject arbitrary code, and at least another thread.
Since umask() is restored the line after umask(0) and CPython has a GIL,
the window to exploit the vulnerability is very short (less than a second,
closer to 5 ms). This vulnerability looks theoretical to me, so I'm not ok with
calling it "serious", but it would be nice to fix it.

Hum, I didn't check if umask() releases the GIL.

Victor

On Friday, 28 March 2014, Vincent Danen <vdanen@...hat.com> wrote:

> Cc'ing security@...hon.org so that they are aware of the
> CVE assignment (so please keep them in the cc).  Just copying and pasting
> from the Red Hat bug:
>
>
> It was reported [1] that a patch added to Python 3.2 [2] caused a race
> condition where a file could be created with world read/write
> permissions instead of the permissions dictated by the original umask of
> the process.  This could allow a local attacker that could win the race to
> view and edit files created by a program using this call.
>
> Note that prior versions of Python, including 2.x, do not include the
> vulnerable _get_masked_mode() function that is used by os.makedirs() when
> exist_ok is set to True.
>
>
> [1] http://bugs.python.org/issue21082
> [2] http://bugs.python.org/issue9299
>
>
> Our bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=1082177
>
> Could a CVE be assigned to this issue please?  Thank you.
>
> --
> Vincent Danen / Red Hat Security Response Team
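As an added illustration (not part of either mail, and not CPython's source), the block below models the pre-fix umask(0)/umask(mask) dance that the thread discusses, places it beside a variant that takes the umask as an explicit argument so no thread touches process-wide state, and runs a small harness in which a second thread creates files while the helper is hammered, counting how many came out world-writable. The function names, the 0o022 umask and the lowered switch interval are assumptions of this example; POSIX umask semantics are assumed.

```python
import os
import stat
import sys
import tempfile
import threading

def get_masked_mode_racy(mode):
    # Model of the pre-fix helper (a constructed re-implementation, not CPython's
    # source): reading the umask by writing 0 and restoring it opens a window in
    # which any other thread creates world-writable files.
    mask = os.umask(0)
    os.umask(mask)
    return mode & ~mask

def get_masked_mode_safe(mode, mask):
    # Hardened form: the umask is captured once (e.g. at startup) and passed
    # in, so no worker thread ever touches process-wide state.
    return mode & ~mask

def run_experiment(use_safe, iterations=500, mask=0o022):
    # A worker thread keeps computing a masked mode while the main thread
    # creates files; returns how many files came out world-writable. The
    # switch interval is lowered so the GIL changes hands often (POSIX assumed).
    old_mask = os.umask(mask)
    old_interval = sys.getswitchinterval()
    sys.setswitchinterval(1e-4)
    stop = threading.Event()
    def hammer():
        while not stop.is_set():
            if use_safe:
                get_masked_mode_safe(0o777, mask)
            else:
                get_masked_mode_racy(0o777)

    leaked = 0
    worker = threading.Thread(target=hammer)
    worker.start()
    try:
        with tempfile.TemporaryDirectory() as tmp:
            for i in range(iterations):
                path = os.path.join(tmp, f"f{i}")
                os.close(os.open(path, os.O_CREAT | os.O_WRONLY, 0o666))
                if os.stat(path).st_mode & stat.S_IWOTH:
                    leaked += 1  # created inside the umask(0) window
    finally:
        stop.set()
        worker.join()
        sys.setswitchinterval(old_interval)
        os.umask(old_mask)
    return leaked
```

With the racy helper the count depends on scheduling and may be zero on a given run, which is exactly the "short window" point made above; with the safe helper it is always zero.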
