Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 29 Mar 2014 09:19:32 +0100
From: Victor Stinner <victor.stinner@...il.com>
To: Vincent Danen <vdanen@...hat.com>
Cc: OSS Security List <oss-security@...ts.openwall.com>, 
	"security@...hon.org" <security@...hon.org>
Subject: Re: [PSRT] CVE request: os.makedirs(exist_ok=True) is not thread-safe
 in Python

Hi,

I changed the title of the issue to "os.makedirs(exist_ok=True) is not
thread-safe: umask is set temporary to 0, serious security problem". So the
vulnerability requires an application using exist_ok=True, a
second vulnerability to inject arbitrary code, and at least another thread.
Since umask() is restored the line after umask(0) and CPython has a GIL,
the window to exploit the vulnerability is very short (leess than a second,
closer to 5 ms). This vulnerability looks theorical to me, so I'm not ok to
call it "serious", but it would be nice to fix it.

Hum, I didn't check if umask() releases the GIL.

Victor

Le vendredi 28 mars 2014, Vincent Danen <vdanen@...hat.com> a écrit :

> Cc'ing security@...hon.org <javascript:;> so that they are aware of the
> CVE assignment (so please keep them in the cc).  Just copying and pasting
> from the Red Hat bug:
>
>
> It was reported [1] that a patch added to Python 3.2 [2] caused a race
> condition where a file created could be created with world read/write
> permissions instead of the permissions dictated by the original umask of
> the process.  This could allow a local attacker that could win the race to
> view and edit files created by a program using this call.
>
> Note that prior versions of Python, including 2.x, do not include the
> vulnerable _get_masked_mode() function that is used by os.makedirs() when
> exist_ok is set to True.
>
>
> [1] http://bugs.python.org/issue21082
> [2] http://bugs.python.org/issue9299
>
>
> Our bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=1082177
>
> Could a CVE be assigned to this issue please?  Thank you.
>
> --
> Vincent Danen / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.