CVE-2014-2667: os.makedirs() not thread-safe

os.makedirs(exist_ok=True) is not thread-safe: umask is set temporarily to 0, serious security problem.

The fix removes the directory mode check from os.makedirs().

The exist_ok parameter was added in Python 3.2.0 (commit 5a22b651173f142a600625a036fcf36484ade237).

  • Disclosure date: 2014-03-28 (Python issue #21082 reported)

Fixed In

Python issue

os.makedirs(exist_ok=True) is not thread-safe: umask is set temporarily to 0, serious security problem.

  • Python issue: issue #21082
  • Creation date: 2014-03-28
  • Reporter: Ryan Lortie

CVE-2014-2667

Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
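The window described above, as an added example (not code from CPython or from this page): it repeats the set-to-0-then-restore umask read in one thread, creating a file between the two calls as a stand-in for a second thread, and then checks whether the running interpreter still compares directory modes in os.makedirs(exist_ok=True). The 0o077 umask, the file and directory names and the function names are constructed for the illustration.

```python
import os
import stat
import tempfile

def create_and_get_mode(path):
    """Create a file requesting 0o666 and return the permission bits it got."""
    fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o666)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo_umask_window(workdir, process_umask=0o077):
    """Return (mode_outside_window, mode_inside_window)."""
    saved = os.umask(process_umask)      # constructed setting: owner-only files
    try:
        outside = create_and_get_mode(os.path.join(workdir, "outside"))
        mask = os.umask(0)               # read the umask by overwriting it with 0
        try:
            # Stand-in for another thread scheduled before the restore below.
            inside = create_and_get_mode(os.path.join(workdir, "inside"))
        finally:
            os.umask(mask)               # restore the real umask
        return outside, inside
    finally:
        os.umask(saved)

def makedirs_skips_mode_check(workdir):
    """True if makedirs(exist_ok=True) accepts an existing dir with another mode."""
    target = os.path.join(workdir, "existing")
    os.mkdir(target)
    os.chmod(target, 0o700)              # owner-write set, so it never equals 0o500 & ~umask
    try:
        os.makedirs(target, mode=0o500, exist_ok=True)
    except OSError:
        return False                     # mode comparison still performed
    return True

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        outside, inside = demo_umask_window(d)
        print("outside window: %o  inside window: %o" % (outside, inside))
        print("mode check removed:", makedirs_skips_mode_check(d))
```

Because the umask is a per-process value, every thread sees the 0 for as long as the window is open, which is why the fix drops the mode check instead of trying to read the umask safely.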

Timeline

Timeline using the disclosure date 2014-03-28 as reference:

  • 2014-03-28: Python issue #21082 reported by Ryan Lortie
  • 2014-04-01 (+4 days): commit ee5f1c1
  • 2014-05-18 (+51 days): Python 3.4.1 released
  • 2014-10-11 (+197 days): Python 3.2.6 released
  • 2014-10-11 (+197 days): Python 3.3.6 released
  • 2014-11-16 (+233 days): CVE-2014-2667 published
  • 2015-09-09: Python 3.5.0 released