.. _os-makedirs-not-thread-safe:

os.makedirs() not thread-safe
=============================

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**.

   The `canonical database for vulnerabilities affecting Python `_ is
   available on GitHub in the Open Source Vulnerability (OSV) format.
   This vulnerability can be viewed online at the
   `Open Source Vulnerability Database `_.

``os.makedirs(exist_ok=True)`` is not thread-safe: the umask is temporarily
set to ``0``, which is a serious security problem.

The fix removes the directory mode check from ``os.makedirs()``.

The ``exist_ok`` parameter was added in Python 3.2.0 (commit
5a22b651173f142a600625a036fcf36484ade237).

Dates:

* Disclosure date: **2014-03-28** (Python issue bpo-21082 reported)

Fixed In
--------

* Python **3.2.6** (2014-10-12) fixed by `commit ee5f1c1 (branch 3.2) `_ (2014-04-01)
* Python **3.3.6** (2014-10-12) fixed by `commit ee5f1c1 (branch 3.2) `_ (2014-04-01)
* Python **3.4.1** (2014-05-18) fixed by `commit ee5f1c1 (branch 3.2) `_ (2014-04-01)
* Python **3.5.0** (2015-09-12) fixed by `commit ee5f1c1 (branch 3.2) `_ (2014-04-01)

Python issue
------------

os.makedirs(exist_ok=True) is not thread-safe: umask is set temporary to 0, serious security problem.

* Python issue: `bpo-21082 `_
* Creation date: 2014-03-28
* Reporter: Ryan Lortie

CVE-2014-2667
-------------

Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
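
The race named in the CVE description above, as an added example that is not part of the original page or of CPython's source: ``masked_mode_racy`` is a reconstruction of the "set umask to 0, then restore it" pattern the page describes. The function names, the two ``threading.Event`` hooks that hold the window open deterministically, and the ``0o077`` umask are assumptions made for the demonstration.

```python
import os
import stat
import tempfile
import threading


def masked_mode_racy(mode, in_window=None, resume=None):
    """Pre-fix pattern: the umask can only be read by writing a new one."""
    mask = os.umask(0)         # process-wide: every thread now runs with umask 0
    if in_window is not None:  # demo hook (assumption): keep the window open
        in_window.set()
        resume.wait()
    os.umask(mask)             # restored, but only after the window has closed
    return mode & ~mask


def create_file(path):
    """What an unrelated thread does: create a file and rely on the umask."""
    fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o666)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return file modes created before, during and after the umask(0) window."""
    old = os.umask(0o077)  # restrictive umask the application expects
    try:
        with tempfile.TemporaryDirectory() as d:
            before = create_file(os.path.join(d, "before"))
            in_window, resume = threading.Event(), threading.Event()
            t = threading.Thread(
                target=masked_mode_racy, args=(0o777, in_window, resume))
            t.start()
            in_window.wait()   # the other thread has just called umask(0)
            during = create_file(os.path.join(d, "during"))
            resume.set()
            t.join()
            after = create_file(os.path.join(d, "after"))
            return before, during, after
    finally:
        os.umask(old)          # leave the caller's umask untouched


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

The file created inside the window is world-readable and world-writable even though the process asked for a ``0o077`` umask, which is why the fix drops the mode check instead of trying to read the umask safely.
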

* CVE ID: `CVE-2014-2667 `_
* Published: 2014-11-16
* `CVSS Score `_: 3.3

Timeline
--------

Timeline using the disclosure date **2014-03-28** as reference:

* 2014-03-28: `Python issue bpo-21082 `_ reported by Ryan Lortie
* 2014-04-01 (**+4 days**): `commit ee5f1c1 (branch 3.2) `_
* 2014-05-18 (**+51 days**): Python 3.4.1 released
* 2014-10-12 (**+198 days**): Python 3.2.6 released
* 2014-10-12 (**+198 days**): Python 3.3.6 released
* 2014-11-16 (**+233 days**): CVE-2014-2667 published
* 2015-09-12: Python 3.5.0 released