CVE-2014-2667: os.makedirs() not thread-safe
os.makedirs(exist_ok=True) is not thread-safe: the umask is temporarily set
to 0, a serious security problem.
The fix removes the directory mode check from
exist_ok parameter was added to Python 3.2.0 (commit
- Disclosure date: 2014-03-28 (Python issue bpo-21082 reported)
os.makedirs(exist_ok=True) is not thread-safe: umask is set temporary to 0, serious security problem.
- Python issue: bpo-21082
- Creation date: 2014-03-28
- Reporter: Ryan Lortie
Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
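The window this description refers to, made deterministic with events, as an added example that is not code from CPython or from this page. The function names, the 0o077 umask and the file names are constructed for the demo, and POSIX permission semantics are assumed.

```python
import os
import stat
import tempfile
import threading


def create(path, mode):
    """Create an empty file with the requested mode; return the mode it got."""
    os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, mode))
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_umask_window():
    """Show what another thread creates while the umask is temporarily 0."""
    window_open, files_done = threading.Event(), threading.Event()
    modes = {}
    original = os.umask(0o077)  # constructed "expected" umask for the demo
    try:
        with tempfile.TemporaryDirectory() as d:
            modes["before"] = create(os.path.join(d, "before"), 0o666)

            def query_umask():
                # The read-by-write pattern: the umask is process-wide,
                # so every thread sees 0 until it is restored.
                saved = os.umask(0)
                window_open.set()    # pause added here to make the race deterministic
                files_done.wait(5)
                os.umask(saved)

            def other_thread():
                window_open.wait(5)
                modes["during"] = create(os.path.join(d, "during"), 0o666)
                # Mitigation: request the final mode explicitly, not via umask.
                modes["explicit"] = create(os.path.join(d, "explicit"), 0o600)
                files_done.set()

            threads = [threading.Thread(target=query_umask),
                       threading.Thread(target=other_thread)]
            for t in threads:
                t.start()
            for t in threads:
                t.join()
            modes["after"] = create(os.path.join(d, "after"), 0o666)
    finally:
        os.umask(original)
    return modes


if __name__ == "__main__":
    print({k: oct(v) for k, v in demo_umask_window().items()})
```

Only the file created inside the window with a mode that relies on the umask comes out world-writable; the one created with an explicit 0o600 is unaffected.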
Timeline using the disclosure date 2014-03-28 as reference:
- 2014-03-28: Python issue bpo-21082 reported by Ryan Lortie
- 2014-04-01 (+4 days): commit ee5f1c1
- 2014-05-18 (+51 days): Python 3.4.1 released
- 2014-10-11 (+197 days): Python 3.2.6 released
- 2014-10-11 (+197 days): Python 3.3.6 released
- 2014-11-16 (+233 days): CVE-2014-2667 published
- 2015-09-09: Python 3.5.0 released