os.makedirs() not thread-safe

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

os.makedirs(exist_ok=True) is not thread-safe: the umask is temporarily set to 0, which is a serious security problem.

The fix removes the directory mode check from os.makedirs().

The exist_ok parameter was added in Python 3.2.0 (commit 5a22b651173f142a600625a036fcf36484ade237).

Dates:

  • Disclosure date: 2014-03-28 (Python issue bpo-21082 reported)

Fixed In

Python issue

os.makedirs(exist_ok=True) is not thread-safe: umask is set temporary to 0, serious security problem.

  • Python issue: bpo-21082
  • Creation date: 2014-03-28
  • Reporter: Ryan Lortie

CVE-2014-2667

Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
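The window described above, reproduced deterministically as an added example (not code from CPython or from this advisory): `legacy_get_masked_mode` is modelled on the set-umask-to-0-then-restore pattern, and its `in_window` hook is a hypothetical stand-in for a second thread scheduled between the two `umask()` calls. The umask value 0o022 and the file names are constructed for the demonstration.

```python
import os
import stat
import tempfile


def legacy_get_masked_mode(mode, in_window=None):
    """Read the umask the racy way: set it to 0, then put it back.

    in_window is a hypothetical hook standing in for another thread that
    happens to run between the two umask() calls.
    """
    mask = os.umask(0)        # the umask is process-wide: every thread now sees 0
    try:
        if in_window is not None:
            in_window()
    finally:
        os.umask(mask)        # the window closes here
    return mode & ~mask


def create_and_stat(path):
    """Create a file the usual way (mode 0o666) and return its permission bits."""
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Compare a file created normally with one created inside the window."""
    results = {}
    previous = os.umask(0o022)   # constructed setting: a typical restrictive umask
    try:
        with tempfile.TemporaryDirectory() as tmp:
            results["outside_window"] = create_and_stat(os.path.join(tmp, "normal"))

            def other_thread():
                results["inside_window"] = create_and_stat(os.path.join(tmp, "raced"))

            results["masked_mode"] = legacy_get_masked_mode(0o777, other_thread)
    finally:
        os.umask(previous)       # leave the caller's umask untouched
    return results


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {oct(mode)}")
```

The file created inside the window ends up group- and world-writable even though the process asked for a 0o022 umask, which is the permission bypass the CVE text refers to.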

Timeline

Timeline using the disclosure date 2014-03-28 as reference:

  • 2014-03-28: Python issue bpo-21082 reported by Ryan Lortie
  • 2014-04-01 (+4 days): commit ee5f1c1 (branch 3.2)
  • 2014-05-18 (+51 days): Python 3.4.1 released
  • 2014-10-12 (+198 days): Python 3.2.6 released
  • 2014-10-12 (+198 days): Python 3.3.6 released
  • 2014-11-16 (+233 days): CVE-2014-2667 published
  • 2015-09-12: Python 3.5.0 released