ID CVE-2014-2667
Summary Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
References
Vulnerable Configurations
  • Python 3.2.0
    cpe:2.3:a:python:python:3.2.0
  • Python 3.2.1
    cpe:2.3:a:python:python:3.2.1
  • Python 3.2.2
    cpe:2.3:a:python:python:3.2.2
  • Python 3.2.3
    cpe:2.3:a:python:python:3.2.3
  • Python 3.2.4
    cpe:2.3:a:python:python:3.2.4
  • Python 3.2.5
    cpe:2.3:a:python:python:3.2.5
  • Python 3.2.6
    cpe:2.3:a:python:python:3.2.6
  • Python 3.3.0
    cpe:2.3:a:python:python:3.3.0
  • Python 3.3.1
    cpe:2.3:a:python:python:3.3.1
  • Python 3.3.2
    cpe:2.3:a:python:python:3.3.2
  • Python 3.3.3
    cpe:2.3:a:python:python:3.3.3
  • Python 3.3.4
    cpe:2.3:a:python:python:3.3.4
  • Python 3.3.5
    cpe:2.3:a:python:python:3.3.5
  • Python 3.3.6
    cpe:2.3:a:python:python:3.3.6
  • Python 3.4.0
    cpe:2.3:a:python:python:3.4.0
  • Python 3.4.1
    cpe:2.3:a:python:python:3.4.1
  • Python 3.4.2
    cpe:2.3:a:python:python:3.4.2
CVSS
Base: 3.3 (as of 17-11-2014 - 12:03)
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Access
  • Vector: LOCAL
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: NONE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-334.NASL
    description This python update fixes the following security issue : - bnc#871152: Fixed race condition with umask when creating directories with os.makedirs (CVE-2014-2667).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75344
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75344
    title openSUSE Security Update : python3 (openSUSE-SU-2014:0596-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-333.NASL
    description This python update fixes the following security and non-security issues : - bnc#869222: Fixed DoS when opening malicious archives (CVE-2013-7338). - bnc#863741: Fixed buffer overflow in socket.recvfrom_into (CVE-2014-1912). - bnc#871152: Fixed race condition with umask when creating directories with os.makedirs (CVE-2014-2667). - bnc#637176: Fixed update multilib patch to handle home install scheme.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75343
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75343
    title openSUSE Security Update : python3 (openSUSE-SU-2014:0597-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16393.NASL
    description Fixes CVEs 2013-7338 and 2014-2667. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 79940
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79940
    title Fedora 20 : python3-3.3.2-19.fc20 (2014-16393)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16479.NASL
    description Fixes CVEs 2013-7338 and 2014-2667. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 80368
    published 2015-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80368
    title Fedora 19 : python3-3.3.2-11.fc19 (2014-16479)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-076.NASL
    description Updated python3 packages fix security vulnerabilities : ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips (CVE-2013-7338). A vulnerability was reported in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_into() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code (CVE-2014-1912). It was reported that a patch added to Python 3.2 caused a race condition where a file created could be created with world read/write permissions instead of the permissions dictated by the original umask of the process. This could allow a local attacker that could win the race to view and edit files created by a program using this call. Note that prior versions of Python, including 2.x, do not include the vulnerable _get_masked_mode() function that is used by os.makedirs() when exist_ok is set to True (CVE-2014-2667). Python are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used as an array index, causing the scanstring function to access process memory outside of the string it is intended to access (CVE-2014-4616). The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root (CVE-2014-4650).
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 82329
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82329
    title Mandriva Linux Security Advisory : python3 (MDVSA-2015:076)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201503-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-201503-10 (Python: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Python. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker may be able to execute arbitrary code or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-02
    plugin id 82009
    published 2015-03-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82009
    title GLSA-201503-10 : Python: Multiple vulnerabilities
refmap via4
confirm http://bugs.python.org/issue21082
gentoo GLSA-201503-10
mlist
  • [oss-security] 20140328 CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python
  • [oss-security] 20140329 Re: [PSRT] CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python
  • [oss-security] 20140330 Re: CVE request: os.makedirs(exist_ok=True) is not thread-safe in Python
suse
  • openSUSE-SU-2014:0596
  • openSUSE-SU-2014:0597
Last major update 17-11-2014 - 12:03
Published 15-11-2014 - 20:59
Last modified 30-06-2017 - 21:29