CVE-2014-2667

Python 3.2-3.5 - Race Condition in _get_masked_mode Function


Description

Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.

References (8)

Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/03/28/15
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2014-05/msg00008.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201503-10
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/03/30/4
Vendor Advisory x_refsource_confirm
http://bugs.python.org/issue21082
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/03/29/5
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2014-05/msg00007.html

Scores

EPSS 0.0006
EPSS Percentile 18.8%

Details

CWE CWE-362
Status published
Products (17)
python/python 3.2.0
python/python 3.2.1
python/python 3.2.2
python/python 3.2.3
python/python 3.2.4
python/python 3.2.5
python/python 3.2.6
python/python 3.3.0
python/python 3.3.1
python/python 3.3.2
... and 7 more
Published Nov 16, 2014
Tracked Since Feb 18, 2026