Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2014-2667

Published: 16 November 2014

Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.

Notes

AuthorNote
seth-arnold 
The upstream patch uses umask(0022) instead of umask(0) -- which
seems as bad as the original behaviour. We should see if there is an updated
patch when we prepare our packages that replaces the bad code.
mdeslaur 
introduced by the fix for http://bugs.python.org/issue9299
upstream commited a better fix than the proposed one in the bug
but it now changes behavour

Priority

Low

Status

Package Release Status
python2.7
Launchpad, Ubuntu, Debian 		artful Not vulnerable

bionic Not vulnerable

cosmic Not vulnerable

lucid Does not exist

precise Not vulnerable

quantal Not vulnerable

saucy Not vulnerable

trusty Not vulnerable

upstream Not vulnerable

utopic Not vulnerable

vivid Not vulnerable

wily Not vulnerable

xenial Not vulnerable

yakkety Not vulnerable

zesty Not vulnerable

python3.2
Launchpad, Ubuntu, Debian 		artful Does not exist

bionic Does not exist

cosmic Does not exist

lucid Does not exist

precise Ignored
(end of life)
quantal Ignored
(end of life)
saucy Does not exist

trusty Does not exist

upstream Needed

utopic Does not exist

vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

Patches:
upstream: http://hg.python.org/cpython/rev/9186f4a18584e

python3.4
Launchpad, Ubuntu, Debian 		artful Does not exist

bionic Does not exist

cosmic Does not exist

lucid Does not exist

precise Does not exist

quantal Does not exist

saucy Does not exist

trusty
Released (3.4.3-1ubuntu1~14.04)
upstream Needed

utopic Not vulnerable
(3.4.2-1)
vivid Not vulnerable
(3.4.3-3)
wily Not vulnerable
(3.4.3-7)
xenial Does not exist

yakkety Does not exist

zesty Does not exist

Patches:

upstream: http://hg.python.org/cpython/rev/c24dd53ab4b9

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading