OpenSuSE has issued an advisory today (May 2):
Mageia 3 and Mageia 4 are also affected.
Steps to Reproduce:
Updated python3 packages fix security vulnerabilities (CVE-2014-2667):
It was reported that a patch added to Python 3.2 caused a race condition where a file created could be created with world read/write permissions instead of the permissions dictated by the original umask of the process. This could allow a local attacker that could win the race to view and edit files created by a program using this call. Note that prior versions of Python, including 2.x, do not include the vulnerable _get_masked_mode() function that is used by os.makedirs() when exist_ok is set to True.
Updated packages in core/updates_testing:
MGA4TOO, MGA3TOO =>
Updated python3 packages fix security vulnerability:
It was reported that a patch added to Python 3.2 caused a race condition
where a file created could be created with world read/write permissions
instead of the permissions dictated by the original umask of the process.
This could allow a local attacker that could win the race to view and edit
files created by a program using this call. Note that prior versions of
Python, including 2.x, do not include the vulnerable _get_masked_mode()
function that is used by os.makedirs() when exist_ok is set to True
Created attachment 5153 [details]
Proposed test case.
Will this test case - written in bash and calling python3 - be fine to check the functionality of the os.makedirs() function?
According to the Novell bug, the exist_ok=3DTrue option has to be set in the os.makedirs() call for the bug to be triggered, and the issue was that there was a race condition in it setting the appropriate permissions on the created directory according to the umask.
So, I'd add that option to the makedirs call and then instead of just testing for the existence of the directory, run ls -ld on the directory so you can see the permissions, and try it with a couple of different umask settings to make sure it looks like it's working correctly.
Created attachment 5154 [details]
Improved test case
Here is an improved test case:
<rindolf> Luigi12_work: do you think this will be OK - http://pastie.org/9169076 ?
* NyB (~email@example.com) has joined
<Luigi12_work> rindolf: it's a good start. I'd add make the makedirs call be os.makedirs("pythton3-foo/bar/baz", exist_ok=3DTrue), and have it run ls -ld on the directory that it creates so you can see the permissions, then run it with a couple different umask settings, like 022 and 077 and see what you get
<rindolf> Luigi12_work: ah.
<rindolf> Luigi12_work: http://pastie.org/9169095
<Luigi12_work> rindolf: perfect :o)
<Luigi12_work> the expected result would be it showing drwxr-xr-x the first time and drwx------ the second time
Attachment 5153 is obsolete:
Tested fine on MGA4-64 and MGA4-32. The procedure (has_procedure) is in the https://bugs.mageia.org/show_bug.cgi?id=13305#c5 .
Now I'd like to test on MGA3-64 and MGA3-32.
MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure
OK on MGA3-32 and MGA3-64. Please validate and ship.
MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure =>
MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK has_procedure
Validating the update, thanks for your tests and test case Shlomi!
Advisory uploaded, please push to 3 & 4 core/updates.
MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK has_procedure =>
MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK has_procedure advisoryCC: