OpenSuSE has issued an advisory today (May 2): http://lists.opensuse.org/opensuse-updates/2014-05/msg00007.html Mageia 3 and Mageia 4 are also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Suggested advisory: ======================== Updated python3 packages fix security vulnerabilities (CVE-2014-2667): It was reported that a patch added to Python 3.2 caused a race condition where a file created could be created with world read/write permissions instead of the permissions dictated by the original umask of the process. This could allow a local attacker that could win the race to view and edit files created by a program using this call. Note that prior versions of Python, including 2.x, do not include the vulnerable _get_masked_mode() function that is used by os.makedirs() when exist_ok is set to True. References: http://lwn.net/Vulnerabilities/597185/ http://lists.opensuse.org/opensuse-updates/2014-05/msg00007.html ======================== Updated packages in core/updates_testing: ======================== python3-debuginfo-3.3.2-13.3.mga4.x86_64 python3-docs-3.3.2-13.3.mga4.noarch python3-3.3.2-13.3.mga4.i586 libpython3-devel-3.3.2-13.3.mga4.i586 tkinter3-apps-3.3.2-13.3.mga4.i586 tkinter3-apps-3.3.2-13.3.mga4.x86_64 tkinter3-3.3.2-13.3.mga4.i586 lib64python3-devel-3.3.2-13.3.mga4.x86_64 python3-debuginfo-3.3.2-13.3.mga4.i586 lib64python3.3-3.3.2-13.3.mga4.x86_64 python3-3.3.2-13.3.mga4.x86_64 libpython3.3-3.3.2-13.3.mga4.i586 tkinter3-3.3.2-13.3.mga4.x86_64 libpython3.3-3.3.0-4.8.mga3.i586 tkinter3-3.3.0-4.8.mga3.i586 python3-3.3.0-4.8.mga3.x86_64 tkinter3-3.3.0-4.8.mga3.x86_64 libpython3-devel-3.3.0-4.8.mga3.i586 lib64python3.3-3.3.0-4.8.mga3.x86_64 python3-debuginfo-3.3.0-4.8.mga3.i586 tkinter3-apps-3.3.0-4.8.mga3.x86_64 python3-docs-3.3.0-4.8.mga3.noarch lib64python3-devel-3.3.0-4.8.mga3.x86_64 tkinter3-apps-3.3.0-4.8.mga3.i586 python3-debuginfo-3.3.0-4.8.mga3.x86_64 python3-3.3.0-4.8.mga3.i586 From : python3-3.3.2-13.3.mga4.src python3-3.3.0-4.8.mga3.src
Assignee: makowski.mageia => qa-bugs
CC: (none) => remiVersion: Cauldron => 4Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Formatting changes. Advisory: ======================== Updated python3 packages fix security vulnerability: It was reported that a patch added to Python 3.2 caused a race condition where a file created could be created with world read/write permissions instead of the permissions dictated by the original umask of the process. This could allow a local attacker that could win the race to view and edit files created by a program using this call. Note that prior versions of Python, including 2.x, do not include the vulnerable _get_masked_mode() function that is used by os.makedirs() when exist_ok is set to True (CVE-2014-2667). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2667 http://lists.opensuse.org/opensuse-updates/2014-05/msg00007.html
CC: (none) => makowski.mageia
Created attachment 5153 [details] Proposed test case. Will this test case - written in bash and calling python3 - be fine to check the functionality of the os.makedirs() function?
CC: (none) => shlomif
According to the Novell bug, the exist_ok=3DTrue option has to be set in the os.makedirs() call for the bug to be triggered, and the issue was that there was a race condition in it setting the appropriate permissions on the created directory according to the umask. So, I'd add that option to the makedirs call and then instead of just testing for the existence of the directory, run ls -ld on the directory so you can see the permissions, and try it with a couple of different umask settings to make sure it looks like it's working correctly.
Created attachment 5154 [details] Improved test case Here is an improved test case: <rindolf> Luigi12_work: do you think this will be OK - http://pastie.org/9169076 ? * NyB (~archon@ppp-94-64-178-97.home.otenet.gr) has joined <Luigi12_work> rindolf: it's a good start. I'd add make the makedirs call be os.makedirs("pythton3-foo/bar/baz", exist_ok=3DTrue), and have it run ls -ld on the directory that it creates so you can see the permissions, then run it with a couple different umask settings, like 022 and 077 and see what you get <rindolf> Luigi12_work: ah. <rindolf> Luigi12_work: http://pastie.org/9169095 <Luigi12_work> rindolf: perfect :o) <Luigi12_work> the expected result would be it showing drwxr-xr-x the first time and drwx------ the second time
Attachment 5153 is obsolete: 0 => 1
Tested fine on MGA4-64 and MGA4-32. The procedure (has_procedure) is in the https://bugs.mageia.org/show_bug.cgi?id=13305#c5 . Now I'd like to test on MGA3-64 and MGA3-32.
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure
OK on MGA3-32 and MGA3-64. Please validate and ship.
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK has_procedure => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK has_procedure
Validating the update, thanks for your tests and test case Shlomi! Advisory uploaded, please push to 3 & 4 core/updates.
Keywords: (none) => validated_updateWhiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK has_procedure => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK has_procedure advisoryCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0216.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED