CVE-2014-2667

Name	CVE-2014-2667
Description	Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python2.7 (PTS)	jessie, jessie (lts)	2.7.9-2-ds1-1+deb8u12	fixed
	stretch (security)	2.7.13-2+deb9u6	fixed
	stretch (lts), stretch	2.7.13-2+deb9u9	fixed
	buster (security), buster, buster (lts)	2.7.16-2+deb10u4	fixed
	bullseye	2.7.18-8+deb11u1	fixed
python3.4 (PTS)	jessie, jessie (lts)	3.4.2-1+deb8u19	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
python2.5	source	(unstable)	(not affected)
python2.6	source	(unstable)	(not affected)
python2.7	source	(unstable)	(not affected)
python3.1	source	(unstable)	(unfixed)
python3.2	source	(unstable)	(unfixed)	low
python3.3	source	(unstable)	(unfixed)
python3.4	source	(unstable)	3.4.1-1

Notes

[squeeze] - python3.1 <no-dsa> (Minor issue)
[wheezy] - python3.2 <no-dsa> (Minor issue)
- python2.5 <not-affected> (Only affects Python 3.x)
- python2.6 <not-affected> (Only affects Python 3.x)
- python2.7 <not-affected> (Only affects Python 3.x)