Advisories » MGASA-2014-0216

Updated python3 packages fix security vulnerability

Publication date: 14 May 2014
Modification date: 14 May 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-2667

Description

It was reported that a patch added to Python 3.2 caused a race condition
where a file created could be created with world read/write permissions
instead of the permissions dictated by the original umask of the process.
This could allow a local attacker that could win the race to view and edit
files created by a program using this call. Note that prior versions of
Python, including 2.x, do not include the vulnerable _get_masked_mode()
function that is used by os.makedirs() when exist_ok is set to True
(CVE-2014-2667).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=13305
• http://lists.opensuse.org/opensuse-updates/2014-05/msg00007.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2667

SRPMS

3/core

• python3-3.3.0-4.8.mga3

4/core

• python3-3.3.2-13.3.mga4