Ubuntu.comUB:CVE-2024-4030CVE-2024-4030
On Windows a directory returned by tempfile.mkdtemp() would not always have
permissions set to restrict reading and writing to the temporary directory
by other users, instead usually inheriting the correct permissions from the
default location. Alternate configurations or users without a profile
directory may not have the intended permissions. If youβre not using
Windows or havenβt changed the temporary directory location then you arenβt
affected by this vulnerability. On other platforms the returned directory
is consistently readable and writable only by the current user. This issue
was caused by Python not supporting Unix permissions on Windows. The fix
adds support for Unix β700β for the mkdir function on Windows which is used
by mkdtemp() to ensure the newly created directory has the proper
permissions.
Bugs
Notes
| Author | Note |
|---|---|
| rodrigo-zaiden | only affects python in Windows |
References
github.com/python/cpython/commit/81939dad77001556c527485d31a2d0f4a759033e
github.com/python/cpython/commit/8ed546679524140d8282175411fd141fe7df070d
launchpad.net/bugs/cve/CVE-2024-4030
mail.python.org/archives/list/[email protected]/thread/PRGS5OR3N3PNPT4BMV2VAGN5GMUI5636/
nvd.nist.gov/vuln/detail/CVE-2024-4030
security-tracker.debian.org/tracker/CVE-2024-4030
www.cve.org/CVERecord?id=CVE-2024-4030
Related
