From b07ed2a1e445efde54fc64cb8c37e0f4f7fe53e5 Mon Sep 17 00:00:00 2001 From: Natalia <124304+nessita@users.noreply.github.com> Date: Wed, 21 Jan 2026 18:03:20 -0300 Subject: [5.2.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation. This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Zackery Spytz Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews. Backport of 019e44f67a8dace67b786e2818938c8691132988 from main. --- docs/releases/4.2.29.txt | 15 +++++++++++++++ docs/releases/5.2.12.txt | 15 +++++++++++++++ 2 files changed, 30 insertions(+) (limited to 'docs') diff --git a/docs/releases/4.2.29.txt b/docs/releases/4.2.29.txt index b780264929..71170a5763 100644 --- a/docs/releases/4.2.29.txt +++ b/docs/releases/4.2.29.txt 
@@ -28,3 +28,18 @@ the previous behavior of ``URLField.to_python()``. This issue has severity "moderate" according to the :ref:`Django security policy `. + +CVE-2026-25674: Potential incorrect permissions on newly created file system objects +==================================================================================== + +Django's file-system storage and file-based cache backends used the process +``umask`` to control permissions when creating directories. In multi-threaded +environments, one thread's temporary umask change can affect other threads' +file and directory creation, resulting in file system objects being created +with unintended permissions. + +Django now applies the requested permissions via :func:`~os.chmod` after +:func:`~os.mkdir`, removing the dependency on the process-wide umask. + +This issue has severity "low" according to the :ref:`Django security policy +`. diff --git a/docs/releases/5.2.12.txt b/docs/releases/5.2.12.txt index be2c7bc807..177bfd1ced 100644 --- a/docs/releases/5.2.12.txt +++ b/docs/releases/5.2.12.txt @@ -30,6 +30,21 @@ the previous behavior of ``URLField.to_python()``. This issue has severity "moderate" according to the :ref:`Django security policy `. +CVE-2026-25674: Potential incorrect permissions on newly created file system objects +==================================================================================== + +Django's file-system storage and file-based cache backends used the process +``umask`` to control permissions when creating directories. In multi-threaded +environments, one thread's temporary umask change can affect other threads' +file and directory creation, resulting in file system objects being created +with unintended permissions. + +Django now applies the requested permissions via :func:`~os.chmod` after +:func:`~os.mkdir`, removing the dependency on the process-wide umask. + +This issue has severity "low" according to the :ref:`Django security policy +`. + Bugfixes ======== -- cgit v1.3
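Review bot: In the 4.2.29 hunk, the sentence "Django now applies the requested permissions via :func:`~os.chmod` after :func:`~os.mkdir`" describes a two-step sequence, so the directory still exists with umask-derived permissions for the interval between the two calls; the note should say whether that residual window is accepted (which the "low" severity rating suggests) so readers do not assume the race is fully eliminated. The commit message names the new helper `safe_makedirs()` as the alternative to `os.makedirs()`, and the release note would be more useful to operators if it pointed at that helper, or at least stated that the change covers nested directory creation and not only a single `mkdir`. Also, the `:ref:` reference in the added last paragraph appears with no target label between the backticks, unlike what a working cross-reference needs; check that the label survived in the source file.

Review bot: In the 5.2.12 hunk, the problem statement says the umask issue affects "file and directory creation", but the fix sentence covers only directory creation ("via :func:`~os.chmod` after :func:`~os.mkdir`"); either narrow the first sentence to directories or add a sentence saying how file creation in the file-system storage and file-based cache backends is handled, otherwise the two paragraphs contradict each other. The added text is otherwise identical to the 4.2.29 hunk, which is fine for a backport, but since this version places the new section immediately before "Bugfixes", confirm the blank line after the final paragraph is kept so the section separation matches the rest of the file.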