Bug 13075

Summary: python-pillow and python-imaging new security issues CVE-2014-1932 and CVE-2014-1933
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, makowski.mageia, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/593109/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: python-pillow, python-imaging CVE:
Status comment:

Description David Walser 2014-03-23 15:12:15 CET 
Multiple insecure use of /tmp vulnerabilities in PIL were reported to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059

The fixes are also included in that bug report.

The fixed upstream version of python-pillow 2.3.1 has been released and uploaded to Cauldron.

python-pillow has been patched in Mageia 4 and uploaded to updates_testing.

python-imaging has been patched in Mageia 3 and uploaded to updates_testing.

Advisory:
========================

Updated python-imaging and python-pillow packages fix security vulnerabilities:

Jakub Wilk discovered that temporary files were insecurely created (via
mktemp()) in the IptcImagePlugin.py, Image.py, JpegImagePlugin.py, and
EpsImagePlugin.py files of Python Imaging Library. A local attacker could use
this flaw to perform a symbolic link attack to modify an arbitrary file
accessible to the user running an application that uses the Python Imaging
Library (CVE-2014-1932).

Jakub Wilk discovered that temporary files created in the JpegImagePlugin.py
and EpsImagePlugin.py files of the Python Imaging Library were passed to an
external process. These could be viewed on the command line, allowing an
attacker to obtain the name and possibly perform symbolic link attacks,
allowing them to modify an arbitrary file accessible to the user running an
application that uses the Python Imaging Library (CVE-2014-1933).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1932
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1933
https://bugzilla.redhat.com/show_bug.cgi?id=1063658
https://bugzilla.redhat.com/show_bug.cgi?id=1063660
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059
========================

Updated packages in core/updates_testing:
========================
python-imaging-1.1.7-7.1.mga3
python-imaging-devel-1.1.7-7.1.mga3
python-pillow-2.2.1-0.4.mga4
python-pillow-devel-2.2.1-0.4.mga4
python-pillow-doc-2.2.1-0.4.mga4
python-pillow-sane-2.2.1-0.4.mga4
python-pillow-tk-2.2.1-0.4.mga4
python-pillow-qt-2.2.1-0.4.mga4
python3-pillow-2.2.1-0.4.mga4
python3-pillow-devel-2.2.1-0.4.mga4
python3-pillow-doc-2.2.1-0.4.mga4
python3-pillow-sane-2.2.1-0.4.mga4
python3-pillow-tk-2.2.1-0.4.mga4
python3-pillow-qt-2.2.1-0.4.mga4

from SRPMS:
python-imaging-1.1.7-7.1.mga3.src.rpm
python-pillow-2.2.1-0.4.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-23 15:12:28 CET

CC: (none) => makowski.mageia
Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-04-03 15:53:34 CEST 
Procedure: from http://pillow.readthedocs.org/en/latest/handbook/tutorial.html

python-imaging (mga3)...

from __future__ import print_function
import Image
im = Image.open("test.jpg")
print(im.format, im.size, im.mode)
im.show()


python-pillow (mga4)...

from __future__ import print_function
from PIL import Image
im = Image.open("test.jpg")
print(im.format, im.size, im.mode)
im.show()


With either..

$ python piltest.py 
JPEG (150, 150) RGB

shows image format, size and mode of file test.jpg and then displays it.

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 claire robinson 2014-04-03 15:57:25 CEST 
Same script can be used with python3-pillow..

$ python3 piltest.py 
JPEG (150, 150) RGB
Comment 3 claire robinson 2014-04-03 16:01:57 CEST 
Testing complete mga4 64 and mga3 32

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 4 claire robinson 2014-04-03 16:05:37 CEST 
testing complete mga4 32

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok

Comment 5 claire robinson 2014-04-03 16:08:07 CEST 
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 6 claire robinson 2014-04-03 16:19:23 CEST 
Validating. 

Separate advisories uploaded for 3 & 4 as 13075.mga3.adv and 13075.mga4.adv

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Damien Lallement 2014-04-03 17:19:29 CEST 
http://advisories.mageia.org/MGASA-2014-0158.html
http://advisories.mageia.org/MGASA-2014-0159.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

David Walser 2014-04-04 17:30:31 CEST

URL: (none) => http://lwn.net/Vulnerabilities/593109/