Bug 14580

Summary: python-pillow and python-imaging new security issue CVE-2014-3007
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: olchal, rverschelde, shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/622614/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
Source RPM: python-pillow, python-imaging CVE:
Status comment:

Description David Walser 2014-11-17 05:36:49 CET 
The fix for CVE-2014-1932 (Bug 13075) was incomplete and assigned CVE-2014-3007.

It was fixed upstream in python-pillow 2.5.0, so Cauldron is not affected.

python-pillow has been patched in Mageia 4 and uploaded to updates_testing.

python-imaging has been patched in Mageia 3 and uploaded to updates_testing.

Advisory:
========================

Updated python-imaging and python-pillow packages fix security vulnerability:

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote
attackers to execute arbitrary commands via shell metacharacters, due to an
incomplete fix for CVE-2014-1932 (CVE-2014-3007).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3007
https://bugzilla.redhat.com/show_bug.cgi?id=1094101
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059
========================

Updated packages in core/updates_testing:
========================
python-imaging-1.1.7-7.3.mga3
python-imaging-devel-1.1.7-7.3.mga3
python-pillow-2.2.1-0.6.mga4
python-pillow-devel-2.2.1-0.6.mga4
python-pillow-doc-2.2.1-0.6.mga4
python-pillow-sane-2.2.1-0.6.mga4
python-pillow-tk-2.2.1-0.6.mga4
python-pillow-qt-2.2.1-0.6.mga4
python3-pillow-2.2.1-0.6.mga4
python3-pillow-devel-2.2.1-0.6.mga4
python3-pillow-doc-2.2.1-0.6.mga4
python3-pillow-sane-2.2.1-0.6.mga4
python3-pillow-tk-2.2.1-0.6.mga4
python3-pillow-qt-2.2.1-0.6.mga4

from SRPMS:
python-imaging-1.1.7-7.3.mga3.src.rpm
python-pillow-2.2.1-0.6.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-11-17 05:37:18 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13075#c1

Whiteboard: (none) => MGA3TOO has_procedure

Comment 2 David Walser 2014-11-17 20:11:55 CET 
Testing complete using Claire's procedure from Comment 1, Mageia 3 i586 and Mageia 4 i586.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 3 olivier charles 2014-11-17 21:34:44 CET 
Testing python-imaging on Mageia3-64 real HW

Current packages :
----------------
- lib64python-devel-2.7.6-1.3.mga3.x86_64
- python-imaging-1.1.7-7.2.mga3.x86_64
- python-imaging-devel-1.1.7-7.2.mga3.x86_64

Followed Claire's procedure mentionned in comment 1
Made another test (piltest2.py):
import Image
im = Image.open("gmtest2.jpg")
im.save('gmt.png', "PNG")
im.save('gmt.bmp', "BMP")

To save a jpg image in png and bmp format.

Both tests went well.

Updated to testing packages:
---------------------------

- python-imaging-1.1.7-7.3.mga3.x86_64
- python-imaging-devel-1.1.7-7.3.mga3.x86_64

Reran both tests.

All good.

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK

Comment 4 Shlomi Fish 2014-11-18 15:44:29 CET 
Works fine on MGA4-x86-64 inside a VM. Ran both tests.

Regards,

-- Shlomi Fish

CC: (none) => shlomif
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 5 RĂ©mi Verschelde 2014-11-19 13:33:38 CET 
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 6 Mageia Robot 2014-11-21 13:45:56 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0476.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-11-21 19:06:03 CET

URL: (none) => http://lwn.net/Vulnerabilities/622614/