Bug 13075 - python-pillow and python-imaging new security issues CVE-2014-1932 and CVE-2014-1933
: python-pillow and python-imaging new security issues CVE-2014-1932 and CVE-20...
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/593109/
: MGA3TOO has_procedure advisory mga3-3...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-03-23 15:12 CET by David Walser
Modified: 2014-04-04 17:30 CEST (History)
3 users (show)

See Also:
Source RPM: python-pillow, python-imaging
CVE:
Status comment:


Attachments

Description David Walser 2014-03-23 15:12:15 CET
Multiple insecure use of /tmp vulnerabilities in PIL were reported to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059

The fixes are also included in that bug report.

The fixed upstream version of python-pillow 2.3.1 has been released and uploaded to Cauldron.

python-pillow has been patched in Mageia 4 and uploaded to updates_testing.

python-imaging has been patched in Mageia 3 and uploaded to updates_testing.

Advisory:
========================

Updated python-imaging and python-pillow packages fix security vulnerabilities:

Jakub Wilk discovered that temporary files were insecurely created (via
mktemp()) in the IptcImagePlugin.py, Image.py, JpegImagePlugin.py, and
EpsImagePlugin.py files of Python Imaging Library. A local attacker could use
this flaw to perform a symbolic link attack to modify an arbitrary file
accessible to the user running an application that uses the Python Imaging
Library (CVE-2014-1932).

Jakub Wilk discovered that temporary files created in the JpegImagePlugin.py
and EpsImagePlugin.py files of the Python Imaging Library were passed to an
external process. These could be viewed on the command line, allowing an
attacker to obtain the name and possibly perform symbolic link attacks,
allowing them to modify an arbitrary file accessible to the user running an
application that uses the Python Imaging Library (CVE-2014-1933).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1932
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1933
https://bugzilla.redhat.com/show_bug.cgi?id=1063658
https://bugzilla.redhat.com/show_bug.cgi?id=1063660
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059
========================

Updated packages in core/updates_testing:
========================
python-imaging-1.1.7-7.1.mga3
python-imaging-devel-1.1.7-7.1.mga3
python-pillow-2.2.1-0.4.mga4
python-pillow-devel-2.2.1-0.4.mga4
python-pillow-doc-2.2.1-0.4.mga4
python-pillow-sane-2.2.1-0.4.mga4
python-pillow-tk-2.2.1-0.4.mga4
python-pillow-qt-2.2.1-0.4.mga4
python3-pillow-2.2.1-0.4.mga4
python3-pillow-devel-2.2.1-0.4.mga4
python3-pillow-doc-2.2.1-0.4.mga4
python3-pillow-sane-2.2.1-0.4.mga4
python3-pillow-tk-2.2.1-0.4.mga4
python3-pillow-qt-2.2.1-0.4.mga4

from SRPMS:
python-imaging-1.1.7-7.1.mga3.src.rpm
python-pillow-2.2.1-0.4.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2014-04-03 15:53:34 CEST
Procedure: from http://pillow.readthedocs.org/en/latest/handbook/tutorial.html

python-imaging (mga3)...

from __future__ import print_function
import Image
im = Image.open("test.jpg")
print(im.format, im.size, im.mode)
im.show()


python-pillow (mga4)...

from __future__ import print_function
from PIL import Image
im = Image.open("test.jpg")
print(im.format, im.size, im.mode)
im.show()


With either..

$ python piltest.py 
JPEG (150, 150) RGB

shows image format, size and mode of file test.jpg and then displays it.
Comment 2 claire robinson 2014-04-03 15:57:25 CEST
Same script can be used with python3-pillow..

$ python3 piltest.py 
JPEG (150, 150) RGB
Comment 3 claire robinson 2014-04-03 16:01:57 CEST
Testing complete mga4 64 and mga3 32
Comment 4 claire robinson 2014-04-03 16:05:37 CEST
testing complete mga4 32
Comment 5 claire robinson 2014-04-03 16:08:07 CEST
Testing complete mga3 64
Comment 6 claire robinson 2014-04-03 16:19:23 CEST
Validating. 

Separate advisories uploaded for 3 & 4 as 13075.mga3.adv and 13075.mga4.adv

Could sysadmin please push to 3 & 4 updates

Thanks

Note You need to log in before you can comment on or make changes to this bug.