Multiple insecure use of /tmp vulnerabilities in PIL were reported to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059

The fixes are also included in that bug report.

The fixed upstream version of python-pillow 2.3.1 has been released and uploaded to Cauldron.

python-pillow has been patched in Mageia 4 and uploaded to updates_testing.
python-imaging has been patched in Mageia 3 and uploaded to updates_testing.

Advisory:
========================

Updated python-imaging and python-pillow packages fix security vulnerabilities:

Jakub Wilk discovered that temporary files were insecurely created (via mktemp()) in the IptcImagePlugin.py, Image.py, JpegImagePlugin.py, and EpsImagePlugin.py files of Python Imaging Library. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running an application that uses the Python Imaging Library (CVE-2014-1932).

Jakub Wilk discovered that temporary files created in the JpegImagePlugin.py and EpsImagePlugin.py files of the Python Imaging Library were passed to an external process. These could be viewed on the command line, allowing an attacker to obtain the name and possibly perform symbolic link attacks, allowing them to modify an arbitrary file accessible to the user running an application that uses the Python Imaging Library (CVE-2014-1933).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1932
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1933
https://bugzilla.redhat.com/show_bug.cgi?id=1063658
https://bugzilla.redhat.com/show_bug.cgi?id=1063660
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059
========================

Updated packages in core/updates_testing:
========================
python-imaging-1.1.7-7.1.mga3
python-imaging-devel-1.1.7-7.1.mga3
python-pillow-2.2.1-0.4.mga4
python-pillow-devel-2.2.1-0.4.mga4
python-pillow-doc-2.2.1-0.4.mga4
python-pillow-sane-2.2.1-0.4.mga4
python-pillow-tk-2.2.1-0.4.mga4
python-pillow-qt-2.2.1-0.4.mga4
python3-pillow-2.2.1-0.4.mga4
python3-pillow-devel-2.2.1-0.4.mga4
python3-pillow-doc-2.2.1-0.4.mga4
python3-pillow-sane-2.2.1-0.4.mga4
python3-pillow-tk-2.2.1-0.4.mga4
python3-pillow-qt-2.2.1-0.4.mga4

from SRPMS:
python-imaging-1.1.7-7.1.mga3.src.rpm
python-pillow-2.2.1-0.4.mga4.src.rpm
CC: (none) => makowski.mageia
Whiteboard: (none) => MGA3TOO
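The two flaws in the advisory above are a single pattern: mktemp() returns only a name, the file is opened later with plain open(), and any local user who learns or guesses the name (CVE-2014-1933 makes that easy, because the name shows up on a child process's command line) can plant a symlink there first and redirect the write. The following added example is not PIL/Pillow code and does not reproduce their patches; it plays attacker and victim in one process to show the clobber, then shows the hardened open (O_CREAT|O_EXCL, mode 0600, O_NOFOLLOW where available) that mkstemp()/NamedTemporaryFile() perform for you, plus a 0700 mkdtemp() directory as the defence against a leaked name. The name-generator callable, the file names and the payload strings are constructed for the demonstration.

```python
"""Added example: the mktemp() symlink race from the advisory, next to a
hardened replacement.  Not Pillow code; all names below are constructed."""
import os
import shutil
import stat
import tempfile


def write_temp_unsafe(data, name_for_temp):
    """Vulnerable pattern (CVE-2014-1932 style).  `name_for_temp` stands in
    for tempfile.mktemp(): it hands back only a *name*; nothing is created
    until the later open(), which happily follows a symlink planted at
    that path in the meantime."""
    path = name_for_temp()
    # --- race window: a local attacker creates a symlink at `path` ---
    with open(path, "wb") as f:      # O_CREAT without O_EXCL: follows the link
        f.write(data)
    return path


def write_temp_safe(data, name_for_temp):
    """Hardened pattern: create with O_CREAT|O_EXCL (and O_NOFOLLOW where the
    platform has it) and mode 0600.  A pre-existing entry, symlink included,
    makes the open fail instead of being followed.  tempfile.mkstemp() and
    NamedTemporaryFile() do exactly this, with an unpredictable name and a
    retry on collision; use them rather than copying this by hand."""
    path = name_for_temp()
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # EEXIST -> FileExistsError if anything is there
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Attacker and victim in one process.
    Returns (victim_file_clobbered_by_unsafe, safe_open_refused_and_file_intact)."""
    original = b"original contents\n"
    payload = b"attacker-chosen payload\n"
    tmpdir = tempfile.mkdtemp()
    try:
        victim_target = os.path.join(tmpdir, "victim_owned_file")
        with open(victim_target, "wb") as f:
            f.write(original)

        # Attacker knows the temp name (guessed, or read off a command line as
        # in CVE-2014-1933) and plants a symlink to a file the victim can write.
        predicted = os.path.join(tmpdir, "tmpAbC123")   # constructed name
        os.symlink(victim_target, predicted)

        write_temp_unsafe(payload, lambda: predicted)
        with open(victim_target, "rb") as f:
            clobbered = f.read() == payload

        # Reset the victim file and retry against the hardened writer.
        with open(victim_target, "wb") as f:
            f.write(original)
        try:
            write_temp_safe(payload, lambda: predicted)
            refused = False
        except OSError:                 # FileExistsError (EEXIST) on POSIX
            refused = True
        with open(victim_target, "rb") as f:
            intact = f.read() == original
        return clobbered, refused and intact
    finally:
        shutil.rmtree(tmpdir)


def private_tempdir_mode():
    """Defence against a leaked name: keep temp files in a directory from
    tempfile.mkdtemp(), created 0700, so another local user cannot create a
    symlink in it no matter what name they saw on the command line.
    Returns the permission bits of a freshly created directory."""
    d = tempfile.mkdtemp()
    try:
        return stat.S_IMODE(os.stat(d).st_mode)
    finally:
        os.rmdir(d)


if __name__ == "__main__":
    clobbered, blocked = demo()
    print("unsafe writer clobbered victim file:", clobbered)
    print("hardened writer refused symlink and left file intact:", blocked)
    print("mkdtemp() directory mode: %o" % private_tempdir_mode())
```

The passing of the temp name to an external program (CVE-2014-1933) is not fixed by O_EXCL alone, since the process that receives the name may itself open the path without it; the private directory, or passing the data over a pipe instead of a path, removes the attacker's ability to interpose at all.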
Procedure: from http://pillow.readthedocs.org/en/latest/handbook/tutorial.html

python-imaging (mga3)...

from __future__ import print_function
import Image
im = Image.open("test.jpg")
print(im.format, im.size, im.mode)
im.show()

python-pillow (mga4)...

from __future__ import print_function
from PIL import Image
im = Image.open("test.jpg")
print(im.format, im.size, im.mode)
im.show()

With either..

$ python piltest.py
JPEG (150, 150) RGB

shows image format, size and mode of file test.jpg and then displays it.
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Same script can be used with python3-pillow..

$ python3 piltest.py
JPEG (150, 150) RGB
Testing complete mga4 64 and mga3 32
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga4-64-ok
testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Separate advisories uploaded for 3 & 4 as 13075.mga3.adv and 13075.mga4.adv.

Could sysadmin please push to 3 & 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0158.html
http://advisories.mageia.org/MGASA-2014-0159.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/593109/