The fix for CVE-2014-1932 (Bug 13075) was incomplete and assigned CVE-2014-3007. It was fixed upstream in python-pillow 2.5.0, so Cauldron is not affected.

python-pillow has been patched in Mageia 4 and uploaded to updates_testing.
python-imaging has been patched in Mageia 3 and uploaded to updates_testing.

Advisory:
========================

Updated python-imaging and python-pillow packages fix security vulnerability:

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters, due to an incomplete fix for CVE-2014-1932 (CVE-2014-3007).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3007
https://bugzilla.redhat.com/show_bug.cgi?id=1094101
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059
========================

Updated packages in core/updates_testing:
========================
python-imaging-1.1.7-7.3.mga3
python-imaging-devel-1.1.7-7.3.mga3
python-pillow-2.2.1-0.6.mga4
python-pillow-devel-2.2.1-0.6.mga4
python-pillow-doc-2.2.1-0.6.mga4
python-pillow-sane-2.2.1-0.6.mga4
python-pillow-tk-2.2.1-0.6.mga4
python-pillow-qt-2.2.1-0.6.mga4
python3-pillow-2.2.1-0.6.mga4
python3-pillow-devel-2.2.1-0.6.mga4
python3-pillow-doc-2.2.1-0.6.mga4
python3-pillow-sane-2.2.1-0.6.mga4
python3-pillow-tk-2.2.1-0.6.mga4
python3-pillow-qt-2.2.1-0.6.mga4

from SRPMS:
python-imaging-1.1.7-7.3.mga3.src.rpm
python-pillow-2.2.1-0.6.mga4.src.rpm
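The bug class the advisory describes (a file name interpolated into a command string that /bin/sh parses), shown as a constructed example added here; it is not PIL's or Pillow's code, the ARGV_PRINTER stand-in for the external image tool and the HOSTILE_NAME value are hypothetical, and the vulnerable pattern sits beside the two fixed forms.

```python
"""Constructed illustration of shell-metacharacter injection through an
externally invoked image tool. Not PIL/Pillow code; ARGV_PRINTER and
HOSTILE_NAME are made up for this example."""
import shlex
import subprocess
import sys

# Stand-in for the external converter: prints each argument it receives on
# its own line, so we can see exactly which argv the child process got.
ARGV_PRINTER = [sys.executable, "-c",
                "import sys; print(*sys.argv[1:], sep='\\n')"]

# Constructed hostile file name. Harmless here: the injected command only
# echoes a marker, but anything after ';' would run the same way.
HOSTILE_NAME = "pic.jpg; echo INJECTED"


def _shell_prefix():
    """The converter invocation as a shell string (tool path and script
    quoted, as a careful caller would already do for fixed arguments)."""
    return " ".join(shlex.quote(a) for a in ARGV_PRINTER)


def run_vulnerable(filename):
    """os.system()-style call: one string handed to /bin/sh. The ';' in the
    file name ends the converter command and starts a second command."""
    cmd = "%s %s" % (_shell_prefix(), filename)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_fixed_argv(filename):
    """Fix: pass an argument list, so no shell ever sees the file name."""
    out = subprocess.run(ARGV_PRINTER + [filename],
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def run_fixed_quoted(filename):
    """Alternative when a shell string is unavoidable: shlex.quote() turns
    the whole file name into a single shell word."""
    cmd = "%s %s" % (_shell_prefix(), shlex.quote(filename))
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(HOSTILE_NAME))
    print("argv list: ", run_fixed_argv(HOSTILE_NAME))
    print("quoted:    ", run_fixed_quoted(HOSTILE_NAME))
```

On a POSIX system the vulnerable form prints two lines (the second is the injected marker), while both fixed forms print the hostile name verbatim as one argument.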
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13075#c1
Whiteboard: (none) => MGA3TOO has_procedure
Testing complete using Claire's procedure from Comment 1, Mageia 3 i586 and Mageia 4 i586.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK
Testing python-imaging on Mageia3-64 real HW

Current packages:
----------------
- lib64python-devel-2.7.6-1.3.mga3.x86_64
- python-imaging-1.1.7-7.2.mga3.x86_64
- python-imaging-devel-1.1.7-7.2.mga3.x86_64

Followed Claire's procedure mentioned in comment 1.

Made another test (piltest2.py):

import Image
im = Image.open("gmtest2.jpg")
im.save('gmt.png', "PNG")
im.save('gmt.bmp', "BMP")

To save a jpg image in png and bmp format. Both tests went well.

Updated to testing packages:
---------------------------
- python-imaging-1.1.7-7.3.mga3.x86_64
- python-imaging-devel-1.1.7-7.3.mga3.x86_64

Reran both tests. All good.
CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK
Works fine on MGA4-x86-64 inside a VM. Ran both tests.

Regards,

-- Shlomi Fish
CC: (none) => shlomif
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Validating, advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0476.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/622614/