Bug 1063660 (CVE-2014-1933)

Summary: CVE-2014-1933 python-pillow, python-imaging: temporary file name exposure in process list
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: jkurik, manisandro, miminar, steve.traylen, tsmetana
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: python-pillow 2.3.1
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-01-21 13:21:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1063663, 1089795
Bug Blocks: 1063664

Description Murray McAllister 2014-02-11 08:18:15 UTC
Jakub Wilk discovered that temporary files created in the JpegImagePlugin.py and EpsImagePlugin.py files of the Python Imaging Library were passed to an external process. These could be viewed on the command line, allowing an attacker to obtain the name and possibly perform symbolic link attacks, allowing them to modify an arbitrary file accessible to the user running an application that uses the Python Imaging Library.

Further details are available in the original report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059

Comment 1 Murray McAllister 2014-02-11 08:20:39 UTC
Created python26-imaging tracking bugs for this issue:

Affects: epel-5 [bug 1063663]

Comment 2 Murray McAllister 2014-02-11 08:21:35 UTC
Related: CVE-2014-1932 / bug 1063658

Comment 3 Murray McAllister 2014-04-22 02:52:05 UTC
python-pillow is also affected:

https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7

Comment 4 Murray McAllister 2014-04-22 02:53:37 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1089795]

Comment 5 Fedora Update System 2014-05-01 07:01:39 UTC
python-pillow-2.0.0-13.gitd1c6db8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-05-01 07:03:30 UTC
python-pillow-2.2.1-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Tomas Hoger 2014-11-12 12:41:38 UTC
This does not seem to be an issue by itself; rather, it can make it easier to exploit the CVE-2014-1932 (bug 1063658) issue. A temporary file name is exposed in the process list as an argument to the external command spawned by PIL / pillow. That can make it easier / possible for an attacker to win the race between the file existence check done by mktemp() and the file creation.

The JpegImagePlugin.py case is not very interesting, as the affected code is in the load_djpeg() function, which is never called by PIL / pillow and is an undocumented API, hence unlikely to be used by external applications.

The EpsImagePlugin.py code is reached when loading a PostScript file. Additionally, the time between the file name being exposed and the file being created seems sufficient for an attacker to win the race. See also bug 1063658, comment 8.

Comment 8 Tomas Hoger 2014-11-12 12:49:28 UTC
Note that this issue is fixed by the same patch as CVE-2014-1932, which replaces mktemp() with mkstemp(). mkstemp() creates the temporary file safely rather than only returning a temporary file name. Therefore, exposure of the temporary file name in the process list is no longer an issue.
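An added example (not code from PIL, Pillow, or this bug report) contrasting the mktemp() pattern described in comments 7 and 8 with the mkstemp() fix: it shows why a name-only temporary file can be taken over by a symlink while a file created by mkstemp() cannot, plus an ownership/permission check before consuming the external tool's output. The function names and the victim path are this example's own assumptions.

```python
import os
import stat
import tempfile

def unsafe_temp_name(suffix=".ppm"):
    # Pre-fix pattern: mktemp() only returns a name. Nothing exists at that
    # path when it is handed to the external command (and shown in `ps`).
    return tempfile.mktemp(suffix=suffix)

def safe_temp_name(suffix=".ppm"):
    # The fix from comment 8: mkstemp() creates the file itself, atomically
    # (O_CREAT | O_EXCL, mode 0600), and returns an open descriptor. By the
    # time the name is visible in the process list it already names our file.
    fd, path = tempfile.mkstemp(suffix=suffix)
    os.close(fd)
    return path

def try_plant_symlink(path, target):
    # Constructed stand-in for the race in comment 7: another local user who
    # read the name from the process list tries to put a symlink at it before
    # the external tool writes there. True if the symlink went in, False if a
    # file already occupied the path.
    try:
        os.symlink(target, path)
        return True
    except FileExistsError:
        return False

def output_is_trustworthy(path):
    # Check before consuming what the external tool wrote: a regular file
    # (not a symlink), owned by us, with no group/other write permission.
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))

def demo():
    # Hypothetical victim path; the symlink target never has to exist.
    victim = os.path.join(tempfile.gettempdir(), "victim-file-placeholder")
    unsafe, safe = unsafe_temp_name(), safe_temp_name()
    try:
        planted_unsafe = try_plant_symlink(unsafe, victim)  # True: path was free
        planted_safe = try_plant_symlink(safe, victim)      # False: file exists
        return planted_unsafe, planted_safe, output_is_trustworthy(safe)
    finally:
        for p in (unsafe, safe):
            if os.path.lexists(p):
                os.unlink(p)
```

demo() returns (True, False, True) on a POSIX system: the mktemp() name could be hijacked, the mkstemp() file could not, and the mkstemp() file passes the ownership and mode check.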