Bug 1063660 (CVE-2014-1933)
| Summary: | CVE-2014-1933 python-pillow, python-imaging: temporary file name exposure in process list | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | jkurik, manisandro, miminar, steve.traylen, tsmetana |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | python-pillow 2.3.1 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-01-21 13:21:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1063663, 1089795 | | |
| Bug Blocks: | 1063664 | | |
Description
Murray McAllister
2014-02-11 08:18:15 UTC
Created python26-imaging tracking bugs for this issue: Affects: epel-5 [bug 1063663]

Related: CVE-2014-1932 / bug 1063658

python-pillow is also affected: https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7

Created python-pillow tracking bugs for this issue: Affects: fedora-all [bug 1089795]

python-pillow-2.0.0-13.gitd1c6db8.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

python-pillow-2.2.1-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

This does not seem to be an issue by itself; rather, it can make it easier to exploit the CVE-2014-1932 (bug 1063658) issue. A temporary file name is exposed in the process list as an argument to an external command spawned by PIL / pillow. That can make it easier / possible for an attacker to win the race between the file existence check done by mktemp() and the file creation.

The JpegImagePlugin.py case is not very interesting, as the affected code is in the load_djpeg() function, which is never called by PIL / pillow and is an undocumented API, hence unlikely to be used by external applications. The EpsImagePlugin.py code is reached when loading a PostScript file. Additionally, the time between the file name being exposed and the file being created seems sufficient for an attacker to win the race. See also bug 1063658, comment 8.

Note that this issue is fixed by the same patch as CVE-2014-1932, which replaces mktemp() with mkstemp(). mkstemp() creates the temporary file safely rather than only returning a temporary file name. Therefore, exposure of the temporary file name in the process list is no longer an issue.
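The mktemp()/mkstemp() difference described in the comments above, as an added example that is not code from the bug report or from Pillow: the "external tool" is a constructed Python stand-in for djpeg/gs that writes to the path it is given, and the `convert` function and the dictionary it returns are assumptions made for illustration.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Constructed stand-in for the external converter (djpeg / gs): it writes its
# output to the path passed as its first argument, as those tools would.
FAKE_TOOL = [sys.executable, "-c",
             "import sys; open(sys.argv[1], 'wb').write(b'converted')"]


def convert(command_prefix, use_mkstemp):
    """Spawn command_prefix with a temporary output path appended.

    use_mkstemp=False reproduces the pre-fix pattern: mktemp() only returns a
    name, so the path sits in the child's argv (visible in the process list)
    while nothing exists there yet. That is the window the bug describes.
    use_mkstemp=True is the fixed pattern: mkstemp() creates the file
    atomically (O_CREAT|O_EXCL, mode 0600) before the name is ever exposed.
    Returns what was true about the path at the moment the child was spawned.
    """
    if use_mkstemp:
        fd, path = tempfile.mkstemp(prefix="pil-")
        os.close(fd)  # the tool reopens it by name; the file is already ours
    else:
        path = tempfile.mktemp(prefix="pil-")  # name only, nothing created
    existed_before_spawn = os.path.exists(path)
    mode_before_spawn = (stat.S_IMODE(os.stat(path).st_mode)
                         if existed_before_spawn else None)
    subprocess.run(command_prefix + [path], check=True)
    with open(path, "rb") as fh:
        output = fh.read()
    os.unlink(path)
    return {"existed_before_spawn": existed_before_spawn,
            "mode_before_spawn": mode_before_spawn,
            "output": output}


if __name__ == "__main__":
    for safe in (False, True):
        print("mkstemp" if safe else "mktemp ", convert(FAKE_TOOL, safe))
```

With the mktemp() variant `existed_before_spawn` is False: anyone who reads the child's argv learns a path that does not exist yet, which is exactly the race mkstemp() closes by owning the file first.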