Bug 1094101 (CVE-2014-3007)
Summary: | CVE-2014-3007 python-pillow, python-imaging: command injection issue | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | miminar, steve.traylen, tsmetana |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | python-pillow 2.5.0 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-06-16 09:04:13 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1163343, 1163344 | ||
Bug Blocks: | 1063664 |
Description
Murray McAllister
2014-05-05 05:34:50 UTC
There are multiple places where PIL / pillow used os.system to execute external commands: * Image.show - Used to spawn external image viewer. Command consists of program name and a temporary file name. There is no issue here. * GifImagePlugin, _save_netpbm() - Affected is function for saving Image to a GIF files. This function is not called by PIL / pillow. Can only be an issue if explicitly called by an application using PIL / pillow, and if the output file name is untrusted. * JpegImagePlugin, _save_cjpeg() - Similar to _save_netpbm() described above - not called by PIL / pillow, only issue if untrusted file name is used. * JpegImagePlugin, load_djpeg() - This issue can be triggered by an image file being loaded, if it has malicious file name. Affected function is not called by PIL / pillow and is not documented as public API. Applications using PIL / pillow may call it directly, but that does not seem too likely. (In reply to Murray McAllister from comment #0) > This may be fixed via the CVE-2014-1932 fix (note the addition of quotes in > the os.system() call in > https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7) That commit is not sufficient to address this issue. It only covers load_djpeg, and the fix itself is insufficient. Problem was addressed upstream by changing the code to use Python subprocess module instead of os.system to run external commands. Upstream pull requests: https://github.com/python-pillow/Pillow/pull/731 https://github.com/python-pillow/Pillow/pull/748 The most relevant commits are: https://github.com/python-pillow/Pillow/commit/34317edd8ace0f09d510b1b551034eab0a368c1b https://github.com/python-pillow/Pillow/commit/a301d061fbff5c5ec4e6e1ae82a361deb295b7b6 The above patches were applied to Pillow in upstream version 2.5.0. Created python-pillow tracking bugs for this issue: Affects: fedora-all [bug 1163343] Created python26-imaging tracking bugs for this issue: Affects: epel-5 [bug 1163344] python-pillow-2.2.1-7.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. python-pillow-2.0.0-16.gitd1c6db8.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. Statement: The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw in the packages python-imaging, python-pillow. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2014-3007 |