Bug 1063658 - CVE-2014-1932 python-pillow, python-imaging: insecure temporary file creation
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20140129,reported=2...
Keywords: Security
Depends On: 1063662 1089795
Blocks: 1063664
Reported: 2014-02-11 03:15 EST by Murray McAllister
Modified: 2015-01-21 08:22 EST (History)

Fixed In Version: python-pillow 2.3.1
Doc Type: Bug Fix
Last Closed: 2015-01-21 08:22:49 EST
Description Murray McAllister 2014-02-11 03:15:07 EST
Jakub Wilk discovered that temporary files were insecurely created (via mktemp()) in the IptcImagePlugin.py, Image.py, JpegImagePlugin.py, and EpsImagePlugin.py files of Python Imaging Library. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running an application that uses the Python Imaging Library.

Further details are available in the original report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059
Comment 1 Murray McAllister 2014-02-11 03:19:36 EST
Created python26-imaging tracking bugs for this issue:

Affects: epel-5 [bug 1063662]
Comment 2 Murray McAllister 2014-02-11 03:21:14 EST
Related: CVE-2014-1933 / bug 1063660
Comment 3 Murray McAllister 2014-04-21 22:51:47 EDT
python-pillow is also affected:

https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
Comment 4 Murray McAllister 2014-04-21 22:53:12 EDT
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1089795]
Comment 5 Tomas Hoger 2014-11-10 17:41:33 EST
(In reply to Murray McAllister from comment #3)
> python-pillow is also affected:
> 
> https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7

Note that the above Pillow fix had a bug in the Image._dump() implementation.  When _dump() was called with no filename and with a format specified that was different from PPM, the temporary file used was not the one created by tempfile.mkstemp(), but rather a file with a name matching the temporary file name followed by a dot and the format (i.e. with an appended extension such as .jpg or .png).  This could make it easier for a local attacker to exploit this case than the original code using tempfile.mktemp(), as it allows an attacker to observe the actual temporary file name.

The regression was fixed in:

https://github.com/python-pillow/Pillow/pull/605
https://github.com/python-pillow/Pillow/commit/844ed441deb6b75d3048fa111977188ed47f0b76

Pillow itself only calls _dump() with a specified format from ImageShow.py and only on Windows or Mac OS platforms.
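The regression described in this comment, shown as an added example (my code, not Pillow's; the two dump functions are simplified stand-ins for Image._dump(), the sample bytes are constructed, and audit() is a hypothetical check that is not part of the project). The regressed variant creates one file with mkstemp() and then writes to a sibling name derived from it; the hardened variant passes the extension as a mkstemp() suffix so the file that receives the data is exactly the one created with O_CREAT|O_EXCL:

```python
import os
import stat
import tempfile

# Constructed sample payload; the content does not matter for the point made here.
SAMPLE = b"constructed image bytes, not a real JPEG"


def dump_regressed(data, fmt, dir=None):
    """Stand-in for the pattern of the first fix: mkstemp() creates a file,
    but the name actually written is that name plus '.' + extension, which
    mkstemp() never created.  The securely created file is left empty."""
    fd, created = tempfile.mkstemp(dir=dir)
    os.close(fd)
    used = created + "." + fmt.lower()
    # Plain open() creates 'used' with umask permissions, or opens whatever is
    # already sitting at that name.  The name is trivially derived from the one
    # mkstemp() chose, which is what makes this case easier to exploit.
    with open(used, "wb") as f:
        f.write(data)
    return created, used


def dump_fixed(data, fmt, dir=None):
    """Hardened form: pass the extension as mkstemp(suffix=...), so the file
    that receives the data is the one created with O_CREAT|O_EXCL and mode
    0600, and write through the descriptor mkstemp() returned."""
    fd, created = tempfile.mkstemp(suffix="." + fmt.lower(), dir=dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return created, created


def audit(dump, fmt="JPEG"):
    """Hypothetical check: run a dump function in a fresh directory and report
    whether the data landed in the file mkstemp() created, how many files were
    left behind, the permission bits of the data file and its suffix."""
    with tempfile.TemporaryDirectory() as d:
        created, used = dump(SAMPLE, fmt, dir=d)
        return {
            "same_file": os.path.samefile(created, used),
            "file_count": len(os.listdir(d)),
            "data_mode": stat.S_IMODE(os.stat(used).st_mode),
            "suffix": os.path.splitext(used)[1],
        }


if __name__ == "__main__":
    for name, fn in (("regressed", dump_regressed), ("fixed", dump_fixed)):
        print(name, audit(fn))
```

The regressed variant leaves two files behind (the empty one mkstemp() created and the one actually written, with umask-dependent permissions); the fixed variant leaves exactly one, created with mode 0600.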
Comment 6 Sandro Mani 2014-11-10 18:58:13 EST
Should I reference this bug when creating updates for python-pillow-2.2.1-6.fc20, python-pillow-2.0.0-15.gitd1c6db8.fc19 (which fix the issue pointed out in comment #5)? Or #1089795?
Comment 7 Murray McAllister 2014-11-10 19:35:18 EST
(In reply to Sandro Mani from comment #6)
> Should I reference this bug when creating updates for
> python-pillow-2.2.1-6.fc20, python-pillow-2.0.0-15.gitd1c6db8.fc19 (which
> fix the issue pointed out in comment #5)? Or #1089795?

Hi, I think you need to refer to both of them. From <http://fedoraproject.org/wiki/Security_Tracking_Bugs>:

"The maintainer commits the fixes, builds packages and creates an update request. He refers to both parent bug and tracking bug. Bodhi is able to identify that the bug is a tracking bug and doesn't include it in the new package announce mail."
Comment 8 Tomas Hoger 2014-11-12 07:29:09 EST
A quick look at impact of each mktemp use:

* Image.py

mktemp() is used in the _dump() function.  As the name starting with an underscore suggests, it's an internal function rather than a public API expected to be used by applications using PIL / pillow.

Impact depends on the dump file format.  If a format different from None and "PPM" is specified, an additional extension is appended to the name returned by mktemp().  This breaks the guarantee that the temporary file used did not exist at the time mktemp() was run, making it easier to exploit.

_dump() can only be called by PIL / pillow with a non-None format from Image.show(), a function to display an image in an external image viewer application, and only on Windows or Mac OS platforms.  On Linux, format=None is used.

_dump() is also called from GifImagePlugin.py and JpegImagePlugin.py, but only from non-default functions to save an image in a given format - the _save_netpbm() and _save_cjpeg() functions respectively.

* EpsImagePlugin.py

mktemp() is used in Ghostscript() to load images in PostScript format.  gs (from the ghostscript package) must be available.

This case seems to be the easiest to exploit.  The temporary file name is exposed on the command line (see bug 1063660) of the gs command (and the shell spawning it), and there's a non-trivial delay between the time the name gets exposed and the time gs actually creates the file.

* JpegImagePlugin.py

mktemp() is used in load_djpeg().  That is an undocumented API, and never called by PIL/pillow.  Only applications that explicitly call it can be affected.

* IptcImagePlugin.py

mktemp() is used in load(), hence this can be triggered when loading an image.  Exploitability should be similar to the _dump() case with format=None - the chosen temporary file name is not exposed, and there's a short delay between the mktemp() call and file creation.
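The common thread of all four cases above is that mktemp() only picks a name and the file is created later with a plain open(), leaving a window in which something else can occupy that name. Here is an added example (not from Pillow or this bug; create_private_file(), mktemp_creates_nothing() and scenario() are hypothetical helpers and the paths and contents are constructed) showing the guarantee mkstemp() relies on: an atomic O_CREAT|O_EXCL create that refuses a name already occupied, symlink included, so the pointed-to file is never written through:

```python
import errno
import os
import tempfile


def create_private_file(path):
    """Create 'path' as a brand-new regular file or fail; never open something
    that is already there.  O_CREAT|O_EXCL makes the existence check and the
    creation one atomic step, so a file or symlink placed at that name earlier
    yields EEXIST instead of being opened.  O_NOFOLLOW (where the platform has
    it) independently refuses a symlink at the last path component.  Mode 0600
    keeps the content private.  This is what mkstemp() does under the hood and
    what the mktemp()-then-open() pattern in this bug lacks."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def mktemp_creates_nothing():
    """mktemp() only returns a name; nothing exists on disk until the caller
    opens it later.  Every moment in between is the race window."""
    name = tempfile.mktemp()
    return os.path.exists(name)   # False: the name is just a string


def scenario(name_already_taken):
    """Constructed check.  A 'victim' file exists; the name our code intends to
    use may already be occupied by a symlink pointing at it (the situation the
    bug describes).  Returns what create_private_file() did and the victim's
    content afterwards, so the caller can confirm it was never written through."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("original")
        wanted = os.path.join(d, "predictable-name.tmp")
        if name_already_taken:
            os.symlink(victim, wanted)
        try:
            fd = create_private_file(wanted)
        except OSError as e:
            # On Linux this is EEXIST; the exact code may differ elsewhere,
            # but the create is refused either way.
            outcome = "refused:" + errno.errorcode.get(e.errno, "?")
        else:
            with os.fdopen(fd, "w") as f:
                f.write("temporary data")
            outcome = "created"
        with open(victim) as f:
            return outcome, f.read()


if __name__ == "__main__":
    print("mktemp() created a file:", mktemp_creates_nothing())
    print("name free  ->", scenario(False))
    print("name taken ->", scenario(True))
```

For the Ghostscript case, where the name is additionally visible on a command line, the same helper applies: a name that is known in advance is harmless as long as creation is exclusive and the descriptor returned by the create is the one used for all subsequent writes.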
Comment 10 Fedora Update System 2014-11-22 07:39:29 EST
python-pillow-2.2.1-7.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2014-11-22 07:40:10 EST
python-pillow-2.0.0-16.gitd1c6db8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
