Red Hat Bugzilla – Bug 1063660
CVE-2014-1933 python-pillow, python-imaging: temporary file name exposure in process list
Last modified: 2015-01-21 08:21:04 EST
Jakub Wilk discovered that temporary files created in the JpegImagePlugin.py and EpsImagePlugin.py files of the Python Imaging Library were passed to an external process. These could be viewed on the command line, allowing an attacker to obtain the name and possibly perform symbolic link attacks, allowing them to modify an arbitrary file accessible to the user running an application that uses the Python Imaging Library.
Further details are available in the original report:
Created python26-imaging tracking bugs for this issue:
Affects: epel-5 [bug 1063663]
Related: CVE-2014-1932 / bug 1063658
python-pillow is also affected:
Created python-pillow tracking bugs for this issue:
Affects: fedora-all [bug 1089795]
python-pillow-2.0.0-13.gitd1c6db8.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
python-pillow-2.2.1-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This does not seem to be an issue by itself; rather, it can make it easier to exploit the CVE-2014-1932 (bug 1063658) issue. A temporary file name is exposed in the process list as an argument to an external command spawned by PIL / pillow. That can make it easier / possible for an attacker to win the race between the file existence check done by mktemp() and the file creation.
The JpegImagePlugin.py case is not very interesting, as the affected code is in the load_djpeg() function, which is never called by PIL / pillow and is undocumented API, hence unlikely to be used by external applications.
The EpsImagePlugin.py code is reached when loading a PostScript file. Additionally, the time between when the file name gets exposed and when the file is created seems sufficient for an attacker to win the race. See also bug 1063658, comment 8.
Note that this issue is fixed by the same patch as CVE-2014-1932, which replaces mktemp() with mkstemp(). mkstemp() creates the temporary file safely rather than only returning a temporary file name. Therefore, exposure of the temporary file name in the process list is no longer an issue.
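The following is an added illustration of the mktemp()/mkstemp() race described in the comments above; it is example code written for this page, not PIL / pillow code. The functions external_converter, plant_symlink, convert_with_mktemp, convert_with_mkstemp and run_demo are all constructed here. external_converter stands in for the spawned converter (Ghostscript, in the EPS case): it receives the output path on its command line, where it is readable from the process list, and writes to it following symlinks. The "attacker" is a callback invoked between name generation and file creation, which deterministically simulates winning the race that the process-list exposure makes feasible.

```python
# Added example for this bug page (not PIL/Pillow code): mktemp() name exposed
# in a child's argv vs. mkstemp(), which creates the file before the name leaks.
import os
import subprocess
import sys
import tempfile


def external_converter(out_path: str, payload: str) -> None:
    """Stand-in for the external converter that PIL spawns (e.g. Ghostscript).

    out_path is an argv element, so it is visible to every local user via
    `ps` for the child's lifetime.  The child opens it for writing without
    O_NOFOLLOW, so a symlink planted at out_path is silently followed.
    """
    subprocess.run(
        [sys.executable, "-c",
         "import sys\nwith open(sys.argv[1], 'w') as f: f.write(sys.argv[2])",
         out_path, payload],
        check=True,
    )


def plant_symlink(victim: str):
    """Constructed attacker step: point the leaked temp name at `victim`."""
    def attacker(temp_path: str) -> bool:
        try:
            os.symlink(victim, temp_path)
            return True       # race won: the converter will write through the link
        except FileExistsError:
            return False      # a real file already occupies the name
    return attacker


def convert_with_mktemp(workdir: str, payload: str, attacker) -> str:
    """Pre-fix pattern: mktemp() only returns a name; nothing exists on disk yet."""
    out_path = tempfile.mktemp(dir=workdir)
    attacker(out_path)        # window between name choice and file creation
    external_converter(out_path, payload)
    with open(out_path) as f:
        result = f.read()
    os.unlink(out_path)       # removes the symlink, not the victim
    return result


def convert_with_mkstemp(workdir: str, payload: str, attacker) -> str:
    """Post-fix pattern: mkstemp() creates the file atomically (O_EXCL, mode 0600)."""
    fd, out_path = tempfile.mkstemp(dir=workdir)
    os.close(fd)              # file already exists; leaking its name is harmless
    attacker(out_path)        # symlink() fails with EEXIST, attack fails
    external_converter(out_path, payload)
    with open(out_path) as f:
        result = f.read()
    os.unlink(out_path)
    return result


def run_demo(use_mkstemp: bool) -> dict:
    """Run one conversion against a constructed victim file; report its state after."""
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "victim.txt")   # constructed target file
        with open(victim, "w") as f:
            f.write("original")
        convert = convert_with_mkstemp if use_mkstemp else convert_with_mktemp
        result = convert(workdir, "attacker-controlled", plant_symlink(victim))
        with open(victim) as f:
            victim_after = f.read()
    return {"converter_output": result, "victim_after": victim_after}


if __name__ == "__main__":
    print("mktemp :", run_demo(use_mkstemp=False))   # victim clobbered
    print("mkstemp:", run_demo(use_mkstemp=True))    # victim untouched
```

With mktemp() the victim file ends up containing the converter's output, because the child wrote through the attacker's symlink; with mkstemp() the name the child receives already refers to a file the application owns, so the symlink attempt fails and the victim is untouched. This is why the comment above notes that once mkstemp() is used, the process-list exposure stops mattering: there is no longer a window between "name chosen" and "file created" for anyone to exploit.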