Bug 1063660 - (CVE-2014-1933) CVE-2014-1933 python-pillow, python-imaging: temporary file name exposure in process list
Product: Security Response
Classification: Other
Component: vulnerability
Platform: All Linux
Priority: low   Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 1063663 1089795
Blocks: 1063664
Reported: 2014-02-11 03:18 EST by Murray McAllister
Modified: 2015-01-21 08:21 EST
Fixed In Version: python-pillow 2.3.1
Doc Type: Bug Fix
Last Closed: 2015-01-21 08:21:04 EST

Attachments: none
Description Murray McAllister 2014-02-11 03:18:15 EST
Jakub Wilk discovered that temporary files created in the JpegImagePlugin.py and EpsImagePlugin.py files of the Python Imaging Library were passed to an external process. These could be viewed on the command line, allowing an attacker to obtain the name and possibly perform symbolic link attacks, allowing them to modify an arbitrary file accessible to the user running an application that uses the Python Imaging Library.

Further details are available in the original report:
Comment 1 Murray McAllister 2014-02-11 03:20:39 EST
Created python26-imaging tracking bugs for this issue:

Affects: epel-5 [bug 1063663]
Comment 2 Murray McAllister 2014-02-11 03:21:35 EST
Related: CVE-2014-1932 / bug 1063658
Comment 3 Murray McAllister 2014-04-21 22:52:05 EDT
python-pillow is also affected:

Comment 4 Murray McAllister 2014-04-21 22:53:37 EDT
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1089795]
Comment 5 Fedora Update System 2014-05-01 03:01:39 EDT
python-pillow-2.0.0-13.gitd1c6db8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-05-01 03:03:30 EDT
python-pillow-2.2.1-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Tomas Hoger 2014-11-12 07:41:38 EST
This does not seem to be an issue by itself; rather, it can make it easier to exploit the CVE-2014-1932 (bug 1063658) issue.  A temporary file name is exposed in the process list as an argument to an external command spawned by PIL / pillow.  That can make it easier / possible for an attacker to win the race between the file existence check done by mktemp() and file creation.

The JpegImagePlugin.py case is not very interesting, as the affected code is in the load_djpeg() function, which is never called by PIL / pillow and is an undocumented API, hence unlikely to be used by external applications.

The EpsImagePlugin.py code is reached when loading a PostScript file.  Additionally, the time between when the file name gets exposed and when the file is created seems sufficient for an attacker to win the race.  See also bug 1063658, comment 8.
Comment 8 Tomas Hoger 2014-11-12 07:49:28 EST
Note that this issue is fixed by the same patch as CVE-2014-1932, which replaces mktemp() with mkstemp().  mkstemp() creates the temporary file safely rather than only returning a temporary file name.  Therefore, exposure of the temporary file name in the process list is no longer an issue.
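As an added illustration of comments 7 and 8 (this is not code from the bug report or from PIL / pillow), the Python below puts the two temporary-file patterns side by side. `mktemp_window()` shows the weak pattern: the name is chosen but nothing exists at that path when it would be handed to an external command. `mkstemp_then_spawn()` shows the fixed pattern: the file is created with mode 0600 and a descriptor is held before the name leaves the process. `HELPER` is a constructed stand-in for the external command the plugin spawns; it merely writes its stdin to the path it receives in argv, which is enough to show when that path becomes visible outside the calling process.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Constructed stand-in for the external command spawned with the temporary
# file name in its argv (not the real helper PIL / pillow uses). It writes
# whatever it reads on stdin to the path given as its first argument.
HELPER = [
    sys.executable, "-c",
    "import sys; open(sys.argv[1], 'wb').write(sys.stdin.buffer.read())",
]


def mktemp_window():
    """The weak pattern: mktemp() hands back a name only.

    Returns the chosen name and whether anything exists there yet. Nothing
    does: from this point until the helper creates the file, the name is
    visible in the helper's argv while the path is still unclaimed. That gap
    is the race window described in comment 7.
    """
    path = tempfile.mktemp(suffix=".ppm")
    return path, os.path.exists(path)


def mkstemp_then_spawn(payload: bytes) -> dict:
    """The fixed pattern: mkstemp() creates the file before its name is reused.

    Before the helper is spawned the file already exists, is a regular file,
    is mode 0600 and owned by us, and we hold a descriptor to it. Seeing the
    name in the process list then gains nothing, because there is no longer
    anything to pre-create at that path.
    """
    fd, path = tempfile.mkstemp(suffix=".ppm")
    try:
        with os.fdopen(fd, "rb") as handle:
            st = os.fstat(handle.fileno())
            result = {
                "existed_before_spawn": os.path.exists(path),
                "regular": stat.S_ISREG(st.st_mode),
                "mode": stat.S_IMODE(st.st_mode),
                "owned_by_us": st.st_uid == os.getuid(),
            }
            # Only now does the name leave this process.
            subprocess.run(HELPER + [path], input=payload, check=True)
            # Our descriptor still refers to the inode the helper wrote into,
            # so the result is read back without re-opening by name.
            handle.seek(0)
            result["content"] = handle.read()
            return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    name, exists = mktemp_window()
    print(f"mktemp chose {name}; exists before use: {exists}")
    print(mkstemp_then_spawn(b"constructed sample output"))
```

The detail worth checking in a code review is the ordering: the descriptor from mkstemp() is obtained, and the file's type, mode and owner are inspected through that descriptor, before the path string is ever placed in another process's argv.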
