Red Hat Bugzilla – Bug 1094101
CVE-2014-3007 python-pillow, python-imaging: command injection issue
Last modified: 2015-11-27 16:10:59 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3007 to the following vulnerability: Name: CVE-2014-3007 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3007 Assigned: 20140427 Reference: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1932.html Reference: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059 Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py. This may be fixed via the CVE-2014-1932 fix (note the addition of quotes in the os.system() call in https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7)
There are multiple places where PIL / pillow used os.system to execute external commands: * Image.show - Used to spawn external image viewer. Command consists of program name and a temporary file name. There is no issue here. * GifImagePlugin, _save_netpbm() - Affected is function for saving Image to a GIF files. This function is not called by PIL / pillow. Can only be an issue if explicitly called by an application using PIL / pillow, and if the output file name is untrusted. * JpegImagePlugin, _save_cjpeg() - Similar to _save_netpbm() described above - not called by PIL / pillow, only issue if untrusted file name is used. * JpegImagePlugin, load_djpeg() - This issue can be triggered by an image file being loaded, if it has malicious file name. Affected function is not called by PIL / pillow and is not documented as public API. Applications using PIL / pillow may call it directly, but that does not seem too likely. (In reply to Murray McAllister from comment #0) > This may be fixed via the CVE-2014-1932 fix (note the addition of quotes in > the os.system() call in > https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7) That commit is not sufficient to address this issue. It only covers load_djpeg, and the fix itself is insufficient. Problem was addressed upstream by changing the code to use Python subprocess module instead of os.system to run external commands. Upstream pull requests: https://github.com/python-pillow/Pillow/pull/731 https://github.com/python-pillow/Pillow/pull/748 The most relevant commits are: https://github.com/python-pillow/Pillow/commit/34317edd8ace0f09d510b1b551034eab0a368c1b https://github.com/python-pillow/Pillow/commit/a301d061fbff5c5ec4e6e1ae82a361deb295b7b6
The above patches were applied to Pillow in upstream version 2.5.0.
Created python-pillow tracking bugs for this issue: Affects: fedora-all [bug 1163343]
Created python26-imaging tracking bugs for this issue: Affects: epel-5 [bug 1163344]
python-pillow-2.2.1-7.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-pillow-2.0.0-16.gitd1c6db8.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Statement: The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw in the packages python-imaging, python-pillow.