Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3007 to
the following vulnerability:
Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might
allow remote attackers to execute arbitrary commands via shell
metacharacters in unspecified vectors related to CVE-2014-1932,
This may be fixed via the CVE-2014-1932 fix (note the addition of quotes in the os.system() call in https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7)
There are multiple places where PIL / pillow used os.system to execute external commands:
* Image.show - Used to spawn an external image viewer. The command consists of the program name and a temporary file name. There is no issue here.
* GifImagePlugin, _save_netpbm() - Affected is the function for saving an Image to a GIF file. This function is not called by PIL / pillow. It can only be an issue if explicitly called by an application using PIL / pillow, and if the output file name is untrusted.
* JpegImagePlugin, _save_cjpeg() - Similar to _save_netpbm() described above - not called by PIL / pillow, only an issue if an untrusted file name is used.
* JpegImagePlugin, load_djpeg() - This issue can be triggered by an image file being loaded, if it has a malicious file name. The affected function is not called by PIL / pillow and is not documented as public API. Applications using PIL / pillow may call it directly, but that does not seem too likely.
(In reply to Murray McAllister from comment #0)
> This may be fixed via the CVE-2014-1932 fix (note the addition of quotes in
> the os.system() call in
That commit is not sufficient to address this issue. It only covers load_djpeg, and the fix itself is insufficient. The problem was addressed upstream by changing the code to use the Python subprocess module instead of os.system to run external commands.
Upstream pull requests:
The most relevant commits are:
The above patches were applied to Pillow in upstream version 2.5.0.
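As an added illustration of the fix described in the comments above (this is not code from Pillow or from this bug report): the os.system() string-interpolation pattern beside the subprocess argument-list form, with a check that a file name containing shell metacharacters reaches the child process as one intact argument. The file name UNTRUSTED_NAME and all helper names are constructed for the example; a small Python child stands in for djpeg/ppmtogif so it runs anywhere.

```python
import shlex
import subprocess
import sys

# Constructed sample file name (hypothetical, not from the bug report): it contains
# shell metacharacters but spells no command, so it is harmless to pass around.
UNTRUSTED_NAME = "my photo; $HOME & stuff.jpg"


def vulnerable_command(program, filename):
    """The pre-2.5.0 pattern: interpolate the file name into one shell string
    for os.system(). Returned for inspection only; it is never executed here."""
    return "%s %s" % (program, filename)


def shell_word_count(command):
    """How many words a POSIX shell would split the command string into."""
    return len(shlex.split(command))


def safe_argv(program, filename):
    """Hardened form, mirroring the upstream move to subprocess: the file name is a
    single argv element and no shell is involved, so metacharacters stay literal."""
    return [program, filename]


def run_argv(argv):
    """Execute an argument list without a shell (shell=False is the default)."""
    return subprocess.run(argv, capture_output=True, text=True, check=True)


def argv_roundtrip(filename):
    """Check: a small Python child prints sys.argv[1] verbatim, which confirms the
    file name arrives intact as one argument (stands in for djpeg/ppmtogif)."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", filename]
    return run_argv(child).stdout


if __name__ == "__main__":
    cmd = vulnerable_command("djpeg", UNTRUSTED_NAME)
    print("shell string:", cmd, "-> %d words" % shell_word_count(cmd))
    print("argv:", safe_argv("djpeg", UNTRUSTED_NAME))
    print("child saw:", repr(argv_roundtrip(UNTRUSTED_NAME)))
```

The word count shows why adding quotes around the interpolated name is fragile: the shell, not the caller, decides where the file name ends, whereas the argv form never consults a shell at all.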
Created python-pillow tracking bugs for this issue:
Affects: fedora-all [bug 1163343]
Created python26-imaging tracking bugs for this issue:
Affects: epel-5 [bug 1163344]
python-pillow-2.2.1-7.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-pillow-2.0.0-16.gitd1c6db8.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw in the packages python-imaging, python-pillow.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):