Bug 1094101 (CVE-2014-3007) - CVE-2014-3007 python-pillow, python-imaging: command injection issue
Summary: CVE-2014-3007 python-pillow, python-imaging: command injection issue
Keywords:
Status: NEW
Alias: CVE-2014-3007
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1163343 1163344
Blocks: 1063664
TreeView+ depends on / blocked
 
Reported: 2014-05-05 05:34 UTC by Murray McAllister
Modified: 2019-09-29 13:16 UTC (History)
3 users (show)

Fixed In Version: python-pillow 2.5.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Murray McAllister 2014-05-05 05:34:50 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3007 to
the following vulnerability:

Name: CVE-2014-3007
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3007
Assigned: 20140427
Reference: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1932.html
Reference: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might
allow remote attackers to execute arbitrary commands via shell
metacharacters in unspecified vectors related to CVE-2014-1932,
possibly JpegImagePlugin.py.

This may be fixed via the CVE-2014-1932 fix (note the addition of quotes in the os.system() call in https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7)

Comment 1 Tomas Hoger 2014-11-12 14:06:26 UTC
There are multiple places where PIL / pillow used os.system to execute external commands:

* Image.show - Used to spawn external image viewer.  Command consists of program name and a temporary file name.  There is no issue here.

* GifImagePlugin, _save_netpbm() - Affected is function for saving Image to a GIF files.  This function is not called by PIL / pillow.  Can only be an issue if explicitly called by an application using PIL / pillow, and if the output file name is untrusted.

* JpegImagePlugin, _save_cjpeg() - Similar to _save_netpbm() described above - not called by PIL / pillow, only issue if untrusted file name is used.

* JpegImagePlugin, load_djpeg() - This issue can be triggered by an image file being loaded, if it has malicious file name.  Affected function is not called by PIL / pillow and is not documented as public API.  Applications using PIL / pillow may call it directly, but that does not seem too likely.

(In reply to Murray McAllister from comment #0)
> This may be fixed via the CVE-2014-1932 fix (note the addition of quotes in
> the os.system() call in
> https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7)

That commit is not sufficient to address this issue.  It only covers load_djpeg, and the fix itself is insufficient.  Problem was addressed upstream by changing the code to use Python subprocess module instead of os.system to run external commands.

Upstream pull requests:
https://github.com/python-pillow/Pillow/pull/731
https://github.com/python-pillow/Pillow/pull/748

The most relevant commits are:
https://github.com/python-pillow/Pillow/commit/34317edd8ace0f09d510b1b551034eab0a368c1b
https://github.com/python-pillow/Pillow/commit/a301d061fbff5c5ec4e6e1ae82a361deb295b7b6

Comment 2 Tomas Hoger 2014-11-12 14:25:22 UTC
The above patches were applied to Pillow in upstream version 2.5.0.

Comment 4 Tomas Hoger 2014-11-12 14:31:41 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1163343]

Comment 5 Tomas Hoger 2014-11-12 14:31:43 UTC
Created python26-imaging tracking bugs for this issue:

Affects: epel-5 [bug 1163344]

Comment 6 Fedora Update System 2014-11-22 12:39:27 UTC
python-pillow-2.2.1-7.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-11-22 12:40:08 UTC
python-pillow-2.0.0-16.gitd1c6db8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Ján Rusnačko 2015-01-21 13:27:25 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw in the packages python-imaging, python-pillow.


Note You need to log in before you can comment on or make changes to this bug.