Bug 1063658 (CVE-2014-1932) - CVE-2014-1932 python-pillow, python-imaging: insecure temporary file creation
Summary: CVE-2014-1932 python-pillow, python-imaging: insecure temporary file creation
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-1932
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1063662 1089795
Blocks: 1063664
TreeView+ depends on / blocked
 
Reported: 2014-02-11 08:15 UTC by Murray McAllister
Modified: 2019-09-29 13:13 UTC (History)
5 users (show)

Fixed In Version: python-pillow 2.3.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-21 13:22:49 UTC


Attachments (Terms of Use)

Description Murray McAllister 2014-02-11 08:15:07 UTC
Jakub Wilk discovered that temporary files were insecurely created (via mktemp()) in the IptcImagePlugin.py, Image.py, JpegImagePlugin.py, and EpsImagePlugin.py files of Python Imaging Library. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running an application that uses the Python Imaging Library.

Further details are available in the original report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059

Comment 1 Murray McAllister 2014-02-11 08:19:36 UTC
Created python26-imaging tracking bugs for this issue:

Affects: epel-5 [bug 1063662]

Comment 2 Murray McAllister 2014-02-11 08:21:14 UTC
Related: CVE-2014-1933 / bug 1063660

Comment 3 Murray McAllister 2014-04-22 02:51:47 UTC
python-pillow is also affected:

https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7

Comment 4 Murray McAllister 2014-04-22 02:53:12 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1089795]

Comment 5 Tomas Hoger 2014-11-10 22:41:33 UTC
(In reply to Murray McAllister from comment #3)
> python-pillow is also affected:
> 
> https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7

Note that the above Pillow fix had a bug in the Image._dump() implementation.  When _dump() was called with no filename and with format specified and different form PPM, temporary file used was not the one created by tempfile.mkstemp(), but rather a file with a name matching temporary file name followed by dot and format (i.e. with appended extension as .jpg or .png added).  This could make it easier for a local attacker to exploit this case than the original code using tempfile.mktemp(), as it allows attacker to observe the actual temporary file name.

The regression was fixed in:

https://github.com/python-pillow/Pillow/pull/605
https://github.com/python-pillow/Pillow/commit/844ed441deb6b75d3048fa111977188ed47f0b76

The Pillow itself only calls _dump() with specified format from ImageShow.py and only on Windows or Mac OS platforms.

Comment 6 Sandro Mani 2014-11-10 23:58:13 UTC
Should I reference this bug when creating updates for python-pillow-2.2.1-6.fc20, python-pillow-2.0.0-15.gitd1c6db8.fc19 (which fix the issue pointed out in comment #5)? Or #1089795?

Comment 7 Murray McAllister 2014-11-11 00:35:18 UTC
(In reply to Sandro Mani from comment #6)
> Should I reference this bug when creating updates for
> python-pillow-2.2.1-6.fc20, python-pillow-2.0.0-15.gitd1c6db8.fc19 (which
> fix the issue pointed out in comment #5)? Or #1089795?

Hi, I think you need to refer to both of them. From <http://fedoraproject.org/wiki/Security_Tracking_Bugs>:

"The maintainer commits the fixes, builds packages and creates an update request. He refers to both parent bug and tracking bug. Bodhi is able to identify that the bug is a tracking bug and doesn't include it in the new package announce mail."

Comment 8 Tomas Hoger 2014-11-12 12:29:09 UTC
A quick look at impact of each mktemp use:

* Image.py

mktemp() is used in _dump() function.  As the name starting with underscore suggests, it's internal function rather than public API expected to be used by the applications using PIL / pillow.

Impact depends on the dump file format.  If is format different from None and "PPM" is specified, an additional extension is appended to the name returned by mktemp().  This breaks the guarantee that the temporary file used did not exist at the time mktemp() was run, making it easier to exploit.

The _dump() can only be called by PIL / pillow with non-None format from Image.show(), a function to display image in external image viewer application, and only on Windows or Mac OS platform.  On Linux, format=None is used.

The _dump() is also called from GifImagePlugin.py and JpegImagePlugin.py, but only from non-default functions to save image to a given format - _save_netpbm() and _save_cjpeg() functions respectively.

* EpsImagePlugin.py

mktemp() is used in Ghostscript() to load images in post script format.  The gs (from the ghostscript package) must be available.

This case seems to be the easiest to exploit.  Temporary file name is exposed on the command line (see bug 1063660) of the gs command (and shell spawning it), and there's non-trivial delay between the name gets exposed, and the time gs actually creates the file.

* JpegImagePlugin.py

mktemp() is used in load_djpeg().  That is undocumented API, and never called by PIL/pillow.  Only applications that explicitly call it can be affected.

* IptcImagePlugin.py

mktemp() is used in load(), hence this can be triggered when loading image.  Exploitability should be similar to the _dump() case with format=None - chosen temporary file name is not exposed, and there's short delay between mktemp() call and file creation.

Comment 10 Fedora Update System 2014-11-22 12:39:29 UTC
python-pillow-2.2.1-7.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2014-11-22 12:40:10 UTC
python-pillow-2.0.0-16.gitd1c6db8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.