Bug 1063660 (CVE-2014-1933) - CVE-2014-1933 python-pillow, python-imaging: temporary file name exposure in process list
Summary: CVE-2014-1933 python-pillow, python-imaging: temporary file name exposure in ...
Alias: CVE-2014-1933
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1063663 1089795
Blocks: 1063664
Reported: 2014-02-11 08:18 UTC by Murray McAllister
Modified: 2019-09-29 13:13 UTC (History)

Fixed In Version: python-pillow 2.3.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-01-21 13:21:04 UTC


Description Murray McAllister 2014-02-11 08:18:15 UTC
Jakub Wilk discovered that temporary files created in the JpegImagePlugin.py and EpsImagePlugin.py files of the Python Imaging Library were passed to an external process. These could be viewed on the command line, allowing an attacker to obtain the name and possibly perform symbolic link attacks, allowing them to modify an arbitrary file accessible to the user running an application that uses the Python Imaging Library.

Further details are available in the original report:

Comment 1 Murray McAllister 2014-02-11 08:20:39 UTC
Created python26-imaging tracking bugs for this issue:

Affects: epel-5 [bug 1063663]

Comment 2 Murray McAllister 2014-02-11 08:21:35 UTC
Related: CVE-2014-1932 / bug 1063658

Comment 3 Murray McAllister 2014-04-22 02:52:05 UTC
python-pillow is also affected:


Comment 4 Murray McAllister 2014-04-22 02:53:37 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1089795]

Comment 5 Fedora Update System 2014-05-01 07:01:39 UTC
python-pillow-2.0.0-13.gitd1c6db8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-05-01 07:03:30 UTC
python-pillow-2.2.1-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Tomas Hoger 2014-11-12 12:41:38 UTC
This does not seem to be an issue by itself; it can rather make it easier to exploit the CVE-2014-1932 (bug 1063658) issue.  A temporary file name is exposed in the process list as an argument to an external command spawned by PIL / pillow.  That can make it easier / possible for an attacker to win the race between the file existence check done by mktemp() and file creation.

The JpegImagePlugin.py case is not very interesting, as the affected code is in the load_djpeg() function, which is never called by PIL / pillow and is an undocumented API, hence unlikely to be used by external applications.

The EpsImagePlugin.py code is reached when loading a PostScript file.  Additionally, the time between the file name being exposed and the file being created seems sufficient for an attacker to win the race.  See also bug 1063658, comment 8.

Comment 8 Tomas Hoger 2014-11-12 12:49:28 UTC
Note that this issue is fixed by the same patch as CVE-2014-1932, which replaces mktemp() with mkstemp().  mkstemp() creates the temporary file safely rather than only returning a temporary file name.  Therefore, exposure of the temporary file name in the process list is no longer an issue.
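The mktemp()/mkstemp() difference described in comments 7 and 8, as an added illustration that is not code from PIL, Pillow or this bug report. It shows that mktemp() hands back a name with nothing yet at that path (the race window), that mkstemp() creates the file with a private mode before returning, and that the O_EXCL open mkstemp() relies on refuses a path where something has already been planted. The predictable temp name and the victim file are constructed for the demonstration.

```python
import os
import stat
import tempfile


def mktemp_window():
    """With mktemp() the name is returned before any file exists, so the
    caller's later open() races with anyone who learned the name (for PIL,
    from the argv of the spawned external command).  Returns (path, exists)."""
    path = tempfile.mktemp(suffix=".ppm")
    return path, os.path.exists(path)


def mkstemp_created():
    """mkstemp() creates the file (O_CREAT|O_EXCL, mode 0600) and returns an
    open descriptor together with the name; once the file already exists and is
    owned by us, exposing its name in the process list no longer matters.
    Returns (path, existed_on_return, mode_bits)."""
    fd, path = tempfile.mkstemp(suffix=".ppm")
    os.close(fd)
    existed = os.path.exists(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.unlink(path)
    return path, existed, mode


def open_exclusive(path):
    """The open(2) flags mkstemp() uses internally.  Returns True if a fresh
    file was created, False if anything (including a symlink) already sat
    at that path."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def exclusive_open_refuses_planted_link():
    """Constructed scenario: a symlink already sits at a predictable temp name
    and points at a victim file.  Returns (created, victim_contents_after)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("original")
        planted = os.path.join(d, "tmpAbCdEf.ppm")  # constructed predictable name
        os.symlink(victim, planted)
        created = open_exclusive(planted)  # O_EXCL does not follow the link
        with open(victim) as f:
            after = f.read()
    return created, after
```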
