CVE-2014-1933 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1933): The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 use the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
CVE-2014-1932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1932): The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allows local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.
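The two CVE descriptions above name two distinct bug classes: creating a temporary file at a chosen name without O_EXCL (so a planted symlink is followed), and passing the temporary file's name on a child's command line (so any local user can read it from the process list). The following is an added illustration written for this page, not PIL's or Pillow's code; the victim file, the "planted" symlink standing in for an attacker who won the race on a predictable name, and the throwaway child command are all constructed here so it runs offline.

```python
"""Insecure vs. hardened temp-file handling (illustration, not Pillow/PIL code)."""
import os
import stat
import subprocess
import sys
import tempfile


def write_temp_insecure(data, path):
    """CVE-2014-1932 pattern: open a pre-chosen temp *name* with plain open().

    open(path, "wb") is O_CREAT|O_TRUNC without O_EXCL.  If a local attacker has
    already placed a symlink at `path` (here `path` stands in for the result of
    tempfile.mktemp()), the write follows the link and clobbers its target.
    """
    with open(path, "wb") as f:
        f.write(data)
    return path


def exclusive_open_refuses_symlink(path):
    """The primitive a safe fix relies on: O_CREAT|O_EXCL fails if `path` exists,
    even when the existing entry is a symlink, so a planted link is never followed."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return True
    os.close(fd)
    return False


def write_temp_secure(data, directory):
    """Hardened pattern: tempfile.mkstemp() creates the file itself with
    O_CREAT|O_EXCL and mode 0600, retrying with a fresh random name on EEXIST,
    and hands back the open descriptor so there is no name/open gap to race."""
    fd, path = tempfile.mkstemp(suffix=".tmp", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def helper_argv_with_path(path):
    """CVE-2014-1933 pattern: the temp file name rides on the child's argv,
    which any local user can read with `ps`.  Returned, not executed."""
    return [sys.executable, "-c", "import sys; open(sys.argv[1], 'rb').read()", path]


def run_helper_via_stdin(data):
    """Hardened pattern: stream the bytes over a pipe; argv carries no file name.
    The child is a constructed stand-in (it just reverses its input)."""
    argv = [sys.executable, "-c",
            "import sys; sys.stdout.buffer.write(sys.stdin.buffer.read()[::-1])"]
    out = subprocess.run(argv, input=data, capture_output=True, check=True).stdout
    return argv, out


def demo():
    """Exercise both bug classes and their fixes; returns the observations."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "wb") as f:
            f.write(b"important")
        # Attacker guessed the temp name and planted a symlink to the victim first.
        planted = os.path.join(d, "predicted-name.tmp")
        os.symlink(victim, planted)

        write_temp_insecure(b"garbage", planted)
        with open(victim, "rb") as f:
            victim_after = f.read()          # victim's content is gone

        refused = exclusive_open_refuses_symlink(planted)
        safe = write_temp_secure(b"payload", d)
        safe_mode = stat.S_IMODE(os.stat(safe).st_mode)

        leaky_argv = helper_argv_with_path(safe)
        safe_argv, reversed_out = run_helper_via_stdin(b"payload")
        return {
            "victim_after_insecure": victim_after,
            "exclusive_open_refused": refused,
            "secure_path_is_fresh": safe != planted and not os.path.islink(safe),
            "secure_mode": safe_mode,
            "argv_leaks_path": safe in leaky_argv,
            "stdin_argv_has_no_path": safe not in safe_argv,
            "stdin_result": reversed_out,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The check to apply when reviewing similar code: any call to `tempfile.mktemp()` (or a hand-rolled name under /tmp) followed by a separate `open()`, and any subprocess invocation whose argv contains a path under a world-readable temp directory, reproduces one of these two classes.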
I just added pillow-2.3.1 to the tree, but pillow-2.4.0 has been in the tree for a while and seems to have the same fix. Let's go and stabilize 2.4.0. You will also need to stabilize dev-python/sphinx-better-theme as a dependency. As for dev-python/imaging, it might be time to just mask the remaining blockers on bug 471488.
Arches, please test and mark stable: =dev-python/pillow-2.4.0 =dev-python/sphinx-better-theme-0.1.5 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
x86 stable
Stable for HPPA.
alpha stable
arm stable
ppc stable
ppc64 stable
ia64 stable
sparc stable. Maintainer(s), please clean up. Security, please vote.
Arches, thank you for your work.

Maintainer(s), please drop the vulnerable version.

GLSA VOTE: Yes
pillow-2.3.1 is not vulnerable, so it does not need to be removed from the tree.
Also I would recommend keeping this bug open, or filing a new one for dev-python/imaging (PIL) until we can remove that from the tree.
YES too, request filed.
(In reply to Mike Gilbert from comment #16)
> Also I would recommend keeping this bug open, or filing a new one for
> dev-python/imaging (PIL) until we can remove that from the tree.

Actually, it looks like we already had a new bug open for dev-python/imaging: bug 500956. However, since all the work for fixing this vulnerability in dev-python/imaging is being done here, I guess we will mark that bug as a duplicate of this one.

Also note: while I understand that dev-python/pillow-2.3.1 was not vulnerable, it did not really fix the issue because it never went stable. So we keep <dev-python/pillow-2.4.0 in the summary because that was the first stable version to fix the issue.
*** Bug 500956 has been marked as a duplicate of this bug. ***
commit 581ffe810c1c7f40300a1cb969ac824d8de48cfb
Author: Justin Lecher <jlec@gentoo.org>
Date:   Wed Nov 11 11:00:57 2015 +0100

    Drop dev-python/imaging

    Package superseded by dev-python/pillow and vulnerable for CVE-2014-{1932,1933}

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=507982
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=508266

    obsoletes:
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=452468
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=479750
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=536408

    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=581ffe810c1c7f40300a1cb969ac824d8de48cfb
Tree is clean finally
dev-python/imaging is no longer in the tree.
This issue was resolved and addressed in GLSA 201612-52 at https://security.gentoo.org/glsa/201612-52 by GLSA coordinator Thomas Deutschmann (whissi).