
Bug 507982 (CVE-2014-1933)

Summary: <dev-python/pillow-2.4.0: insecure use of /tmp (CVE-2014-{1932,1933})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities   Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 471488, 471542, 471544, 488112, 508200, 512696, 512854, 512856, 512858, 512860, 512862, 512864, 551374, 599610    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2014-04-18 10:14:34 UTC
CVE-2014-1933 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1933):
  The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python 
  Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 use the 
  names of temporary files on the command line, which makes it easier for 
  local users to conduct symlink attacks by listing the processes.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2014-04-18 10:17:14 UTC
CVE-2014-1932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1932):
  The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function 
  in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) 
  _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier 
  and Pillow before 2.3.1 do not properly create temporary files, which allow 
  local users to overwrite arbitrary files and obtain sensitive information 
  via a symlink attack on the temporary file.
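The two CVEs above describe one combined weakness: the temporary file gets a guessable name (and with CVE-2014-1933 that name is even visible to every local user via the process list), and the writer then opens that name with a plain open(), which follows whatever a local attacker has planted there. The following is an added illustration written for this bug page, not PIL or Pillow code; the file name pil_tmp.out, the victim file and the data are constructed for the demo, and it assumes a Linux/POSIX host where os.symlink works without special privileges. It races a predictable name against a planted symlink, then shows the two standard fixes: tempfile.mkstemp (random name, O_CREAT|O_EXCL, mode 0600) and, where a fixed name cannot be avoided, an exclusive no-follow create that refuses the symlink instead of writing through it.

```python
"""Symlink attack on a predictably named temporary file, and the fix.

Added illustration for CVE-2014-1932/1933 style bugs; not Pillow/PIL code.
All paths, names and contents below are constructed for the demo.
"""
import os
import stat
import tempfile

# Hypothetical guessable name; the real plugins used names that a local
# user could predict or read from the command line of the running process.
GUESSABLE_NAME = "pil_tmp.out"


def vulnerable_write(tmp_dir, data):
    """Old pattern: fixed name under a shared directory, opened with a plain
    open(), which truncates and writes through a symlink planted there."""
    path = os.path.join(tmp_dir, GUESSABLE_NAME)
    with open(path, "wb") as f:          # O_TRUNC follows the symlink
        f.write(data)
    return path


def attacker_plant_symlink(tmp_dir, victim):
    """Local attacker wins the race: pre-creates the guessable name as a
    symlink to a file they want clobbered (or read back later)."""
    link = os.path.join(tmp_dir, GUESSABLE_NAME)
    os.symlink(victim, link)
    return link


def hardened_write(tmp_dir, data):
    """mkstemp: random name, O_CREAT|O_EXCL so an existing path (symlink or
    not) is never opened, and the file is created mode 0600."""
    fd, path = tempfile.mkstemp(dir=tmp_dir, prefix="pil-", suffix=".out")
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def exclusive_create(path, data):
    """If a fixed name really cannot be avoided, O_EXCL (plus O_NOFOLLOW
    where available) makes the open fail on a pre-planted symlink rather
    than writing through it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Run both writers against a planted symlink; return what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "wb") as f:
            f.write(b"original")
        attacker_plant_symlink(d, victim)

        # 1. Vulnerable writer: the victim file is overwritten.
        vulnerable_write(d, b"clobbered")
        with open(victim, "rb") as f:
            results["victim_after_vulnerable"] = f.read()

        # 2. Exclusive create on the same fixed name refuses the symlink.
        with open(victim, "wb") as f:
            f.write(b"original")
        try:
            exclusive_create(os.path.join(d, GUESSABLE_NAME), b"clobbered")
            results["exclusive_raised"] = False
        except FileExistsError:
            results["exclusive_raised"] = True
        with open(victim, "rb") as f:
            results["victim_after_exclusive"] = f.read()

        # 3. mkstemp: fresh unpredictable name, not a symlink, mode 0600.
        path = hardened_write(d, b"private")
        results["mkstemp_mode"] = stat.S_IMODE(os.stat(path).st_mode)
        results["mkstemp_is_symlink"] = os.path.islink(path)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The mkstemp variant is the one to reach for: the random name removes the attacker's ability to pre-create the path, and O_EXCL makes the create fail rather than follow anything that is already there. Note that neither fix hides the final path from `ps` if it is later passed on a command line; what matters is that by then the file has been created exclusively by the writer, so a symlink can no longer be substituted for it.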
Comment 2 Mike Gilbert gentoo-dev 2014-04-18 13:48:23 UTC
I just added pillow-2.3.1 to the tree, but pillow-2.4.0 has been in the tree for a while and seems to have the same fix. Let's go and stabilize 2.4.0.

You will also need to stabilize dev-python/sphinx-better-theme as a dependency.

As for dev-python/imaging, it might be time to just mask the remaining blockers on bug 471488.
Comment 3 Agostino Sarubbo gentoo-dev 2014-04-18 18:42:48 UTC
Arches, please test and mark stable:
=dev-python/pillow-2.4.0
=dev-python/sphinx-better-theme-0.1.5
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2014-04-19 10:05:36 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-04-19 10:07:42 UTC
x86 stable
Comment 6 Jeroen Roovers gentoo-dev 2014-04-19 14:37:46 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2014-04-21 10:50:55 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-04-22 12:28:25 UTC
arm stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 20:04:30 UTC
CVE-2014-1933 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1933):
  The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image
  Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 use the names of
  temporary files on the command line, which makes it easier for local users
  to conduct symlink attacks by listing the processes.

CVE-2014-1932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1932):
  The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function
  in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy
  function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and
  Pillow before 2.3.1 do not properly create temporary files, which allow
  local users to overwrite arbitrary files and obtain sensitive information
  via a symlink attack on the temporary file.
Comment 10 Agostino Sarubbo gentoo-dev 2014-05-10 14:02:19 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-05-11 08:06:22 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-05-13 15:21:46 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-05-14 16:11:51 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-10 01:17:11 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.

GLSA VOTE: Yes
Comment 15 Mike Gilbert gentoo-dev 2014-06-10 01:48:33 UTC
pillow-2.3.1 is not vulnerable, so it does not need to be removed from the tree.
Comment 16 Mike Gilbert gentoo-dev 2014-06-10 01:50:07 UTC
Also I would recommend keeping this bug open, or filing a new one for dev-python/imaging (PIL) until we can remove that from the tree.
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2014-08-04 19:10:52 UTC
YES too, request filed.
Comment 18 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-14 22:38:02 UTC
(In reply to Mike Gilbert from comment #16)
> Also I would recommend keeping this bug open, or filing a new one for
> dev-python/imaging (PIL) until we can remove that from the tree.

Actually, it looks like we already had a new bug open for dev-python/imaging: bug 500956. However, since all the work for fixing this vulnerability in dev-python/imaging is being done here, I guess we will mark that bug as a duplicate of this one.

Also note: while I understand that dev-python/pillow-2.3.1 was not vulnerable, it did not really fix the issue because it never went stable. So we keep <dev-python/pillow-2.4.0 in the summary because that was the first stable version to fix the issue.
Comment 19 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-14 22:39:17 UTC
*** Bug 500956 has been marked as a duplicate of this bug. ***
Comment 20 Justin Lecher gentoo-dev 2015-11-11 10:06:34 UTC
commit 581ffe810c1c7f40300a1cb969ac824d8de48cfb
Author: Justin Lecher <jlec@gentoo.org>
Date:   Wed Nov 11 11:00:57 2015 +0100
    
    Drop dev-python/imaging
    
    Package superseded by dev-python/pillow and vulnerable
    for CVE-2014-{1932,1933}
    
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=507982
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=508266
    
    obsoletes:
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=452468
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=479750
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=536408
    
    Signed-off-by: Justin Lecher <jlec@gentoo.org>
    
    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=581ffe810c1c7f40300a1cb969ac824d8de48cfb
Comment 21 Justin Lecher gentoo-dev 2015-11-11 10:06:48 UTC
Tree is clean finally
Comment 22 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-11 07:11:14 UTC
dev-python/imaging is no longer in the tree.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2016-12-31 14:25:52 UTC
This issue was resolved and addressed in
 GLSA 201612-52 at https://security.gentoo.org/glsa/201612-52
by GLSA coordinator Thomas Deutschmann (whissi).