python-pil: CVE-2014-1932 CVE-2014-1933

Debian Bug report logs - #737059

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Wed, 29 Jan 2014 20:21:06 UTC

Severity: important

Tags: fixed-upstream, security

Found in version pillow/2.2.1-3.1

Fixed in version pillow/2.4.0-1

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Matthias Klose <doko@debian.org>:
Bug#737059; Package python-pil. (Wed, 29 Jan 2014 20:21:10 GMT) (full text, mbox, link).


Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-pil: insecure use of /tmp
Date: Wed, 29 Jan 2014 21:19:03 +0100
Package: python-pil
Version: 2.2.1-3.1
Severity: important
Tags: security

PIL/JpegImagePlugin.py contains this code:

    def load_djpeg(self):

        # ALTERNATIVE: handle JPEGs via the IJG command line utilities

        import tempfile, os
        file = tempfile.mktemp()
        os.system("djpeg %s >%s" % (self.filename, file))

From the tempfile.mktemp() docstring: “This function is unsafe and 
should not be used. The file name refers to a file that did not exist at 
some point, but by the time you get around to creating it, someone else 
may have beaten you to the punch.”

There are other uses of tempfile.mktemp() in the PIL codebase. They are 
most likely insecure too, but I haven't checked.

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#737059; Package python-pil. (Mon, 10 Feb 2014 21:30:04 GMT) (full text, mbox, link).


Message #6 received at 737059@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: 737059@bugs.debian.org
Subject: Re: Bug#737059: python-pil: insecure use of /tmp
Date: Mon, 10 Feb 2014 22:27:43 +0100
* Jakub Wilk <jwilk@debian.org>, 2014-01-29, 21:19:
>There are other uses of tempfile.mktemp() in the PIL codebase. They 
>are most likely insecure too, but I haven't checked.

I have now checked the rest, and they are all insecure.

In PIL/EpsImagePlugin.py:

    file = tempfile.mktemp()

    # Build ghostscript command
    command = ["gs",
               "-q",                    # quiet mode
               "-g%dx%d" % size,        # set output geometry (pixels)
               "-r%d" % (72*scale),     # set input DPI (dots per inch)
               "-dNOPAUSE -dSAFER",     # don't pause between pages, safe mode
               "-sDEVICE=ppmraw",       # ppm driver
               "-sOutputFile=%s" % file, # output file
            ]

    # [...]

    # push data through ghostscript
    try:
        gs = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE)

In PIL/IptcImagePlugin.py:

        outfile = tempfile.mktemp()
        o = open(outfile, "wb")
        if encoding == "raw":
            # To simplify access to the extracted file,
            # prepend a PPM header
            o.write("P5\n%d %d\n255\n" % self.size)

In PIL/Image.py:

        if not file:
            file = tempfile.mktemp()
        self.load()
        if not format or format == "PPM":
            self.im.save_ppm(file)
        else:
            file = file + "." + format
            self.save(file, format)

-- 
Jakub Wilk
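Added example (not code from Pillow or from this bug report) contrasting the tempfile.mktemp() pattern quoted in both messages above with the tempfile.mkstemp() approach. create_exclusive() spells out the O_EXCL open that mkstemp() relies on, and demo() constructs a directory where an entry already occupies the intended name, showing that the exclusive open refuses it while an open-by-name silently reuses it. The file names, image size and pixel bytes are constructed; a POSIX filesystem is assumed.

```python
import os
import stat
import tempfile

PPM_HEADER = b"P5\n%d %d\n255\n"


def write_ppm_safe(size, pixels, tmpdir=None):
    # mkstemp() creates the file itself with O_CREAT|O_EXCL and mode 0600 and
    # hands back the open descriptor; the path is never reopened by name.
    fd, outfile = tempfile.mkstemp(suffix=".ppm", dir=tmpdir)
    with os.fdopen(fd, "wb") as o:
        o.write(PPM_HEADER % size)
        o.write(pixels)
    return outfile


def create_exclusive(path):
    # The primitive mkstemp() builds on: O_EXCL makes the kernel refuse the
    # open if anything (file or symlink) already occupies the name.
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)


def is_private_regular_file(path):
    # Post-condition worth checking on any temp output (POSIX assumed):
    # a regular file, not a symlink, readable/writable by the owner only.
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def demo():
    # Constructed scenario: an entry already occupies the name we intend to
    # use. open() by name (the mktemp() pattern) reuses it without complaint;
    # the exclusive open raises FileExistsError instead.
    d = tempfile.mkdtemp()
    planted = os.path.join(d, "planted.ppm")
    open(planted, "wb").close()
    with open(planted, "wb") as o:
        o.write(PPM_HEADER % (2, 1))
    reused = os.path.getsize(planted) > 0
    try:
        os.close(create_exclusive(planted))
        refused = False
    except FileExistsError:
        refused = True
    safe = write_ppm_safe((2, 1), b"\x00\xff", tmpdir=d)
    with open(safe, "rb") as f:
        body = f.read()
    return reused, refused, is_private_regular_file(safe), body
```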



Changed Bug title to 'python-pil: CVE-2014-1932 CVE-2014-1933' from 'python-pil: insecure use of /tmp' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 11 Feb 2014 06:27:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#737059; Package python-pil. (Sat, 15 Mar 2014 02:24:04 GMT) (full text, mbox, link).


Acknowledgement sent to Eric Soroos <eric-debian@soroos.net>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Sat, 15 Mar 2014 02:24:04 GMT) (full text, mbox, link).


Message #13 received at 737059@bugs.debian.org (full text, mbox, reply):

From: Eric Soroos <eric-debian@soroos.net>
To: 737059@bugs.debian.org
Subject: Patch for 2.3.0
Date: Fri, 14 Mar 2014 16:49:38 -0700
Previous patch will not apply cleanly on 2.3.

This one applies cleanly: 
https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7

Thanks,

eric



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#737059; Package python-pil. (Sat, 15 Mar 2014 02:24:07 GMT) (full text, mbox, link).


Acknowledgement sent to Eric Soroos <eric@soroos.net>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Sat, 15 Mar 2014 02:24:07 GMT) (full text, mbox, link).


Message #18 received at 737059@bugs.debian.org (full text, mbox, reply):

From: Eric Soroos <eric@soroos.net>
To: 737059@bugs.debian.org
Subject: Patch available
Date: Fri, 14 Mar 2014 16:17:08 -0700
There's a patch available for this issue: 
https://github.com/wiredfool/Pillow/commit/1e331e3e6a40141ca8eee4f5da9f74e895423b66

It's been merged into HEAD, and will be released shortly as 2.3.1.

eric

[cve.patch (text/x-patch, attachment)]

Added tag(s) fixed-upstream. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Sat, 03 May 2014 10:30:08 GMT) (full text, mbox, link).


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Fri, 13 Jun 2014 09:42:08 GMT) (full text, mbox, link).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Fri, 13 Jun 2014 09:42:08 GMT) (full text, mbox, link).


Message #25 received at 737059-close@bugs.debian.org (full text, mbox, reply):

From: Matthias Klose <doko@debian.org>
To: 737059-close@bugs.debian.org
Subject: Bug#737059: fixed in pillow 2.4.0-1
Date: Fri, 13 Jun 2014 09:38:41 +0000
Source: pillow
Source-Version: 2.4.0-1

We believe that the bug you reported is fixed in the latest version of
pillow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737059@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated pillow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 16 Apr 2014 00:48:53 +0200
Source: pillow
Binary: python-pil python-pil-dbg python-pil.imagetk python-pil.imagetk-dbg python-sane python-sane-dbg python3-pil python3-pil-dbg python3-pil.imagetk python3-pil.imagetk-dbg python3-sane python3-sane-dbg python-pil-doc python-imaging
Architecture: source all amd64
Version: 2.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description:
 python-imaging - Python Imaging Library compatibility layer
 python-pil - Python Imaging Library (Pillow fork)
 python-pil-dbg - Python Imaging Library (debug extension)
 python-pil-doc - Examples for the Python Imaging Library
 python-pil.imagetk - Python Imaging Library - ImageTk Module (Pillow fork)
 python-pil.imagetk-dbg - Python Imaging Library - ImageTk Module (debug extension)
 python-sane - Python Imaging Library - SANE interface (Pillow fork)
 python-sane-dbg - Python Imaging Library - SANE interface (debug extension)
 python3-pil - Python Imaging Library (Python3)
 python3-pil-dbg - Python Imaging Library (Python3 debug extension)
 python3-pil.imagetk - Python Imaging Library - ImageTk Module (Python3)
 python3-pil.imagetk-dbg - Python Imaging Library - ImageTk Module (Python3 debug extension)
 python3-sane - Python Imaging Library - SANE interface (Python3)
 python3-sane-dbg - Python Imaging Library - SANE interface (Python3 debug extension)
Closes: 737059 745714 746051
Changes:
 pillow (2.4.0-1) unstable; urgency=medium
 .
   * New upstream version.
     - Fix configuration on non-linux platforms. Closes: #745714.
     - CVE-2014-1932, CVE-2014-1933: Fix insecure use of /tmp. Closes: #737059.
   * Fix detection of Tk. Closes: #746051.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 12 Jul 2014 07:32:21 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:47:48 2019; Machine Name: beach
