Debian Bug report logs - #737059: python-pil: CVE-2014-1932 CVE-2014-1933
Reported by: Jakub Wilk <jwilk@debian.org>
Date: Wed, 29 Jan 2014 20:21:06 UTC
Severity: important
Tags: fixed-upstream, security
Found in version pillow/2.2.1-3.1
Fixed in version pillow/2.4.0-1
Done: Matthias Klose <doko@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Matthias Klose <doko@debian.org>: Bug#737059; Package python-pil. (Wed, 29 Jan 2014 20:21:10 GMT)
Message #3 received at submit@bugs.debian.org:
Package: python-pil
Version: 2.2.1-3.1
Severity: important
Tags: security
PIL/JpegImagePlugin.py contains this code:
    def load_djpeg(self):

        # ALTERNATIVE: handle JPEGs via the IJG command line utilities

        import tempfile, os
        file = tempfile.mktemp()
        os.system("djpeg %s >%s" % (self.filename, file))
From the tempfile.mktemp() docstring: “This function is unsafe and
should not be used. The file name refers to a file that did not exist at
some point, but by the time you get around to creating it, someone else
may have beaten you to the punch.”
There are other uses of tempfile.mktemp() in the PIL codebase. They are
most likely insecure too, but I haven't checked.
--
Jakub Wilk
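An added example, not from the bug report or from Pillow, of the check the last paragraph calls for: an ast-based finder for tempfile.mktemp() call sites that also follows module and function aliases. The sample sources are constructed here to mirror the quoted patterns; the file names are placeholders, not PIL's files.

```python
import ast

# Constructed sample sources mirroring the patterns quoted in the report (not PIL's
# real files); Safe.py uses mkstemp() and must not be flagged.
SAMPLE_SOURCES = {
    "JpegImagePlugin.py": (
        "import tempfile, os\n"
        "def load_djpeg(self):\n"
        "    file = tempfile.mktemp()\n"
        "    os.system('djpeg %s >%s' % (self.filename, file))\n"
    ),
    "IptcImagePlugin.py": (
        "from tempfile import mktemp\n"
        "outfile = mktemp()\n"
        "o = open(outfile, 'wb')\n"
    ),
    "Safe.py": "import tempfile\nfd, path = tempfile.mkstemp()\n",
}

def find_mktemp_calls(source, filename="<string>"):
    """(filename, lineno) of each tempfile.mktemp() call, however the name was imported."""
    tree = ast.parse(source, filename)
    module_names = set()   # names the tempfile module is bound to
    func_names = set()     # names the mktemp function is bound to directly
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "tempfile":
                    module_names.add(alias.asname or "tempfile")
        elif isinstance(node, ast.ImportFrom) and node.module == "tempfile":
            for alias in node.names:
                if alias.name == "mktemp":
                    func_names.add(alias.asname or "mktemp")
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and f.attr == "mktemp"
                and isinstance(f.value, ast.Name) and f.value.id in module_names):
            hits.append((filename, node.lineno))
        elif isinstance(f, ast.Name) and f.id in func_names:
            hits.append((filename, node.lineno))
    return hits

def scan(sources):
    """Scan a {filename: source} mapping; return the sorted list of hits."""
    return sorted(h for name, src in sources.items() for h in find_mktemp_calls(src, name))
```

Running scan() over a real tree means reading each .py file into the mapping; each hit is a site to rewrite with mkstemp() or NamedTemporaryFile.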
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#737059; Package python-pil. (Mon, 10 Feb 2014 21:30:04 GMT)
Message #6 received at 737059@bugs.debian.org:
* Jakub Wilk <jwilk@debian.org>, 2014-01-29, 21:19:
>There are other uses of tempfile.mktemp() in the PIL codebase. They
>are most likely insecure too, but I haven't checked.
I have now checked the rest, and they are all insecure.
In PIL/EpsImagePlugin.py:
    file = tempfile.mktemp()

    # Build ghostscript command
    command = ["gs",
               "-q",                        # quiet mode
               "-g%dx%d" % size,            # set output geometry (pixels)
               "-r%d" % (72*scale),         # set input DPI (dots per inch)
               "-dNOPAUSE -dSAFER",         # don't pause between pages, safe mode
               "-sDEVICE=ppmraw",           # ppm driver
               "-sOutputFile=%s" % file,    # output file
               ]
    # [...]
    # push data through ghostscript
    try:
        gs = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
In PIL/IptcImagePlugin.py:
    outfile = tempfile.mktemp()
    o = open(outfile, "wb")
    if encoding == "raw":
        # To simplify access to the extracted file,
        # prepend a PPM header
        o.write("P5\n%d %d\n255\n" % self.size)
In PIL/Image.py:
    if not file:
        file = tempfile.mktemp()
    self.load()
    if not format or format == "PPM":
        self.im.save_ppm(file)
    else:
        file = file + "." + format
        self.save(file, format)
--
Jakub Wilk
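Added example, not Pillow's own fix (function names and the fake decoder are this example's): the pattern that replaces every snippet quoted above. tempfile.mkstemp() creates the file itself and returns an open descriptor, so no other process can plant a file or symlink at the name first, and passing an argument list to subprocess keeps the input filename out of a shell command line.

```python
import os
import subprocess
import sys
import tempfile

def run_decoder_to_tempfile(argv, timeout=30):
    """Run an external decoder given as an argv list with its stdout redirected
    into a private temp file, and return the bytes it produced.
    mkstemp() opens the file with O_CREAT|O_EXCL and mode 0600, so there is no
    window in which the name exists but the file is not ours; the argv list means
    the input filename is never interpreted by a shell."""
    fd, path = tempfile.mkstemp(prefix="img-", suffix=".ppm")
    try:
        with os.fdopen(fd, "w+b") as out:
            # The child writes through the descriptor we own, not via a ">" redirection.
            subprocess.run(argv, stdout=out, stderr=subprocess.DEVNULL,
                           check=True, timeout=timeout)
            out.seek(0)
            return out.read()
    finally:
        os.unlink(path)   # always cleaned up, including on a non-zero exit

def decode_with_djpeg(filename):
    """The intent of load_djpeg above: djpeg writes a PPM/PGM image to stdout."""
    return run_decoder_to_tempfile(["djpeg", filename])

# Stand-in decoder (constructed for this example) so the wrapper can be exercised
# without djpeg installed: it emits a 1x1 8-bit PGM.
FAKE_DECODER = [sys.executable, "-c",
                "import sys; sys.stdout.buffer.write(b'P5\\n1 1\\n255\\n\\x7f')"]

def demo():
    return run_decoder_to_tempfile(FAKE_DECODER)

if __name__ == "__main__":
    print(demo())
```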
Changed Bug title to 'python-pil: CVE-2014-1932 CVE-2014-1933' from 'python-pil: insecure use of /tmp'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 11 Feb 2014 06:27:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#737059; Package python-pil. (Sat, 15 Mar 2014 02:24:04 GMT)
Acknowledgement sent to Eric Soroos <eric-debian@soroos.net>: Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Sat, 15 Mar 2014 02:24:04 GMT)
Message #13 received at 737059@bugs.debian.org:
Previous patch will not apply cleanly on 2.3.
This one applies cleanly:
https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
Thanks,
eric
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#737059; Package python-pil. (Sat, 15 Mar 2014 02:24:07 GMT)
Acknowledgement sent to Eric Soroos <eric@soroos.net>: Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Sat, 15 Mar 2014 02:24:07 GMT)
Message #18 received at 737059@bugs.debian.org:
There's a patch available for this issue:
https://github.com/wiredfool/Pillow/commit/1e331e3e6a40141ca8eee4f5da9f74e895423b66
It's been merged into HEAD, and will be released shortly as 2.3.1.
eric
[cve.patch (text/x-patch, attachment)]
Added tag(s) fixed-upstream. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Sat, 03 May 2014 10:30:08 GMT)
Reply sent to Matthias Klose <doko@debian.org>: You have taken responsibility. (Fri, 13 Jun 2014 09:42:08 GMT)
Notification sent to Jakub Wilk <jwilk@debian.org>: Bug acknowledged by developer. (Fri, 13 Jun 2014 09:42:08 GMT)
Message #25 received at 737059-close@bugs.debian.org:
Source: pillow
Source-Version: 2.4.0-1
We believe that the bug you reported is fixed in the latest version of
pillow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 737059@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated pillow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 16 Apr 2014 00:48:53 +0200
Source: pillow
Binary: python-pil python-pil-dbg python-pil.imagetk python-pil.imagetk-dbg python-sane python-sane-dbg python3-pil python3-pil-dbg python3-pil.imagetk python3-pil.imagetk-dbg python3-sane python3-sane-dbg python-pil-doc python-imaging
Architecture: source all amd64
Version: 2.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description:
python-imaging - Python Imaging Library compatibility layer
python-pil - Python Imaging Library (Pillow fork)
python-pil-dbg - Python Imaging Library (debug extension)
python-pil-doc - Examples for the Python Imaging Library
python-pil.imagetk - Python Imaging Library - ImageTk Module (Pillow fork)
python-pil.imagetk-dbg - Python Imaging Library - ImageTk Module (debug extension)
python-sane - Python Imaging Library - SANE interface (Pillow fork)
python-sane-dbg - Python Imaging Library - SANE interface (debug extension)
python3-pil - Python Imaging Library (Python3)
python3-pil-dbg - Python Imaging Library (Python3 debug extension)
python3-pil.imagetk - Python Imaging Library - ImageTk Module (Python3)
python3-pil.imagetk-dbg - Python Imaging Library - ImageTk Module (Python3 debug extension)
python3-sane - Python Imaging Library - SANE interface (Python3)
python3-sane-dbg - Python Imaging Library - SANE interface (Python3 debug extension)
Closes: 737059 745714 746051
Changes:
pillow (2.4.0-1) unstable; urgency=medium
.
* New upstream version.
- Fix configuration on non-linux platforms. Closes: #745714.
- CVE-2014-1932, CVE-2014-1933: Fix insecure use of /tmp. Closes: #737059.
* Fix detection of Tk. Closes: #746051.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 12 Jul 2014 07:32:21 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:47:48 2019; Machine Name: beach