Bugzilla – Bug 863541
VUL-1: CVE-2014-1932, CVE-2014-1933: python-imaging: insecure temporary file creation
Last modified: 2016-04-27 20:16:14 UTC
Jakub Wilk reported a problem with python-imaging over a Debian bug report. CVE-2014-1932 was assigned to this issue. References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059 https://bugzilla.redhat.com/show_bug.cgi?id=1063658
bugbot adjusting priority
Affected packages: SLE-11-SP3: python-imaging SLE-10-SP3-TERADATA: python-imaging SLE-11-SP2: python-imaging
SR 36551 to SLE-10-SP2:Update:Test
SR 36552 to SLE-11-SP3:Update:Test, applies for all of SLE11 (this covers all listed packages, but I'm not sure if these are the right projects to submit)
fixes for openSUSE and SLE12 will follow
resubmitted to SLE-10 and SLE-11
submitted for 13.1, Factory and SLE12
ping me if we want an update for 12.3 as well, otherwise this is all, closing
This is an autogenerated message for OBS integration: This bug (863541) was mentioned in https://build.opensuse.org/request/show/230785 13.1 / python-imaging https://build.opensuse.org/request/show/230788 Factory / python-imaging
Jan, I've just checked and we need a submission for SLE-11-SP1 as well. You just have to take the same submission as for SLE-11-SP3. Sorry that this wasn't mentioned in comment 2.
Okay, I've checked further and we forgot to mention CVE-2014-1933 in this bug and therefore inside the submissions.

CVE-2014-1932: The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allows local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.

CVE-2014-1933: The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 use the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.

The fix for both CVEs is the same: https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7

Please mention both CVEs inside the changes files and supersede the previous submissions (+SLE-11-SP1).
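The temp-file race the two CVEs describe, as an added Python example (not code from this bug or from Pillow): the name-first pattern the old plugins used, beside the O_EXCL / mkstemp pattern that closes the window. All file names are constructed inside a private directory, and the demo assumes a POSIX system where open(O_CREAT|O_EXCL) refuses a symlink.

```python
import os
import tempfile

# Constructed demo, not Pillow's code. The pre-fix PIL plugins picked a temp
# file name first and opened it later; that gap is the race in CVE-2014-1932.
def write_scratch_unsafe(path, data):
    # open() follows a symlink planted at `path` and truncates its target.
    with open(path, "wb") as f:
        f.write(data)
    return path

def exclusive_create(path, data):
    # O_EXCL makes the kernel refuse if anything, a symlink included,
    # already sits at `path`, instead of following it.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def write_scratch_safe(tmpdir, data, suffix=".ppm"):
    # mkstemp() does the same with an unpredictable name and mode 0600 in one
    # step and returns the open descriptor. Keep using the fd (or a pipe)
    # instead of putting the name on a helper's command line (CVE-2014-1933).
    fd, path = tempfile.mkstemp(suffix=suffix, dir=tmpdir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def created_privately(path):
    # islink/lstat: never follow a link while checking what was created.
    return not os.path.islink(path) and (os.lstat(path).st_mode & 0o077) == 0

def demo():
    # Private-dir replay: a link is planted where the scratch file is expected.
    d = tempfile.mkdtemp()
    victim = os.path.join(d, "victim.txt")
    with open(victim, "wb") as f:
        f.write(b"original")
    planted = os.path.join(d, "scratch.ppm")
    os.symlink(victim, planted)
    write_scratch_unsafe(planted, b"clobbered")   # naive writer follows the link
    with open(victim, "rb") as f:
        clobbered = f.read()
    try:
        exclusive_create(planted, b"blocked")     # O_EXCL refuses the link
        refused = False
    except FileExistsError:
        refused = True
    safe = write_scratch_safe(d, b"ok")           # mkstemp never touches it
    return clobbered, refused, created_privately(safe)
```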
The SWAMPID for this issue is 57073. This issue was rated as moderate. Please submit fixed packages until 2014-05-06. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Please also update 12.3.
The same goes for SLE-9-SP3-TD.
(In reply to comment #9)
> Please mention both CVEs inside the changes files and supersede the previous
> submissions (+SLE-11-SP1).

My SP3 submission was declined with the comment that it should be directed to just SLE-11:Update:Test. Is one submission to that repo OK to cover all SPs?
python-imaging is only once in the SLE11 codebase; for all service packs it lives in the GA parts. As it was not forked, it is used also for the newer service packs.

$ osci se python-imaging
SUSE:SLE-11:GA python-imaging
SUSE:SLE-11:Update:Test python-imaging

so SUSE:SLE-11:Update:Test is the target for GA, SP1, SP2, SP3.
This is an autogenerated message for OBS integration: This bug (863541) was mentioned in https://build.opensuse.org/request/show/231152 12.3 / python-imaging
This is an autogenerated message for OBS integration: This bug (863541) was mentioned in https://build.opensuse.org/request/show/231162 13.1 / python-imaging https://build.opensuse.org/request/show/231163 12.3 / python-imaging
submitted with the new CVE codes for maintenance updates
Reopened to track SLE
Jan, please resubmit the SLE-10 submission to SUSE:SLE-10-SP3:Update:Test.
SR 36711
This is an autogenerated message for OBS integration: This bug (863541) was mentioned in https://build.opensuse.org/request/show/232182 Factory / python-imaging
openSUSE-SU-2014:0591-1: An update that fixes two vulnerabilities is now available.
Category: security (low)
Bug References: 863541
CVE References: CVE-2014-1932,CVE-2014-1933
Sources used:
openSUSE 13.1 (src): python-imaging-1.1.7-18.4.1
openSUSE 12.3 (src): python-imaging-1.1.7-15.4.1
Update released for: python-imaging
Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
Update released for: python-imaging, python-imaging-debuginfo, python-imaging-sane
Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: python-imaging, python-imaging-debuginfo, python-imaging-debugsource, python-imaging-sane
Products: SLE-DEBUGINFO 11-SP1-TERADATA (x86_64), SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: python-imaging, python-imaging-debuginfo, python-imaging-debugsource, python-imaging-sane
Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0705-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 863541
CVE References: CVE-2014-1932,CVE-2014-1933
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): python-imaging-1.1.6-168.34.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): python-imaging-1.1.6-168.34.1
SUSE Linux Enterprise Server 11 SP3 (src): python-imaging-1.1.6-168.34.1
was released
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-04-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61371
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-04-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61372