User: Password:
|
|
Subscribe / Log in / New account

python-imaging: two tmpfile flaws

Package(s):python-imaging CVE #(s):CVE-2014-1932 CVE-2014-1933
Created:April 4, 2014 Updated:November 24, 2014
Description: From the Mageia advisory:

Jakub Wilk discovered that temporary files were insecurely created (via mktemp()) in the IptcImagePlugin.py, Image.py, JpegImagePlugin.py, and EpsImagePlugin.py files of Python Imaging Library. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running an application that uses the Python Imaging Library (CVE-2014-1932).

Jakub Wilk discovered that temporary files created in the JpegImagePlugin.py and EpsImagePlugin.py files of the Python Imaging Library were passed to an external process. These could be viewed on the command line, allowing an attacker to obtain the name and possibly perform symbolic link attacks, allowing them to modify an arbitrary file accessible to the user running an application that uses the Python Imaging Library (CVE-2014-1933).

Alerts:
Mandriva MDVSA-2015:099 python-pillow 2015-03-28
Fedora FEDORA-2014-14980 python-pillow 2014-11-22
Fedora FEDORA-2014-14883 python-pillow 2014-11-22
Mageia MGASA-2014-0476 python-imaging, python-pillow 2014-11-21
Mandriva MDVSA-2014:082 python-imaging 2014-05-08
openSUSE openSUSE-SU-2014:0591-1 python-imaging 2014-05-02
Fedora FEDORA-2014-5487 python-pillow 2014-05-01
Fedora FEDORA-2014-5492 python-pillow 2014-05-01
Ubuntu USN-2168-1 python-imaging 2014-04-15
Mageia MGASA-2014-0159 python-pillow 2014-04-03
Mageia MGASA-2014-0158 python-imaging 2014-04-03
Gentoo 201612-52 pillow 2016-12-31

(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds