Bug 863541 - (CVE-2014-1932) VUL-1: CVE-2014-1932, CVE-2014-1933: python-imaging: insecure temporary file creation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
maint:released:sles9-sp3-teradata:570...
Reported: 2014-02-12 15:33 UTC by Alexander Bergmann
Modified: 2016-04-27 20:16 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2014-02-12 15:33:56 UTC
Jakub Wilk reported a problem with python-imaging over a Debian bug report.

CVE-2014-1932 was assigned to this issue.


References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059
https://bugzilla.redhat.com/show_bug.cgi?id=1063658
Comment 1 Swamp Workflow Management 2014-02-13 23:00:12 UTC
bugbot adjusting priority
Comment 2 SMASH SMASH 2014-02-26 09:50:11 UTC
Affected packages:

SLE-11-SP3: python-imaging
SLE-10-SP3-TERADATA: python-imaging
SLE-11-SP2: python-imaging
Comment 3 Jan Matejek 2014-04-17 15:38:29 UTC
SR 36551 to SLE-10-SP2:Update:Test
SR 36552 to SLE-11-SP3:Update:Test, applies for all of SLE11
(this covers all listed packages, but I'm not sure if these are the right projects to submit)

fixes for openSUSE and SLE12 will follow
Comment 5 Jan Matejek 2014-04-18 15:37:41 UTC
resubmitted to SLE-10 and SLE-11
submitted for 13.1, Factory and SLE12

ping me if we want an update for 12.3 as well
otherwise this is all, closing
Comment 7 Bernhard Wiedemann 2014-04-18 16:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (863541) was mentioned in
https://build.opensuse.org/request/show/230785 13.1 / python-imaging
https://build.opensuse.org/request/show/230788 Factory / python-imaging
Comment 8 Alexander Bergmann 2014-04-22 07:58:19 UTC
Jan, I've just checked and we need a submission for SLE-11-SP1 as well. You just have to take the same submission as for SLE-11-SP3. 

Sorry that this wasn't mentioned in comment 2.
Comment 9 Alexander Bergmann 2014-04-22 09:40:14 UTC
Okay, I've checked further and we missed mentioning CVE-2014-1933 in this bug and therefore inside the submissions.

CVE-2014-1932:
The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.

CVE-2014-1933:
The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 use the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.

The fix for both CVEs is the same:
https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7

Please mention both CVEs inside the changes files and supersede the previous submissions (+SLE-11-SP1).
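A defender's illustration of the two temporary-file defects summarised in comment 9, added here as example code (it is neither PIL's code nor the Pillow fix commit): the mktemp-then-open pattern that leaves a symlink window beside the mkstemp pattern that creates the file atomically, a pipe-based way to feed an external converter so no temporary file name appears on its command line, and a check a reviewer can run on any temp file a library leaves behind. All function names, the `img-` prefix and the sample bytes are constructed for this example.

```python
import os
import stat
import subprocess
import tempfile


def save_via_mktemp(data: bytes) -> str:
    """Vulnerable pattern (constructed, not Pillow's code): mktemp() only
    returns a name; the file is created later by open(), which follows a
    symlink another local user planted at that name in the meantime."""
    path = tempfile.mktemp()
    with open(path, "wb") as f:
        f.write(data)
    return path


def save_via_mkstemp(data: bytes) -> str:
    """Hardened pattern: mkstemp() creates the file atomically with O_EXCL
    and mode 0600 and hands back an open descriptor, so there is no window
    in which a symlink can be substituted for the file."""
    fd, path = tempfile.mkstemp(prefix="img-")
    with os.fdopen(fd, "wb") as f:   # fdopen takes ownership of fd
        f.write(data)
    return path


def run_filter_over_pipes(argv, data: bytes) -> bytes:
    """Hand data to an external converter on stdin and read its stdout:
    no temporary file name on the command line (the CVE-2014-1933 issue)
    and no temporary file at all."""
    proc = subprocess.run(argv, input=data, capture_output=True, check=True)
    return proc.stdout


def temp_file_is_private(path: str) -> bool:
    """Assumed review check (POSIX): the path is a regular file rather than
    a symlink, owned by the current user and readable only by that user."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and stat.S_IMODE(st.st_mode) == 0o600)


def read_and_remove(path: str) -> bytes:
    """Read back a temp file we own and delete it afterwards."""
    with open(path, "rb") as f:
        data = f.read()
    os.unlink(path)
    return data
```

`save_via_mktemp` is kept only to show the shape of the bug; code under review should exhibit the `save_via_mkstemp` or `run_filter_over_pipes` shape.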
Comment 10 Swamp Workflow Management 2014-04-22 09:40:47 UTC
The SWAMPID for this issue is 57073.
This issue was rated as moderate.
Please submit fixed packages until 2014-05-06.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 11 Johannes Segitz 2014-04-22 09:44:24 UTC
Please also update 12.3.
Comment 12 Alexander Bergmann 2014-04-22 09:48:19 UTC
The same goes for SLE-9-SP3-TD.
Comment 14 Jan Matejek 2014-04-22 17:05:42 UTC
(In reply to comment #9)
> Please mention both CVEs inside the changes files and supersede the previous
> submissions (+SLE-11-SP1).

My SP3 submission was declined with the comment that it should be directed to
just SLE-11:Update:Test.
Is one submission to that repo OK to cover all SPs?
Comment 16 Marcus Meissner 2014-04-23 06:46:20 UTC
python-imaging exists only once in the SLE11 codebase; for all service packs it lives in the GA part. As it was not forked, it is used also for the newer service packs.

$ osci se python-imaging
SUSE:SLE-11:GA                                              python-imaging
SUSE:SLE-11:Update:Test                                     python-imaging

so SUSE:SLE-11:Update:Test is the target for GA, SP1, SP2, SP3.
Comment 17 Bernhard Wiedemann 2014-04-23 13:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (863541) was mentioned in
https://build.opensuse.org/request/show/231152 12.3 / python-imaging
Comment 18 Bernhard Wiedemann 2014-04-23 14:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (863541) was mentioned in
https://build.opensuse.org/request/show/231162 13.1 / python-imaging
https://build.opensuse.org/request/show/231163 12.3 / python-imaging
Comment 19 Jan Matejek 2014-04-23 14:10:02 UTC
submitted with the new CVE codes for maintenance updates
Comment 20 Johannes Segitz 2014-04-23 14:15:22 UTC
Reopened to track SLE
Comment 21 Alexander Bergmann 2014-04-24 13:14:52 UTC
Jan, please resubmit the SLE-10 submission to SUSE:SLE-10-SP3:Update:Test.
Comment 22 Jan Matejek 2014-04-24 13:57:50 UTC
SR 36711
Comment 24 Bernhard Wiedemann 2014-04-30 11:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (863541) was mentioned in
https://build.opensuse.org/request/show/232182 Factory / python-imaging
Comment 25 Swamp Workflow Management 2014-05-02 12:04:41 UTC
openSUSE-SU-2014:0591-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 863541
CVE References: CVE-2014-1932,CVE-2014-1933
Sources used:
openSUSE 13.1 (src):    python-imaging-1.1.7-18.4.1
openSUSE 12.3 (src):    python-imaging-1.1.7-15.4.1
Comment 26 Swamp Workflow Management 2014-05-22 13:04:20 UTC
Update released for: python-imaging
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 27 Swamp Workflow Management 2014-05-22 14:04:24 UTC
Update released for: python-imaging, python-imaging-debuginfo, python-imaging-sane
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 28 Swamp Workflow Management 2014-05-22 14:04:44 UTC
Update released for: python-imaging, python-imaging-debuginfo, python-imaging-debugsource, python-imaging-sane
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 29 Swamp Workflow Management 2014-05-22 20:47:58 UTC
Update released for: python-imaging, python-imaging-debuginfo, python-imaging-debugsource, python-imaging-sane
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 30 Swamp Workflow Management 2014-05-23 00:05:10 UTC
SUSE-SU-2014:0705-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 863541
CVE References: CVE-2014-1932,CVE-2014-1933
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    python-imaging-1.1.6-168.34.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    python-imaging-1.1.6-168.34.1
SUSE Linux Enterprise Server 11 SP3 (src):    python-imaging-1.1.6-168.34.1
Comment 31 Marcus Meissner 2014-06-20 08:57:06 UTC
was released
Comment 32 Swamp Workflow Management 2015-03-30 08:58:02 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61371
Comment 33 Swamp Workflow Management 2015-03-30 08:58:16 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61372