To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-pil: insecure use of /tmp
Date: Wed, 29 Jan 2014 21:19:03 +0100
Package: python-pil
Version: 2.2.1-3.1
Severity: important
Tags: security
PIL/JpegImagePlugin.py contains this code:
    def load_djpeg(self):
        # ALTERNATIVE: handle JPEGs via the IJG command line utilities
        import tempfile, os
        file = tempfile.mktemp()
        os.system("djpeg %s >%s" % (self.filename, file))
From the tempfile.mktemp() docstring: “This function is unsafe and
should not be used. The file name refers to a file that did not exist at
some point, but by the time you get around to creating it, someone else
may have beaten you to the punch.”
There are other uses of tempfile.mktemp() in the PIL codebase. They are
most likely insecure too, but I haven't checked.
--
Jakub Wilk
Information forwarded
to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#737059; Package python-pil.
(Mon, 10 Feb 2014 21:30:04 GMT)
Subject: Re: Bug#737059: python-pil: insecure use of /tmp
Date: Mon, 10 Feb 2014 22:27:43 +0100
* Jakub Wilk <jwilk@debian.org>, 2014-01-29, 21:19:
>There are other uses of tempfile.mktemp() in the PIL codebase. They
>are most likely insecure too, but I haven't checked.
I have now checked the rest, and they are all insecure.
In PIL/EpsImagePlugin.py:
    file = tempfile.mktemp()
    # Build ghostscript command
    command = ["gs",
               "-q",                      # quiet mode
               "-g%dx%d" % size,          # set output geometry (pixels)
               "-r%d" % (72*scale),       # set input DPI (dots per inch)
               "-dNOPAUSE -dSAFER",       # don't pause between pages, safe mode
               "-sDEVICE=ppmraw",         # ppm driver
               "-sOutputFile=%s" % file,  # output file
               ]
    # [...]
    # push data through ghostscript
    try:
        gs = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
In PIL/IptcImagePlugin.py:
    outfile = tempfile.mktemp()
    o = open(outfile, "wb")
    if encoding == "raw":
        # To simplify access to the extracted file,
        # prepend a PPM header
        o.write("P5\n%d %d\n255\n" % self.size)
In PIL/Image.py:
    if not file:
        file = tempfile.mktemp()
    self.load()
    if not format or format == "PPM":
        self.im.save_ppm(file)
    else:
        file = file + "." + format
        self.save(file, format)
--
Jakub Wilk
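A hardened replacement for the mktemp() patterns quoted above, as an added example (not PIL's code and not part of the bug report; the helper names and the Python one-liner standing in for djpeg are my own constructions). mkstemp() creates the file with O_CREAT|O_EXCL and mode 0600 and returns an open descriptor, so there is no gap between choosing a name and creating the file for another local user to pre-create or symlink it, and the converter is invoked without a shell:

```python
import os
import stat
import subprocess
import sys
import tempfile


def run_converter_to_tempfile(argv):
    """Capture a converter's stdout in a temp file created atomically by this process.

    Replaces  file = tempfile.mktemp(); os.system("djpeg %s >%s" % (src, file)).
    The descriptor from mkstemp() is handed straight to the child as stdout and
    argv is a list, so no shell ever parses the source filename. Caller unlinks.
    """
    fd, path = tempfile.mkstemp(prefix="pil-", suffix=".ppm")
    try:
        with os.fdopen(fd, "wb") as out:
            subprocess.run(argv, stdout=out, check=True)
    except Exception:
        os.unlink(path)  # never leave a half-written file behind on failure
        raise
    return path


def write_extracted_data(data, size):
    """In-process variant for the IptcImagePlugin case: prepend a PGM header and
    write through a descriptor from mkstemp() instead of open(mktemp(), "wb")."""
    fd, path = tempfile.mkstemp(prefix="pil-", suffix=".pgm")
    with os.fdopen(fd, "wb") as out:
        out.write(b"P5\n%d %d\n255\n" % size)
        out.write(data)
    return path


def is_private_regular_file(path):
    """Check a temp path has the properties mkstemp() guarantees: a regular file
    (not a symlink planted by someone else), owned by us, no group/other bits."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)


def demo():
    """Exercise both helpers with a constructed stand-in for djpeg; returns the
    two files' contents and whether both passed is_private_regular_file()."""
    fake_djpeg = [sys.executable, "-c",
                  "import sys; sys.stdout.write('P5\\n1 1\\n255\\n')"]
    p1 = run_converter_to_tempfile(fake_djpeg)
    p2 = write_extracted_data(b"\x00\xff", (2, 1))
    try:
        ok = is_private_regular_file(p1) and is_private_regular_file(p2)
        with open(p1, "rb") as f1, open(p2, "rb") as f2:
            return f1.read(), f2.read(), ok
    finally:
        os.unlink(p1)
        os.unlink(p2)
```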
Changed Bug title to 'python-pil: CVE-2014-1932 CVE-2014-1933' from 'python-pil: insecure use of /tmp'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 11 Feb 2014 06:27:05 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#737059; Package python-pil.
(Sat, 15 Mar 2014 02:24:04 GMT)
Acknowledgement sent
to Eric Soroos <eric-debian@soroos.net>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.
(Sat, 15 Mar 2014 02:24:04 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#737059; Package python-pil.
(Sat, 15 Mar 2014 02:24:07 GMT)
Acknowledgement sent
to Eric Soroos <eric@soroos.net>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.
(Sat, 15 Mar 2014 02:24:07 GMT)
Added tag(s) fixed-upstream.
Request was from Henri Salo <henri@nerv.fi>
to control@bugs.debian.org.
(Sat, 03 May 2014 10:30:08 GMT)
Reply sent
to Matthias Klose <doko@debian.org>:
You have taken responsibility.
(Fri, 13 Jun 2014 09:42:08 GMT)
Notification sent
to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer.
(Fri, 13 Jun 2014 09:42:08 GMT)