CVE-2014-1933
Published: 21 February 2014
The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.
Notes
| Author | Note |
|---|---|
| seth-arnold | See also CVE-2014-1932 |
| mdeslaur | same patch as CVE-2014-1932 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
pillow Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| saucy |
Does not exist
|
|
| upstream |
Needed
|
|
|
python-imaging Launchpad, Ubuntu, Debian |
lucid |
Released
(1.1.7-1ubuntu0.2)
|
| precise |
Released
(1.1.7-4ubuntu0.12.04.1)
|
|
| quantal |
Released
(1.1.7-4ubuntu0.12.10.1)
|
|
| saucy |
Released
(1.1.7+2.0.0-1ubuntu1.1)
|
|
| upstream |
Needed
|
|
|
Patches: upstream: https://github.com/wiredfool/Pillow/commit/a549e77bd8219a75ac745dcecc09cb963b4032a6 upstream: https://github.com/wiredfool/Pillow/commit/1e331e3e6a40141ca8eee4f5da9f74e895423b66 |
||