Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31948
HistoryApr 19, 2015 - 12:00 a.m.

[ MDVSA-2015:099 ] python-pillow

2015-04-1900:00:00
vulners.com
16
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mandriva Linux Security Advisory MDVSA-2015:099
http://www.mandriva.com/en/support/security/

Package : python-pillow
Date : March 28, 2015
Affected: Business Server 2.0

Problem Description:

Updated python-imaging packages fix security vulnerabilities:

Jakub Wilk discovered that temporary files were insecurely created
(via mktemp()) in the IptcImagePlugin.py, Image.py, JpegImagePlugin.py,
and EpsImagePlugin.py files of Python Imaging Library. A local attacker
could use this flaw to perform a symbolic link attack to modify an
arbitrary file accessible to the user running an application that
uses the Python Imaging Library (CVE-2014-1932).

Jakub Wilk discovered that temporary files created in the
JpegImagePlugin.py and EpsImagePlugin.py files of the Python Imaging
Library were passed to an external process. These could be viewed
on the command line, allowing an attacker to obtain the name and
possibly perform symbolic link attacks, allowing them to modify an
arbitrary file accessible to the user running an application that
uses the Python Imaging Library (CVE-2014-1933).

The Python Imaging Library is vulnerable to a denial of service attack
in the IcnsImagePlugin (CVE-2014-3589).

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3
might allow remote attackers to execute arbitrary commands via
shell metacharacters, due to an incomplete fix for CVE-2014-1932
(CVE-2014-3007).

Pillow before 2.7.0 and 2.6.2 allows remote attackers to cause a
denial of service via a compressed text chunk in a PNG image that
has a large size when it is decompressed (CVE-2014-9601).

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1932
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1933
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601
http://advisories.mageia.org/MGASA-2014-0159.html
http://advisories.mageia.org/MGASA-2014-0343.html
http://advisories.mageia.org/MGASA-2014-0476.html
http://advisories.mageia.org/MGASA-2015-0039.html

Updated Packages:

Mandriva Business Server 2/X86_64:
851eb58425ac5564e505233acd49e147 mbs2/x86_64/python3-pillow-2.6.2-1.1.mbs2.x86_64.rpm
a24beaf54149ec5049cc215908c9a5ce mbs2/x86_64/python3-pillow-devel-2.6.2-1.1.mbs2.x86_64.rpm
5d6155bdef86b902c346cf11c55dceee mbs2/x86_64/python3-pillow-doc-2.6.2-1.1.mbs2.noarch.rpm
5727dc1b952f8d8e4214887c5f19f1e1 mbs2/x86_64/python3-pillow-sane-2.6.2-1.1.mbs2.x86_64.rpm
5d72610503946bfd2a3e5bb9f5aba317 mbs2/x86_64/python3-pillow-tk-2.6.2-1.1.mbs2.x86_64.rpm
ff25c3184b79c98affb7c287ed6bf810 mbs2/x86_64/python-pillow-2.6.2-1.1.mbs2.x86_64.rpm
b64e67fd59fbaed0a454134d8c5093b4 mbs2/x86_64/python-pillow-devel-2.6.2-1.1.mbs2.x86_64.rpm
84bac4da63c5a44bb49c353e9019ad2d mbs2/x86_64/python-pillow-doc-2.6.2-1.1.mbs2.noarch.rpm
8b567267acc437c0ebad1aeb8f85bb55 mbs2/x86_64/python-pillow-sane-2.6.2-1.1.mbs2.x86_64.rpm
b1750dd703813d162291db4f34e077eb mbs2/x86_64/python-pillow-tk-2.6.2-1.1.mbs2.x86_64.rpm
38024e50a951ebae0a6f670aed5a8b47 mbs2/SRPMS/python-pillow-2.6.2-1.1.mbs2.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFn70mqjQ0CJFipgRAijaAKCTIyac5ApvxzxZ//qQJDsnz8YPGACgruKo
LTTw2e4UyqR4Vq8nItlLmcw=
=DRbE
-----END PGP SIGNATURE-----

Related

securityvulns 5
nessus 36
fedora 7
openvas 35
ubuntucve 5
amazon 2
osv 11
cve 5
mageia 5
ubuntu 6
debiancve 5
github 5
prion 5
debian 2
gentoo 1
securityvulns
securityvulns
pillow multiple security vulnerabilities
2015-04-19 00:00:00
Python Imaging Library security vulnerabilities
2014-05-04 00:00:00
[USN-2168-1] Python Imaging Library vulnerabilities
2014-05-04 00:00:00
nessus
nessus
Mandriva Linux Security Advisory : python-pillow (MDVSA-2015:099)
2015-03-30 00:00:00
Amazon Linux 2 : python-pillow (ALAS-2023-2286)
2023-10-05 00:00:00
EulerOS 2.0 SP5 : python-pillow (EulerOS-SA-2019-2701)
2019-12-23 00:00:00
fedora
fedora
[SECURITY] Fedora 20 Update: python-pillow-2.2.1-7.fc20
2014-11-22 12:39:31
[SECURITY] Fedora 19 Update: python-pillow-2.0.0-16.gitd1c6db8.fc19
2014-11-22 12:40:12
[SECURITY] Fedora 19 Update: python-pillow-2.0.0-14.gitd1c6db8.fc19
2014-08-27 01:29:32
openvas
openvas
Fedora Update for python-pillow FEDORA-2014-14883
2014-11-23 00:00:00
Fedora Update for python-pillow FEDORA-2014-14980
2014-11-23 00:00:00
Huawei EulerOS: Security Advisory for python-pillow (EulerOS-SA-2019-2701)
2020-01-23 00:00:00
ubuntucve
ubuntucve
CVE-2014-3007
2014-04-27 00:00:00
CVE-2014-1933
2014-02-21 00:00:00
CVE-2014-9601
2015-01-16 00:00:00
amazon
amazon
Important: python-pillow
2023-09-27 22:49:00
Important: python-pillow
2023-06-05 16:39:00
osv
osv
Pillow command injection
2022-05-17 04:45:39
PYSEC-2014-87
2014-04-27 20:55:00
PYSEC-2015-16
2015-01-16 16:59:00
cve
cve
CVE-2014-3007
2014-04-27 20:55:00
CVE-2014-9601
2015-01-16 16:59:00
CVE-2014-1933
2014-04-17 14:55:00
mageia
mageia
Updated python-pillow packages fix insecure use of temporary files
2014-04-03 19:18:48
Updated python-imaging and python-pillow packages fix security vulnerability
2014-11-21 15:44:16
Updated python-imaging package fixes insecure use of temporary files
2014-04-03 19:18:48
ubuntu
ubuntu
Python Imaging Library vulnerabilities
2014-04-15 00:00:00
Pillow regresssion
2016-09-30 00:00:00
Pillow vulnerabilities
2016-09-27 00:00:00
debiancve
debiancve
CVE-2014-3007
2014-04-27 20:55:00
CVE-2014-9601
2015-01-16 16:59:00
CVE-2014-3589
2014-08-25 14:55:00
github
github
Pillow command injection
2022-05-17 04:45:39
Pillow denial of service via PNG bomb
2022-05-14 02:05:56
Pillow Temporary file name leakage
2020-05-18 17:41:19
prion
prion
Design/Logic Flaw
2014-04-27 20:55:00
Code injection
2015-01-16 16:59:00
Code injection
2014-08-25 14:55:00
debian
debian
[DLA 41-1] python-imaging security update
2014-08-24 16:38:21
[SECURITY] [DSA 3009-1] python-imaging security update
2014-08-21 18:09:34
gentoo
gentoo
Pillow: Multiple vulnerabilities
2016-12-31 00:00:00
JSON
Related for SECURITYVULNS:DOC:31948
securityvulns5nessus36fedora7openvas35ubuntucve5amazon2osv11cve5mageia5ubuntu6debiancve5github5prion5debian2gentoo1