Local File Overwrite Vulnerability in Python Imaging Library and Pillow
CVE-2014-1932


Key Information:

Vendor:
Python
CVE Published:
17 April 2014

Summary

The Python Imaging Library (PIL) and its fork Pillow create temporary files insecurely in several code paths, including the load_djpeg function in JpegImagePlugin.py, the Ghostscript function in EpsImagePlugin.py, the load function in IptcImagePlugin.py and the _copy function in Image.py. The affected code obtains a file name from tempfile.mktemp(), which returns an unused name without creating the file, and only opens that path afterwards. A local user who can predict or observe the name can place a symbolic link at it in the intervening window; the library then follows the link, overwriting an arbitrary file the process can write to, or leaves the image data it writes there readable by the attacker. The flaw affects PIL 1.1.7 and earlier and Pillow before 2.3.1. Pillow 2.3.1 replaced tempfile.mktemp() with tempfile.mkstemp(), which creates the file atomically (O_CREAT|O_EXCL, mode 0600) and returns an open descriptor. PIL 1.1.7 is the final PIL release and has no fix, so deployments still on PIL should migrate to a patched Pillow.
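The following is an added example written for this page, not PIL or Pillow source. It puts the two temporary-file patterns side by side: tempfile.mktemp() followed by a later open(), which leaves a window for a symlink race, and tempfile.mkstemp() / an O_CREAT|O_EXCL open, which does not. The attacker hook, the victim.txt target, the "guessed-name.ppm" path and the byte payload are constructed for the demonstration; the hook makes the race deterministic by running in the gap where a real attacker would have to win a timing race.

```python
"""Temporary-file creation: the mktemp() pattern that CVE-2014-1932 describes,
beside the mkstemp()/O_EXCL pattern that fixes it.
Example code written for this page; it is not PIL or Pillow source."""
import os
import tempfile


def write_temp_mktemp(data: bytes, tmpdir: str, attacker=None) -> str:
    """Vulnerable pattern: mktemp() only returns a currently unused name; the
    file is created later by open(). `attacker` is a hypothetical hook that runs
    in the gap between those two steps, standing in for a local user who has
    guessed or observed the name (the race the CVE describes, made deterministic
    for this demo)."""
    path = tempfile.mktemp(dir=tmpdir, suffix=".ppm")
    if attacker is not None:
        attacker(path)
    # "wb" opens with O_WRONLY|O_CREAT|O_TRUNC and no O_EXCL: if `path` is now a
    # symlink, the open follows it and truncates whatever the link points at.
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def write_temp_mkstemp(data: bytes, tmpdir: str) -> str:
    """Fixed pattern: mkstemp() picks the name and creates the file in one call
    (O_CREAT|O_EXCL, mode 0600) and returns an open descriptor, so no name ever
    exists without a file already behind it."""
    fd, path = tempfile.mkstemp(dir=tmpdir, suffix=".ppm")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def _make_victim(tmpdir: str) -> str:
    """Constructed sample target: a file the attacker wants clobbered."""
    victim = os.path.join(tmpdir, "victim.txt")
    with open(victim, "w") as fh:
        fh.write("important data")
    return victim


def mktemp_race_overwrites_victim() -> bool:
    """True if the mktemp() pattern let a planted symlink redirect the write
    onto the victim file."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = _make_victim(tmpdir)

        def plant_symlink(path: str) -> None:
            os.symlink(victim, path)  # attacker wins the race: name known, no file yet

        write_temp_mktemp(b"image bytes", tmpdir, attacker=plant_symlink)
        with open(victim) as fh:
            return fh.read() != "important data"


def exclusive_create_refuses_symlink() -> bool:
    """True if an O_CREAT|O_EXCL open (the flags mkstemp uses) refuses a path
    that is already a symlink and leaves the victim untouched. POSIX requires
    EEXIST here even when the link target does not exist."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = _make_victim(tmpdir)
        planted = os.path.join(tmpdir, "guessed-name.ppm")
        os.symlink(victim, planted)
        refused = False
        try:
            fd = os.open(planted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            refused = True
        else:
            os.close(fd)
        with open(victim) as fh:
            return refused and fh.read() == "important data"


def mkstemp_write_is_private(data: bytes = b"image bytes") -> bool:
    """True if the mkstemp()-created file came back with mode 0600 and holds
    exactly the bytes written, i.e. nothing redirected or widened it."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = write_temp_mkstemp(data, tmpdir)
        mode = os.stat(path).st_mode & 0o777
        with open(path, "rb") as fh:
            return mode == 0o600 and fh.read() == data


if __name__ == "__main__":
    print("mktemp() pattern overwrote victim:", mktemp_race_overwrites_victim())
    print("O_EXCL refused planted symlink:   ", exclusive_create_refuses_symlink())
    print("mkstemp() file private and intact:", mkstemp_write_is_private())
```

The point to take from the second pattern is that the fix is not a less guessable name but the removal of the name-then-create gap: O_EXCL fails on an existing path, symlink or not, so the attacker has nothing to race. The same holds when the temporary file is handed to an external helper such as djpeg or Ghostscript, as in the affected code paths.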


Timeline

  • Vulnerability Reserved

  • Vulnerability published: 17 April 2014
