Fluid Attacks Database

Description

Pillow Temporary file name leakage The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pillow	>=0 <2.3.1	2.3.1
debian 11	pillow	>=0 <2.4.0-1	2.4.0-1
debian 12	pillow	>=0 <2.4.0-1	2.4.0-1
debian 14	pillow	>=0 <2.4.0-1	2.4.0-1
debian 13	pillow	>=0 <2.4.0-1	2.4.0-1
rpm rhel7	python-pillow	-	-
rpm rhel6	python-imaging	-	-
rpm rhel5	python-imaging	-	-

Aliases

1. CVE-2014-19332. NVD-2014-19333. OSV-2014-19334. OSV-DEBIAN-2014-19335. GCVE-2014-19336. security.gentoo.org7. SECURITY-TRACKER-CVE-2014-1933

References

1. https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee72. https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2014-23.yaml3. http://lists.opensuse.org/opensuse-updates/2014-05/msg00002.html4. http://www.openwall.com/lists/oss-security/2014/02/10/155. http://www.openwall.com/lists/oss-security/2014/02/11/16. http://www.ubuntu.com/usn/USN-2168-1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.