{"id":"MGASA-2014-0159","summary":"Updated python-pillow packages fix insecure use of temporary files","details":"Updated python-imaging packages fix security vulnerabilities:\n\nJakub Wilk discovered that temporary files were insecurely created (via\nmktemp()) in the IptcImagePlugin.py, Image.py, JpegImagePlugin.py, and\nEpsImagePlugin.py files of Python Imaging Library. A local attacker could use\nthis flaw to perform a symbolic link attack to modify an arbitrary file\naccessible to the user running an application that uses the Python Imaging\nLibrary (CVE-2014-1932).\n\nJakub Wilk discovered that temporary files created in the JpegImagePlugin.py\nand EpsImagePlugin.py files of the Python Imaging Library were passed to an\nexternal process. These could be viewed on the command line, allowing an\nattacker to obtain the name and possibly perform symbolic link attacks,\nallowing them to modify an arbitrary file accessible to the user running an\napplication that uses the Python Imaging Library (CVE-2014-1933).\n","modified":"2026-01-30T10:29:53.557309Z","published":"2014-04-03T15:18:48Z","related":["CVE-2014-1932","CVE-2014-1933"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0159.html"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1063658"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1063660"},{"type":"REPORT","url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=13075"}],"affected":[{"package":{"name":"python-pillow","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/python-pillow?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-0.4.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0159.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}