PublicDateAtUSN: 2014-02-21
Candidate: CVE-2014-1933
PublicDate: 2014-04-17 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1933
 https://ubuntu.com/security/notices/USN-2168-1
Description:
 The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python
 Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 use the
 names of temporary files on the command line, which makes it easier for
 local users to conduct symlink attacks by listing the processes.
Ubuntu-Description:
Notes:
 seth-arnold> See also CVE-2014-1932
 mdeslaur> same patch as CVE-2014-1932
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_pillow:
upstream_pillow: needed
lucid_pillow: DNE
precise_pillow: DNE
quantal_pillow: DNE
saucy_pillow: DNE
devel_pillow: released (2.3.0-1ubuntu3)

Patches_python-imaging:
 upstream: https://github.com/wiredfool/Pillow/commit/a549e77bd8219a75ac745dcecc09cb963b4032a6 (bp)
 upstream: https://github.com/wiredfool/Pillow/commit/1e331e3e6a40141ca8eee4f5da9f74e895423b66
upstream_python-imaging: needed
lucid_python-imaging: released (1.1.7-1ubuntu0.2)
precise_python-imaging: released (1.1.7-4ubuntu0.12.04.1)
quantal_python-imaging: released (1.1.7-4ubuntu0.12.10.1)
saucy_python-imaging: released (1.1.7+2.0.0-1ubuntu1.1)
devel_python-imaging: DNE