CVE-2014-1932 (retired)

Priority
Description
The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function
in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4)
_copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier
and Pillow before 2.3.1 do not properly create temporary files, which allows
local users to overwrite arbitrary files and obtain sensitive information
via a symlink attack on the temporary file.
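
The flaw class described above, as an added illustration (this is not Pillow's code or its patch). It contrasts opening a pre-chosen temporary name, as happens after `tempfile.mktemp()`, with `tempfile.mkstemp()`; the file names and the scratch-directory scenario are constructed for the example.

```python
import os
import stat
import tempfile


def write_by_name(path, data):
    """Flawed pattern: the name was chosen earlier (as tempfile.mktemp() does)
    and is opened with a plain open(), which follows a symlink already there."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_exclusive(directory, data):
    """Hardened pattern: mkstemp() creates and opens in one step with
    O_CREAT | O_EXCL and mode 0600, so an existing name is never reused."""
    fd, path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Run both patterns in a private scratch directory (constructed scenario)."""
    with tempfile.TemporaryDirectory() as scratch:
        other = os.path.join(scratch, "other_users_file")  # constructed name
        guessed = os.path.join(scratch, "guessable.tmp")   # constructed name
        with open(other, "wb") as fh:
            fh.write(b"original")
        os.symlink(other, guessed)  # the temp name already exists as a symlink

        write_by_name(guessed, b"image data")
        with open(other, "rb") as fh:
            after_flawed = fh.read()  # the link target was overwritten

        with open(other, "wb") as fh:
            fh.write(b"original")  # reset for the second run
        safe = write_exclusive(scratch, b"image data")
        with open(other, "rb") as fh:
            after_hardened = fh.read()

        try:  # O_EXCL refuses a name that exists, even as a symlink
            os.close(os.open(guessed, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
            excl_refused = False
        except FileExistsError:
            excl_refused = True
        mode = stat.S_IMODE(os.stat(safe).st_mode)
        return after_flawed, after_hardened, excl_refused, mode, os.path.islink(safe)


if __name__ == "__main__":
    print(demo())
```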
Notes
 sarnold> Normally mktemp() mistakes are classed as 'low' because Ubuntu has
  hardlink and symlink protections in the kernel. However, one of the discovered
  flaws is almost certainly also a shell metacharacter injection problem.
Assigned-to
mdeslaur
Package
Upstream:needed
Ubuntu 14.04 LTS (Trusty Tahr):released (2.3.0-1ubuntu3)
More Information

Updated: 2019-03-26 12:12:48 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)