CVE-2014-1932

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2014-1932

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2014-1932.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2014-1932

Aliases

Related

SUSE-SU-2015:0777-1

Published

2014-04-17T14:55:11Z

Modified

2024-06-30T12:00:03Z

Summary

[none]

Details

The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.

References

Affected packages

Debian:11 / pillow

Package

Name: pillow
Purl: pkg:deb/debian/pillow?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.0-1

Ecosystem specific

{
    "urgency": "low"
}

Debian:12 / pillow

Package

Name: pillow
Purl: pkg:deb/debian/pillow?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.0-1

Ecosystem specific

{
    "urgency": "low"
}

Debian:13 / pillow

Package

Name: pillow
Purl: pkg:deb/debian/pillow?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.0-1

Ecosystem specific

{
    "urgency": "low"
}