Hello community, here is the log from the commit of package python-imaging for openSUSE:Factory checked in at 2014-05-01 07:51:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-imaging (Old) and /work/SRC/openSUSE:Factory/.python-imaging.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-imaging"
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-imaging/python-imaging.changes 2013-12-12 11:23:56.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.python-imaging.new/python-imaging.changes 2014-05-01 07:51:54.000000000 +0200
@@ -1,0 +2,6 @@
+Thu Apr 17 15:53:13 CEST 2014 - jmatejek@suse.com
+
+- added CVE-2014-1932-mktemp.patch: insecure temporary file creation
+  CVE-2014-1932, bnc#863541
+
+-------------------------------------------------------------------
New:
----
CVE-2014-1932-mktemp.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-imaging.spec ++++++
--- /var/tmp/diff_new_pack.ocb1h1/_old 2014-05-01 07:51:55.000000000 +0200
+++ /var/tmp/diff_new_pack.ocb1h1/_new 2014-05-01 07:51:55.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package python-imaging
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -61,6 +61,8 @@
 # PATCH-FIX-UPSTREAM use-recommended-freetype-include.patch -- Freetype upstream recommends using their macros together with
 # ft2build include. Positive sideeffect is that this patch makes it build with both freetype2 2.5.1, and older versions
 Patch4: use-recommended-freetype-include.patch
+# CVE-2014-1932 - insecure use of `mktemp`
+Patch5: CVE-2014-1932-mktemp.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -96,6 +98,7 @@
 %patch2
 %patch3
 %patch4 -p1
+%patch5 -p1
 cp %{S:1} .
 
 %build
++++++ CVE-2014-1932-mktemp.patch ++++++
From 4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7 Mon Sep 17 00:00:00 2001
From: wiredfool <eric-github@soroos.net>
Date: Fri, 14 Mar 2014 15:56:41 -0700
Subject: [PATCH] Removed tempfile.mktemp, fixes CVE-2014-1932 CVE-2014-1933, debian bug #737059
---
 PIL/EpsImagePlugin.py | 3 ++-
 PIL/Image.py | 9 ++++++---
 PIL/IptcImagePlugin.py | 4 ++--
 PIL/JpegImagePlugin.py | 12 ++++++++----
 4 files changed, 18 insertions(+), 10 deletions(-)
Index: Imaging-1.1.7/PIL/EpsImagePlugin.py
===================================================================
--- Imaging-1.1.7.orig/PIL/EpsImagePlugin.py 2009-11-01 01:44:11.000000000 +0100
+++ Imaging-1.1.7/PIL/EpsImagePlugin.py 2014-04-18 15:47:47.125694292 +0200
@@ -44,7 +44,8 @@
 
 import tempfile, os
 
- file = tempfile.mktemp()
+ out_fd, file = tempfile.mkstemp()
+ os.close(out_fd)
 
 # Build ghostscript command
 command = ["gs",
Index: Imaging-1.1.7/PIL/Image.py
===================================================================
--- Imaging-1.1.7.orig/PIL/Image.py 2009-11-15 16:51:25.000000000 +0100
+++ Imaging-1.1.7/PIL/Image.py 2014-04-18 15:57:25.748089006 +0200
@@ -482,14 +482,22 @@
 self.readonly = 0
 
 def _dump(self, file=None, format=None):
- import tempfile
- if not file:
- file = tempfile.mktemp()
+ import tempfile, os
+ self.load()
+
+ suffix = ''
+ if format: suffix = '.' + format
+
+ if not file:
+ f, file = tempfile.mkstemp(suffix)
+ os.close(f)
+
 if not format or format == "PPM":
 self.im.save_ppm(file)
 else:
- file = file + "." + format
+ if not file.endswith(format):
+ file = file + "." + format
 self.save(file, format)
 return file
Index: Imaging-1.1.7/PIL/IptcImagePlugin.py
===================================================================
--- Imaging-1.1.7.orig/PIL/IptcImagePlugin.py 2009-11-01 01:44:12.000000000 +0100
+++ Imaging-1.1.7/PIL/IptcImagePlugin.py 2014-04-18 15:47:47.125694292 +0200
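Review bot: The new line `out_fd, file = tempfile.mkstemp()` keeps the name `file`, which shadows the Python 2 `file` builtin (PIL 1.1.7 is Python 2 code); the original had the same flaw, but since the line is being rewritten anyway, `out_fd, outfile = tempfile.mkstemp()` with `outfile` used in the gs command below reads cleaner. Closing the descriptor and letting gs reopen the path by name is acceptable here: mkstemp has already created the file with O_EXCL and owner-only permissions, so the pre-creation race that CVE-2014-1932 describes is closed. Removal of the temporary file after rendering is outside the hunk, so I cannot confirm it still happens; presumably the enclosing function's existing cleanup covers the renamed variable.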
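Review bot: The new guard `if not file.endswith(format):` in `_dump` tests for the bare format name rather than the extension, so a caller-supplied name that merely ends with those letters (a constructed example: `"outPNG"` with format `"PNG"`) now gets no extension at all, a silent change from the old unconditional append; `suffix` already holds `'.' + format`, so the check should read `if not file.endswith(suffix):`. The mkstemp/close/reopen-by-name sequence is fine for the temporary path, since the file exists with owner-only permissions before `save_ppm` or `save` opens it. `_dump` is shown in full in this hunk.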
@@ -173,8 +173,8 @@
 self.fp.seek(offset)
 
 # Copy image data to temporary file
- outfile = tempfile.mktemp()
- o = open(outfile, "wb")
+ o_fd, outfile = tempfile.mkstemp(text=False)
+ o = os.fdopen(o_fd)
 if encoding == "raw":
 # To simplify access to the extracted file,
 # prepend a PPM header
Index: Imaging-1.1.7/PIL/JpegImagePlugin.py
===================================================================
--- Imaging-1.1.7.orig/PIL/JpegImagePlugin.py 2009-11-01 01:44:12.000000000 +0100
+++ Imaging-1.1.7/PIL/JpegImagePlugin.py 2014-04-18 16:03:18.452141478 +0200
@@ -343,15 +343,18 @@
 
 # ALTERNATIVE: handle JPEGs via the IJG command line utilities
 
+ if not os.path.exists(self.filename):
+ raise ValueError("Invalid Filename")
+
 import tempfile, os
- file = tempfile.mktemp()
- os.system("djpeg %s >%s" % (self.filename, file))
+ f, path = tempfile.mkstemp()
+ os.close(f)
 
 try:
- self.im = Image.core.open_ppm(file)
+ os.system("djpeg '%s' >'%s'" % (self.filename, path))
+ self.im = Image.core.open_ppm(path)
 finally:
- try: os.unlink(file)
- except: pass
+ os.unlink(path)
 
 self.mode = self.im.mode
 self.size = self.im.size
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
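Review bot: `o = os.fdopen(o_fd)` opens the descriptor in the default read mode, replacing what used to be `open(outfile, "wb")`, so the PPM header and image data writes that follow in this method will fail on the first write; it should be `o = os.fdopen(o_fd, "wb")`. The replacement also relies on `os`, which the removed lines did not need; confirm that `os` is imported at module level in IptcImagePlugin.py, because the import is not visible in the hunk. The enclosing method, including the writes and the eventual removal of `outfile`, continues outside the hunk.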
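Review bot: The added `os.path.exists(self.filename)` check runs before the `import tempfile, os` line of the same method, so unless `os` is already bound at module level (not visible in this hunk) the new check raises NameError rather than the intended ValueError; it belongs below the import. The single quotes added around both operands of the `os.system` string still leave the filename subject to shell parsing, since a name containing a quote character ends the quoted argument, so the command should be built as an argument list with subprocess and its stdout pointed at the descriptor mkstemp already opened, instead of closing that descriptor and re-quoting the path. The rewrite below keeps the mkstemp/unlink structure and the `Image.core.open_ppm` call; the enclosing method's signature is outside the hunk.
```python
        import subprocess, tempfile, os
        if not os.path.exists(self.filename):
            raise ValueError("Invalid Filename")
        f, path = tempfile.mkstemp()
        try:
            out = os.fdopen(f, "wb")
            try:
                # argument list, no shell: the filename is passed verbatim to djpeg
                subprocess.check_call(["djpeg", self.filename], stdout=out)
            finally:
                out.close()
            self.im = Image.core.open_ppm(path)
        finally:
            os.unlink(path)
        # … unchanged: self.mode / self.size assignments …
```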