PT-2014-4371 · Python+1 · Pillow+2
Wiredfool · Published 2014-04-03 · Updated 2022-05-17 · CVE-2014-1932
CVSS v4.0: 8.5 (High)
| Vector | AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Pillow versions prior to 2.3.1
Python Image Library (PIL) versions 1.1.7 and earlier
Description
The issue concerns the improper creation of temporary files by certain functions in Python Image Library (PIL) and Pillow, allowing local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file. The affected functions include load_djpeg in JpegImagePlugin.py, Ghostscript in EpsImagePlugin.py, load in IptcImagePlugin.py, and _copy in Image.py. There is also a potential for remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.
Recommendations
For Pillow versions prior to 2.3.1, update to version 2.3.1 or later to resolve the issue.
For Python Image Library (PIL) versions 1.1.7 and earlier, consider migrating to Pillow version 2.3.1 or later, as PIL is no longer maintained.
As a temporary workaround, consider restricting access to the affected functions, such as load_djpeg, Ghostscript, load, and _copy, until a patch is available.
Exploit
Fix
Link Following
OS Command Injection
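The Link Following weakness in the description comes down to writing to a temporary name that something else may already occupy. The following is an added example, not code from PIL or Pillow: it contrasts opening a predictable name with exclusive creation and tempfile.mkstemp(), using hypothetical function names and constructed data inside a private sandbox directory on a POSIX system.

```python
import os
import tempfile

def write_predictable(path, data):
    # Weak pattern: open() on a name picked in advance follows a symlink at that name.
    with open(path, "wb") as fh:
        fh.write(data)

def create_exclusive(path, data):
    # O_CREAT|O_EXCL fails with EEXIST if anything, even a symlink, already has the name.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def write_mkstemp(directory, data):
    # mkstemp() picks a random name and creates it exclusively with mode 0600.
    fd, path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def read(path):
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    # Everything happens inside a private sandbox directory; all data is constructed.
    with tempfile.TemporaryDirectory() as box:
        target = os.path.join(box, "important.cfg")
        guessed = os.path.join(box, "guessable.tmp")
        write_predictable(target, b"original")
        os.symlink(target, guessed)  # a link already sitting at the predictable name
        write_predictable(guessed, b"image bytes")
        weak_overwrote_target = read(target) == b"image bytes"
        write_predictable(target, b"original")  # reset before the hardened attempts
        try:
            create_exclusive(guessed, b"image bytes")
            exclusive_refused = False
        except FileExistsError:
            exclusive_refused = True
        safe_path = write_mkstemp(box, b"image bytes")
        return {
            "weak_overwrote_target": weak_overwrote_target,
            "exclusive_refused": exclusive_refused,
            "target_intact": read(target) == b"original",
            "mkstemp_mode": os.stat(safe_path).st_mode & 0o777,
        }
if __name__ == "__main__":
    print(demo())
```

When auditing code for this class of bug, calls that choose a temporary name first and open it later are the pattern to look for; the exclusive-create forms close the window between the two steps.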
Related identifiers
Affected products
Pillow
Python Image Library
Suse