Hello community,

here is the log from the commit of package python-imaging for openSUSE:Factory 
checked in at 2014-05-01 07:51:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-imaging (Old)
 and      /work/SRC/openSUSE:Factory/.python-imaging.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-imaging"

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-imaging/python-imaging.changes    
2013-12-12 11:23:56.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.python-imaging.new/python-imaging.changes       
2014-05-01 07:51:54.000000000 +0200
@@ -1,0 +2,6 @@
+Thu Apr 17 15:53:13 CEST 2014 - jmate...@suse.com
+
+- added CVE-2014-1932-mktemp.patch: insecure temporary file creation
+  CVE-2014-1932, bnc#863541
+
+-------------------------------------------------------------------

New:
----
  CVE-2014-1932-mktemp.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-imaging.spec ++++++
--- /var/tmp/diff_new_pack.ocb1h1/_old  2014-05-01 07:51:55.000000000 +0200
+++ /var/tmp/diff_new_pack.ocb1h1/_new  2014-05-01 07:51:55.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package python-imaging
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -61,6 +61,8 @@
 # PATCH-FIX-UPSTREAM use-recommended-freetype-include.patch -- Freetype 
upstream recommends using their macros together with
 # ft2build include. Positive sideeffect is that this patch makes it build with 
both freetype2 2.5.1, and older versions
 Patch4:         use-recommended-freetype-include.patch
+# CVE-2014-1932 - insecure use of `mktemp`
+Patch5:         CVE-2014-1932-mktemp.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -96,6 +98,7 @@
 %patch2
 %patch3
 %patch4 -p1
+%patch5 -p1
 cp %{S:1} .
 
 %build

++++++ CVE-2014-1932-mktemp.patch ++++++
>From 4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7 Mon Sep 17 00:00:00 2001
From: wiredfool <eric-git...@soroos.net>
Date: Fri, 14 Mar 2014 15:56:41 -0700
Subject: [PATCH] Removed tempfile.mktemp, fixes CVE-2014-1932 CVE-2014-1933,
 debian bug #737059

---
 PIL/EpsImagePlugin.py  |  3 ++-
 PIL/Image.py           |  9 ++++++---
 PIL/IptcImagePlugin.py |  4 ++--
 PIL/JpegImagePlugin.py | 12 ++++++++----
 4 files changed, 18 insertions(+), 10 deletions(-)

Index: Imaging-1.1.7/PIL/EpsImagePlugin.py
===================================================================
--- Imaging-1.1.7.orig/PIL/EpsImagePlugin.py    2009-11-01 01:44:11.000000000 
+0100
+++ Imaging-1.1.7/PIL/EpsImagePlugin.py 2014-04-18 15:47:47.125694292 +0200
@@ -44,7 +44,8 @@
 
     import tempfile, os
 
-    file = tempfile.mktemp()
+    out_fd, file = tempfile.mkstemp()
+    os.close(out_fd)
 
     # Build ghostscript command
     command = ["gs",
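Review bot: Closing `out_fd` immediately after `mkstemp()` on the second added line means the function relies on the path rather than the descriptor, so the file it created (mode 0600, unpredictable name) stays on disk and must be removed on every exit path by the rest of the function, which starts and ends outside this hunk. If the existing cleanup there does not also cover a failed gs run, every failed render leaks one temp file per call; a `try: ... finally: os.unlink(file)` around the gs invocation would close that. A one-line comment would help the next reader see why the descriptor is discarded: `# mkstemp() creates the file 0600 with an unpredictable name; gs is handed the path and reopens it`.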
Index: Imaging-1.1.7/PIL/Image.py
===================================================================
--- Imaging-1.1.7.orig/PIL/Image.py     2009-11-15 16:51:25.000000000 +0100
+++ Imaging-1.1.7/PIL/Image.py  2014-04-18 15:57:25.748089006 +0200
@@ -482,14 +482,22 @@
         self.readonly = 0
 
     def _dump(self, file=None, format=None):
-        import tempfile
-        if not file:
-            file = tempfile.mktemp()
+        import tempfile, os
+
         self.load()
+
+        suffix = ''
+        if format: suffix = '.' + format
+
+        if not file:
+            f, file = tempfile.mkstemp(suffix)
+            os.close(f)
+
         if not format or format == "PPM":
             self.im.save_ppm(file)
         else:
-            file = file + "." + format
+            if not file.endswith(format):
+                file = file + "." + format
             self.save(file, format)
         return file
 
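Review bot: The new `if not file.endswith(format)` guard compares against the bare format name rather than the extension, so a caller-supplied path such as `/tmp/outPNG` is now saved with no `.PNG` appended, whereas the removed line always appended it; `if not file.endswith("." + format):` keeps the intent (skip only when the mkstemp suffix is already present) without that change for explicit paths. The comparison is also case-sensitive, which matters only if callers pass lower-case extensions. The single-line compound `if format: suffix = '.' + format` should be split over two lines per PEP 8.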
Index: Imaging-1.1.7/PIL/IptcImagePlugin.py
===================================================================
--- Imaging-1.1.7.orig/PIL/IptcImagePlugin.py   2009-11-01 01:44:12.000000000 
+0100
+++ Imaging-1.1.7/PIL/IptcImagePlugin.py        2014-04-18 15:47:47.125694292 
+0200
@@ -173,8 +173,8 @@
         self.fp.seek(offset)
 
         # Copy image data to temporary file
-        outfile = tempfile.mktemp()
-        o = open(outfile, "wb")
+        o_fd, outfile = tempfile.mkstemp(text=False)
+        o = os.fdopen(o_fd)
         if encoding == "raw":
             # To simplify access to the extracted file,
             # prepend a PPM header
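Review bot: `o = os.fdopen(o_fd)` on the second added line opens the descriptor in the default mode `"r"`, whereas the removed line opened the path with `"wb"`; the write into `o` that follows (outside the hunk) will fail with "File not open for writing", so this should read `o = os.fdopen(o_fd, "wb")`. `text=False` is already mkstemp's default and can be dropped. The enclosing method starts before and ends after the hunk, and the hunk does not show whether `os` is imported in this module — worth confirming, since the removed lines needed only `tempfile` and the builtin `open`.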
Index: Imaging-1.1.7/PIL/JpegImagePlugin.py
===================================================================
--- Imaging-1.1.7.orig/PIL/JpegImagePlugin.py   2009-11-01 01:44:12.000000000 
+0100
+++ Imaging-1.1.7/PIL/JpegImagePlugin.py        2014-04-18 16:03:18.452141478 
+0200
@@ -343,15 +343,18 @@
 
         # ALTERNATIVE: handle JPEGs via the IJG command line utilities
 
+        if not os.path.exists(self.filename):
+            raise ValueError("Invalid Filename")
+
         import tempfile, os
-        file = tempfile.mktemp()
-        os.system("djpeg %s >%s" % (self.filename, file))
+        f, path = tempfile.mkstemp()
+        os.close(f)
 
         try:
-            self.im = Image.core.open_ppm(file)
+            os.system("djpeg '%s' >'%s'" % (self.filename, path))
+            self.im = Image.core.open_ppm(path)
         finally:
-            try: os.unlink(file)
-            except: pass
+            os.unlink(path)
 
         self.mode = self.im.mode
         self.size = self.im.size
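Review bot: The single quotes added around `%s` on the `os.system` line do not make the command safe: a filename containing `'` still breaks out of the quoting and the remainder runs as shell, and the new `os.path.exists` check does not prevent that, since a malicious name can still point at a real file. The shell is only needed for the `>` redirect, which the descriptor from `mkstemp()` can replace — keep `f` open, hand it to `subprocess` as `stdout`, pass the arguments as a list, and check the exit status so a failed djpeg does not leave `open_ppm` reading an empty file. Note also that the existence check uses `os` before the local `import tempfile, os` below it, which raises NameError unless `os` is also imported at module level (not visible here); the rewrite below moves the import first. `subprocess` requires Python 2.4 or later, which the rest of the package may or may not already assume. The enclosing method starts before and ends after this hunk.
```python
        import os, subprocess, tempfile

        if not os.path.exists(self.filename):
            raise ValueError("Invalid Filename")

        # mkstemp() hands back an open 0600 descriptor; write djpeg's output
        # through it instead of via a shell redirect so self.filename is never
        # interpreted by a shell
        f, path = tempfile.mkstemp()
        try:
            out = os.fdopen(f, "wb")
            try:
                subprocess.check_call(["djpeg", self.filename], stdout=out)
            finally:
                out.close()
            self.im = Image.core.open_ppm(path)
        finally:
            os.unlink(path)
        # … unchanged: self.mode / self.size assignments …
```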
-- 