diff -Nru pillow-2.3.0/debian/changelog pillow-2.3.0/debian/changelog --- pillow-2.3.0/debian/changelog 2014-03-23 15:28:42.000000000 +0000 +++ pillow-2.3.0/debian/changelog 2014-03-31 14:08:25.000000000 +0000 @@ -1,3 +1,14 @@ +pillow (2.3.0-1ubuntu3) trusty; urgency=medium + + * SECURITY UPDATE: insecure use of temporary files + - debian/patches/CVE-2014-193x.patch: use tempfile.mkstemp() in + PIL/EpsImagePlugin.py, PIL/Image.py, PIL/IptcImagePlugin.py, + PIL/JpegImagePlugin.py. + - CVE-2014-1932 + - CVE-2014-1933 + + -- Marc Deslauriers Mon, 31 Mar 2014 10:07:00 -0400 + pillow (2.3.0-1ubuntu2) trusty; urgency=medium * No-change rebuild to drop Python 3.3 support. diff -Nru pillow-2.3.0/debian/patches/CVE-2014-193x.patch pillow-2.3.0/debian/patches/CVE-2014-193x.patch --- pillow-2.3.0/debian/patches/CVE-2014-193x.patch 1970-01-01 00:00:00.000000000 +0000 +++ pillow-2.3.0/debian/patches/CVE-2014-193x.patch 2014-03-31 14:08:57.000000000 +0000 
@@ -0,0 +1,142 @@
+Description: fix insecure use of temporary files
+Origin: backport, https://github.com/wiredfool/Pillow/commit/a549e77bd8219a75ac745dcecc09cb963b4032a6
+Origin: backport, https://github.com/wiredfool/Pillow/commit/1e331e3e6a40141ca8eee4f5da9f74e895423b66
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059
+
+Index: pillow-2.3.0/PIL/EpsImagePlugin.py
+===================================================================
+--- pillow-2.3.0.orig/PIL/EpsImagePlugin.py 2013-12-28 03:33:26.000000000 -0500
++++ pillow-2.3.0/PIL/EpsImagePlugin.py 2014-03-31 10:06:46.768238362 -0400
+@@ -67,16 +67,31 @@
+ 
+ import tempfile, os, subprocess
+ 
+- file = tempfile.mktemp()
++ out_fd, outfile = tempfile.mkstemp()
++ os.close(out_fd)
++ in_fd, infile = tempfile.mkstemp()
++ os.close(in_fd)
++
++ with open(infile, 'wb') as f:
++ fp.seek(offset)
++ while length >0:
++ s = fp.read(100*1024)
++ if not s:
++ break
++ length = length - len(s)
++ f.write(s)
+ 
+ # Build ghostscript command
+ command = ["gs",
+- "-q", # quite mode
+- "-g%dx%d" % size, # set output geometry (pixels)
+- "-r%d" % (72*scale), # set input DPI (dots per inch)
+- "-dNOPAUSE -dSAFER", # don't pause between pages, safe mode
+- "-sDEVICE=ppmraw", # ppm driver
+- "-sOutputFile=%s" % file,# output file
++ "-q", # quiet mode
++ "-g%dx%d" % size, # set output geometry (pixels)
++ "-r%d" % (72*scale), # set input DPI (dots per inch)
++ "-dNOPAUSE -dSAFER", # don't pause between pages, safe mode
++ "-sDEVICE=ppmraw", # ppm driver
++ "-sOutputFile=%s" % outfile, # output file
++ "-c", "%d %d translate" % (-bbox[0], -bbox[1]),
++ # adjust for image origin
++ "-f", infile, # input file
+ ]
+ 
+ if gs_windows_binary is not None:
+@@ -87,23 +102,15 @@
+ # push data through ghostscript
+ try:
+ gs = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
+- # adjust for image origin
+- if bbox[0] != 0 or bbox[1] != 0:
+- gs.stdin.write(("%d %d translate\n" % (-bbox[0], -bbox[1])).encode('ascii'))
+- fp.seek(offset)
+- while length > 0:
+- s = fp.read(8192)
+- if not s:
+- break
+- length = length - len(s)
+- gs.stdin.write(s)
+ gs.stdin.close()
+ status = gs.wait()
+ if status:
+ raise IOError("gs failed (status %d)" % status)
+- im = Image.core.open_ppm(file)
++ im = Image.core.open_ppm(outfile)
+ finally:
+- try: os.unlink(file)
++ try:
++ os.unlink(outfile)
++ os.unlink(infile)
+ except: pass
+ 
+ return im
+Index: pillow-2.3.0/PIL/Image.py
+===================================================================
+--- pillow-2.3.0.orig/PIL/Image.py 2013-12-28 04:08:14.000000000 -0500
++++ pillow-2.3.0/PIL/Image.py 2014-03-31 10:06:46.768238362 -0400
+@@ -495,14 +495,17 @@
+ self.readonly = 0
+ 
+ def _dump(self, file=None, format=None):
+- import tempfile
++ import tempfile, os
+ if not file:
+- file = tempfile.mktemp()
++ f, file = tempfile.mkstemp(format or '')
++ os.close(f)
++
+ self.load()
+ if not format or format == "PPM":
+ self.im.save_ppm(file)
+ else:
+- file = file + "." + format
++ if file.endswith(format):
++ file = file + "." + format
+ self.save(file, format)
+ return file
+ 
+Index: pillow-2.3.0/PIL/IptcImagePlugin.py
+===================================================================
+--- pillow-2.3.0.orig/PIL/IptcImagePlugin.py 2013-12-28 03:33:26.000000000 -0500
++++ pillow-2.3.0/PIL/IptcImagePlugin.py 2014-03-31 10:06:46.768238362 -0400
+@@ -172,8 +172,8 @@
+ self.fp.seek(offset)
+ 
+ # Copy image data to temporary file
+- outfile = tempfile.mktemp()
+- o = open(outfile, "wb")
++ o_fd, outfile = tempfile.mkstemp(text=False)
++ o = os.fdopen(o_fd)
+ if encoding == "raw":
+ # To simplify access to the extracted file,
+ # prepend a PPM header
+Index: pillow-2.3.0/PIL/JpegImagePlugin.py
+===================================================================
+--- pillow-2.3.0.orig/PIL/JpegImagePlugin.py 2013-12-28 03:33:26.000000000 -0500
++++ pillow-2.3.0/PIL/JpegImagePlugin.py 2014-03-31 10:06:46.768238362 -0400
+@@ -344,13 +344,17 @@
+ # ALTERNATIVE: handle JPEGs via the IJG command line utilities
+ 
+ import tempfile, os
+- file = tempfile.mktemp()
+- os.system("djpeg %s >%s" % (self.filename, file))
++ f, path = tempfile.mkstemp()
++ os.close(f)
++ if os.path.exists(self.filename):
++ os.system("djpeg '%s' >'%s'" % (self.filename, path))
++ else:
++ raise ValueError("Invalid Filename")
+ 
+ try:
+- self.im = Image.core.open_ppm(file)
++ self.im = Image.core.open_ppm(path)
+ finally:
+- try: os.unlink(file)
++ try: os.unlink(path)
+ except: pass
+ 
+ self.mode = self.im.mode
diff -Nru pillow-2.3.0/debian/patches/series pillow-2.3.0/debian/patches/series
--- pillow-2.3.0/debian/patches/series 2014-02-04 13:15:02.000000000 +0000
+++ pillow-2.3.0/debian/patches/series 2014-03-31 14:06:32.000000000 +0000
@@ -2,3 +2,4 @@
 toplevel-setup.py
 generate-webp-file
 disable-icm-tests.diff
+CVE-2014-193x.patch
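Review bot: In the rewritten `command` list of the first EpsImagePlugin.py hunk, `"-dNOPAUSE -dSAFER"` is still a single list element, so with `subprocess.Popen(command, ...)` and no shell gs receives one argv token rather than two options; I am not certain gs applies `-dSAFER` from that combined token, and this hunk now feeds the input to gs through `"-f", infile`, so the safe-mode flag is the one that matters for untrusted EPS data. Put them on separate lines, `"-dNOPAUSE",` and `"-dSAFER",`, each keeping its comment. As a point of style, the copy loop's `while length >0:` should be `while length > 0:` like the loop it replaces. The enclosing `Ghostscript` function starts above the hunk.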
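Review bot: In the second EpsImagePlugin.py hunk the new `finally` block puts both `os.unlink` calls under one `try`, so if removing `outfile` raises, `infile` is never removed, and the bare `except: pass` hides that — a leftover temporary file is exactly what this patch is meant to eliminate. Guard each removal separately, e.g. `for p in (outfile, infile):` / `try: os.unlink(p)` / `except OSError: pass`. The rest of the function is above this hunk.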
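Review bot: `if file.endswith(format):` in the Image.py hunk appears to have the test inverted: the removed line appended the suffix unconditionally, and because `tempfile.mkstemp(format or '')` produces a name that ends in `format` (with no dot), the generated path always takes this branch, `self.save` writes to `<tmp><format>.<format>`, and the empty file mkstemp created is orphaned; a caller-supplied name that lacks the suffix now gets none. Change the two lines to `f, file = tempfile.mkstemp("." + format if format else "")` and `if not file.endswith(format):`. `_dump` is contained entirely within this hunk.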
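Review bot: `o = os.fdopen(o_fd)` in the IptcImagePlugin.py hunk drops the mode, so the descriptor is wrapped with the default read mode although the line it replaces opened the file with `"wb"` and the comment says image data is copied into it; presumably the writes below the hunk would then fail on a read-only file object. Use `o = os.fdopen(o_fd, "wb")`. The enclosing method starts and ends outside the hunk, and the hunk relies on `os` already being imported in this module, which it does not show.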
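Review bot: The new `os.system("djpeg '%s' >'%s'" % (self.filename, path))` in the JpegImagePlugin.py hunk still builds a shell command from `self.filename`; the single quotes end at the first `'` in the name, and the added `os.path.exists` check only confirms the file exists, not what characters its name contains. Run the tool without a shell and redirect stdout yourself: `with open(path, "wb") as out:` / `subprocess.check_call(["djpeg", self.filename], stdout=out)`, adding `subprocess` to the `import tempfile, os` line. Separately, `raise ValueError("Invalid Filename")` runs after `mkstemp()` but before the `try`/`finally` that unlinks `path`, so a missing source file leaves the temporary file behind; do the existence check before creating it. The enclosing method starts above the hunk.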