Backport of: From 1e331e3e6a40141ca8eee4f5da9f74e895423b66 Mon Sep 17 00:00:00 2001
From: wiredfool
Date: Fri, 14 Mar 2014 15:56:41 -0700
Subject: [PATCH] Removed tempfile.mktemp, fixes CVE-2014-1932 CVE-2014-1933, debian bug #737059
---
 PIL/EpsImagePlugin.py | 6 ++++--
 PIL/Image.py | 9 ++++++---
 PIL/IptcImagePlugin.py | 4 ++--
 PIL/JpegImagePlugin.py | 12 ++++++++----
 4 files changed, 20 insertions(+), 11 deletions(-)
Index: python-imaging-1.1.7+2.0.0/PIL/EpsImagePlugin.py
===================================================================
--- python-imaging-1.1.7+2.0.0.orig/PIL/EpsImagePlugin.py 2014-03-31 10:19:26.172250673 -0400
+++ python-imaging-1.1.7+2.0.0/PIL/EpsImagePlugin.py 2014-03-31 10:20:06.668251330 -0400
@@ -59,7 +59,8 @@
 import tempfile, os
- file = tempfile.mktemp()
+ fd, file = tempfile.mkstemp()
+ os.close(fd)
 # Build ghostscript command
 command = ["gs",
Index: python-imaging-1.1.7+2.0.0/PIL/Image.py
===================================================================
--- python-imaging-1.1.7+2.0.0.orig/PIL/Image.py 2014-03-31 10:19:26.172250673 -0400
+++ python-imaging-1.1.7+2.0.0/PIL/Image.py 2014-03-31 10:19:26.164250673 -0400
@@ -484,14 +484,17 @@
 self.readonly = 0
 def _dump(self, file=None, format=None):
- import tempfile
+ import tempfile, os
 if not file:
- file = tempfile.mktemp()
+ f, file = tempfile.mkstemp(format or '')
+ os.close(f)
+ self.load()
 if not format or format == "PPM":
 self.im.save_ppm(file)
 else:
- file = file + "." + format
+ if file.endswith(format):
+ file = file + "." + format
 self.save(file, format)
 return file
Index: python-imaging-1.1.7+2.0.0/PIL/IptcImagePlugin.py
===================================================================
--- python-imaging-1.1.7+2.0.0.orig/PIL/IptcImagePlugin.py 2014-03-31 10:19:26.172250673 -0400
+++ python-imaging-1.1.7+2.0.0/PIL/IptcImagePlugin.py 2014-03-31 10:19:26.164250673 -0400
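Review bot: The new guard `if file.endswith(format):` in `_dump` is inverted: a name that `mkstemp(format or '')` has just created always ends with `format`, so `"." + format` is appended and the image is written to a derived path that was never created exclusively, while the securely created file is left behind empty; a caller-supplied name without the suffix now gets no extension at all, which the removed line always added. The intended test is `if not file.endswith(format):`. Because the derived path is chosen by name rather than opened via the descriptor, the `.format` variant keeps the predictable-name weakness this commit sets out to remove; passing `"." + format` as the mkstemp suffix and leaving the returned name unchanged avoids the rename entirely. `_dump` lies wholly inside the hunk; any caller that depended on the old unconditional append would need checking against the new behaviour.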
@@ -172,8 +172,8 @@
 self.fp.seek(offset)
 # Copy image data to temporary file
- outfile = tempfile.mktemp()
- o = open(outfile, "wb")
+ o_fd, outfile = tempfile.mkstemp(text=False)
+ o = os.fdopen(o_fd)
 if encoding == "raw":
 # To simplify access to the extracted file,
 # prepend a PPM header
Index: python-imaging-1.1.7+2.0.0/PIL/JpegImagePlugin.py
===================================================================
--- python-imaging-1.1.7+2.0.0.orig/PIL/JpegImagePlugin.py 2014-03-31 10:19:26.172250673 -0400
+++ python-imaging-1.1.7+2.0.0/PIL/JpegImagePlugin.py 2014-03-31 10:19:26.168250673 -0400
@@ -343,13 +343,17 @@
 # ALTERNATIVE: handle JPEGs via the IJG command line utilities
 import tempfile, os
- file = tempfile.mktemp()
- os.system("djpeg %s >%s" % (self.filename, file))
+ f, path = tempfile.mkstemp()
+ os.close(f)
+ if os.path.exists(self.filename):
+ os.system("djpeg '%s' >'%s'" % (self.filename, path))
+ else:
+ raise ValueError("Invalid Filename")
 try:
- self.im = Image.core.open_ppm(file)
+ self.im = Image.core.open_ppm(path)
 finally:
- try: os.unlink(file)
+ try: os.unlink(path)
 except: pass
 self.mode = self.im.mode
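Review bot: `o = os.fdopen(o_fd)` on the new side wraps the descriptor with fdopen's default mode, which is read-only text, whereas the removed line opened `outfile` with `"wb"`; the writes to `o` that follow (outside the hunk) will fail with "File not open for writing", and without binary mode newline translation would also corrupt the image bytes on Windows. Change it to `o = os.fdopen(o_fd, "wb")`. The hunk also relies on `os` being imported in this module but does not add the import — worth confirming at the top of the file, since the removed code only needed `tempfile`. The `text=False` argument is mkstemp's default and can be dropped.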
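Review bot: `os.system("djpeg '%s' >'%s'" % (self.filename, path))` still hands the file name to a shell; the added single quotes only hold while the name contains no quote character, and `os.path.exists` tests existence rather than content, so it is not an injection guard and adds a check-then-use window of its own. Running djpeg via `subprocess` with an argument list and redirecting stdout to the descriptor mkstemp already returned removes the shell and the close-then-reopen-by-path step; `subprocess` would need adding to the function-local line as `import tempfile, os, subprocess`. On the `else` branch the temporary file is created and then leaked, because the `raise` happens before the `try/finally` that unlinks `path`. The bare `except: pass` around the unlink predates this change but would be better as `except OSError: pass`.
```python
        f, path = tempfile.mkstemp()
        if not os.path.exists(self.filename):
            os.close(f)
            os.unlink(path)
            raise ValueError("Invalid Filename")
        try:
            # argv form: the file name is never parsed by a shell, and djpeg
            # writes straight to the descriptor mkstemp returned
            out = os.fdopen(f, "wb")
            try:
                subprocess.call(["djpeg", self.filename], stdout=out)
            finally:
                out.close()
            self.im = Image.core.open_ppm(path)
        finally:
            try: os.unlink(path)
            except OSError: pass
        # … unchanged: self.mode = self.im.mode …
```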