Mandriva Linux Security Advisory : python-imaging (MDVSA-2014:082)
Medium Nessus Plugin ID 73933
SynopsisThe remote Mandriva Linux host is missing one or more security updates.
DescriptionUpdated python-imaging packages fix security vulnerabilities :
Jakub Wilk discovered that temporary files were insecurely created (via mktemp()) in the IptcImagePlugin.py, Image.py, JpegImagePlugin.py, and EpsImagePlugin.py files of Python Imaging Library. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running an application that uses the Python Imaging Library (CVE-2014-1932).
Jakub Wilk discovered that temporary files created in the JpegImagePlugin.py and EpsImagePlugin.py files of the Python Imaging Library were passed to an external process. These could be viewed on the command line, allowing an attacker to obtain the name and possibly perform symbolic link attacks, allowing them to modify an arbitrary file accessible to the user running an application that uses the Python Imaging Library (CVE-2014-1933).
SolutionUpdate the affected python-imaging and / or python-imaging-devel packages.