Bump Versions/Changelog

Icns DOS fix -- CVE-2014-3589
Found and reported by Andrew Drake of dropbox.com
2014-08-12 11:48:14 -07:00 · 2014-08-12 11:46:33 -07:00 · 2014-03-14 16:44:59 -07:00 · 2014-03-14 16:40:45 -07:00 · 2014-03-14 16:40:45 -07:00
11 changed files with 45 additions and 14 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -10,7 +10,7 @@ python:
  - 3.2
  - 3.3

-install: "sudo apt-get -qq install libfreetype6-dev liblcms2-dev libwebp-dev python-qt4 ghostscript""
+install: "sudo apt-get -qq install libfreetype6-dev liblcms2-dev libwebp-dev python-qt4 ghostscript"

 script:
  - python setup.py clean
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -1,6 +1,17 @@
 Changelog (Pillow)
 ==================

+2.3.2 (2014-08-13)
+------------------
+
+- Fixed CVE-2014-3589, a DOS in the IcnsImagePlugin
+  [Andrew Drake]
+
+2.3.1 (2014-03-14)
+------------------
+- Fix insecure use of tempfile.mktemp (CVE-2014-1932 CVE-2014-1933)
+  [wiredfool]
+
 2.3.0 (2014-01-01)
 ------------------

--- a/PIL/EpsImagePlugin.py
+++ b/PIL/EpsImagePlugin.py
@ -67,7 +67,8 @@ def Ghostscript(tile, size, fp, scale=1):

    import tempfile, os, subprocess

-    file = tempfile.mktemp()
+    out_fd, file = tempfile.mkstemp()
+    os.close(out_fd)

    # Build ghostscript command
    command = ["gs",
--- a/PIL/IcnsImagePlugin.py
+++ b/PIL/IcnsImagePlugin.py
@ -120,6 +120,8 @@ class IcnsFile:
        i = HEADERSIZE
        while i < filesize:
            sig, blocksize = nextheader(fobj)
+            if blocksize <= 0:
+                raise SyntaxError('invalid block header')
            i = i + HEADERSIZE
            blocksize = blocksize - HEADERSIZE
            dct[sig] = (i, blocksize)
--- a/PIL/Image.py
+++ b/PIL/Image.py
@ -495,14 +495,17 @@ class Image:
        self.readonly = 0

    def _dump(self, file=None, format=None):
-        import tempfile
+        import tempfile, os
        if not file:
-            file = tempfile.mktemp()
+            f, file = tempfile.mkstemp(format or '')
+            os.close(f)
+            
        self.load()
        if not format or format == "PPM":
            self.im.save_ppm(file)
        else:
-            file = file + "." + format
+            if file.endswith(format):
+                file = file + "." + format
            self.save(file, format)
        return file

--- a/PIL/IptcImagePlugin.py
+++ b/PIL/IptcImagePlugin.py
@ -172,8 +172,8 @@ class IptcImageFile(ImageFile.ImageFile):
        self.fp.seek(offset)

        # Copy image data to temporary file
-        outfile = tempfile.mktemp()
-        o = open(outfile, "wb")
+        o_fd, outfile = tempfile.mkstemp(text=False)
+        o = os.fdopen(o_fd)
        if encoding == "raw":
            # To simplify access to the extracted file,
            # prepend a PPM header
--- a/PIL/JpegImagePlugin.py
+++ b/PIL/JpegImagePlugin.py
@ -344,13 +344,17 @@ class JpegImageFile(ImageFile.ImageFile):
        # ALTERNATIVE: handle JPEGs via the IJG command line utilities

        import tempfile, os
-        file = tempfile.mktemp()
-        os.system("djpeg %s >%s" % (self.filename, file))
+        f, path = tempfile.mkstemp()
+        os.close(f)
+        if os.path.exists(self.filename):
+            os.system("djpeg '%s' >'%s'" % (self.filename, path))
+        else:
+            raise ValueError("Invalid Filename")

        try:
-            self.im = Image.core.open_ppm(file)
+            self.im = Image.core.open_ppm(path)
        finally:
-            try: os.unlink(file)
+            try: os.unlink(path)
            except: pass

        self.mode = self.im.mode
--- a/PIL/init.py
+++ b/PIL/init.py
@ -12,7 +12,7 @@
 # ;-)

 VERSION = '1.1.7'  # PIL version
-PILLOW_VERSION = '2.3.0' # Pillow
+PILLOW_VERSION = '2.3.2' # Pillow

 _plugins = ['ArgImagePlugin',
            'BmpImagePlugin',
--- a/Tests/check_icns_dos.py
+++ b/Tests/check_icns_dos.py
@ -0,0 +1,10 @@
+# Tests potential DOS of IcnsImagePlugin with 0 length block.
+# Run from anywhere that PIL is importable. 
+
+from PIL import Image
+from io import BytesIO
+
+if bytes is str:
+    Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00')))
+else:
+    Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00', 'latin-1')))
--- a/_imaging.c
+++ b/_imaging.c
@ -71,7 +71,7 @@
 * See the README file for information on usage and redistribution.
 */

-#define PILLOW_VERSION "2.3.0"
+#define PILLOW_VERSION "2.3.2"

 #include "Python.h"

--- a/setup.py
+++ b/setup.py
@ -85,7 +85,7 @@ except ImportError:


 NAME = 'Pillow'
-VERSION = '2.3.0'
+VERSION = '2.3.2'
 TCL_ROOT = None
 JPEG_ROOT = None
 ZLIB_ROOT = None
Author	SHA1	Message	Date
wiredfool	30529a0279	Bump Versions/Changelog	2014-08-12 11:48:14 -07:00
wiredfool	5efeed7766	Icns DOS fix -- CVE-2014-3589 Found and reported by Andrew Drake of dropbox.com	2014-08-12 11:46:33 -07:00
wiredfool	b8d4895bd5	Travis.yml syntax fix	2014-03-14 16:44:59 -07:00
wiredfool	bd7e6b868f	Version Bump	2014-03-14 16:40:45 -07:00
wiredfool	4e9f367dfd	Removed tempfile.mktemp, fixes CVE-2014-1932 CVE-2014-1933, debian bug #737059	2014-03-14 16:40:45 -07:00