High severity · NVD Advisory · Published Apr 17, 2014 · Updated May 6, 2026
CVE-2014-1932
Description
The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.
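The description turns on the difference between `tempfile.mktemp()`, which only returns a name that the caller later opens by path, and `tempfile.mkstemp()`, which creates the file itself with `O_CREAT|O_EXCL` and mode 0600 and hands back the descriptor. The Python below is an added example written for this page, not Pillow's code or the fix commit's: it shows the secure pattern the fix moved to (write through the returned descriptor, opened in the right mode) and checks why an exclusive create stops a pre-existing symlink at the chosen name. The helper names and the file names in the demo are made up here.

```python
import os
import stat
import tempfile


def write_temp_securely(data, suffix=""):
    """Create a private temp file and write data through the fd mkstemp returns.

    mkstemp() creates the file itself with O_CREAT|O_EXCL and mode 0600, so a
    name someone pre-created (for example a symlink to another file) is never
    reused: the call fails instead of following the link. Opening the fd with
    os.fdopen(fd, "wb") writes to exactly that inode; reopening by path would
    give up that guarantee.
    """
    fd, path = tempfile.mkstemp(suffix=suffix)
    try:
        # The mode matters: os.fdopen(fd) without a mode is read-only.
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    except Exception:
        os.unlink(path)
        raise
    return path


def is_private_regular_file(path):
    """Return True if path is a regular file accessible only by its owner."""
    st = os.lstat(path)  # lstat: do not follow symlinks when checking
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def read_and_remove(path):
    """Read the temp file back and delete it (callers own cleanup of mkstemp files)."""
    try:
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.unlink(path)


def exclusive_create_refuses_existing():
    """Show why O_EXCL is the fix: an entry already present at the chosen name is rejected.

    Everything happens inside a private directory created for this demo; the
    'victim' file stands in for any file a predictable temp name might be pointed at.
    Returns (creation_refused, victim_untouched).
    """
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")        # constructed demo file
        with open(victim, "w") as f:
            f.write("original")
        predicted = os.path.join(d, "predictable-name")  # constructed: a name chosen ahead of time
        os.symlink(victim, predicted)

        refused = False
        try:
            fd = os.open(predicted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            os.close(fd)
        except FileExistsError:
            refused = True  # the exclusive create saw the existing link and stopped

        with open(victim) as f:
            untouched = f.read() == "original"
    return refused, untouched


if __name__ == "__main__":
    p = write_temp_securely(b"hello")
    print(p, is_private_regular_file(p), read_and_remove(p))
    print(exclusive_create_refuses_existing())
```

The two things to carry over into any code that replaces `mktemp()` are visible here: keep using the descriptor `mkstemp()` returns (with an explicit mode) rather than reopening the path, and treat the returned path as the caller's responsibility to unlink.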
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | < 2.3.1 | 2.3.1 |
Affected products
- cpe:2.3:a:pythonware:python_imaging_library:*:*:*:*:*:*:*:* (range: <= 1.1.7)
Patches
4e9f367dfd3f: Removed tempfile.mktemp, fixes CVE-2014-1932 CVE-2014-1933, debian bug #737059
4 files changed · +18 −10
PIL/EpsImagePlugin.py+2 −1 modified@@ -67,7 +67,8 @@ def Ghostscript(tile, size, fp, scale=1): import tempfile, os, subprocess - file = tempfile.mktemp() + out_fd, file = tempfile.mkstemp() + os.close(out_fd) # Build ghostscript command command = ["gs",
PIL/Image.py+6 −3 modified@@ -495,14 +495,17 @@ def _copy(self): self.readonly = 0 def _dump(self, file=None, format=None): - import tempfile + import tempfile, os if not file: - file = tempfile.mktemp() + f, file = tempfile.mkstemp(format or '') + os.close(f) + self.load() if not format or format == "PPM": self.im.save_ppm(file) else: - file = file + "." + format + if file.endswith(format): + file = file + "." + format self.save(file, format) return file
PIL/IptcImagePlugin.py+2 −2 modified@@ -172,8 +172,8 @@ def load(self): self.fp.seek(offset) # Copy image data to temporary file - outfile = tempfile.mktemp() - o = open(outfile, "wb") + o_fd, outfile = tempfile.mkstemp(text=False) + o = os.fdopen(o_fd) if encoding == "raw": # To simplify access to the extracted file, # prepend a PPM header
PIL/JpegImagePlugin.py+8 −4 modified@@ -344,13 +344,17 @@ def load_djpeg(self): # ALTERNATIVE: handle JPEGs via the IJG command line utilities import tempfile, os - file = tempfile.mktemp() - os.system("djpeg %s >%s" % (self.filename, file)) + f, path = tempfile.mkstemp() + os.close(f) + if os.path.exists(self.filename): + os.system("djpeg '%s' >'%s'" % (self.filename, path)) + else: + raise ValueError("Invalid Filename") try: - self.im = Image.core.open_ppm(file) + self.im = Image.core.open_ppm(path) finally: - try: os.unlink(file) + try: os.unlink(path) except: pass self.mode = self.im.mode
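Review bot: In the PIL/EpsImagePlugin.py hunk, `os.close(out_fd)` immediately after `tempfile.mkstemp()` gives up the descriptor and leaves gs (and whatever reads the result) to reopen the file by path, so the remaining protection is only that the name is unpredictable and already exists with mode 0600. That does close the mktemp symlink race, but passing the descriptor to the subprocess as its stdout (or keeping it open until the output is consumed) would bind the write to the created inode rather than to a name. `file` also shadows the Python 2 builtin; `out_path` would read better.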
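Review bot: The new condition in the PIL/Image.py hunk, `if file.endswith(format): file = file + "." + format`, is inverted and changes behaviour. `tempfile.mkstemp(format or '')` passes `format` as the suffix (mkstemp's first positional argument), so the returned path always ends with the format name; the branch then appends `"." + format` and `self.save()` writes to a second path that mkstemp never created, leaving the 0600 temp file behind empty, while a caller-supplied `file` without the suffix now gets no extension at all where the removed line always added one. Suggest `tempfile.mkstemp("." + (format or ''))` for the temp name and `if not file.endswith("." + format):` for the caller-supplied case, so the file that is saved is the one that was created.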
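Review bot: `o = os.fdopen(o_fd)` in the PIL/IptcImagePlugin.py hunk opens the descriptor read-only (fdopen defaults to mode "r"), whereas the removed line used `open(outfile, "wb")`; the writes that follow will fail with "File not open for writing". It should be `o = os.fdopen(o_fd, "wb")`. The hunk also starts using `os.fdopen` without adding an `import os`, so confirm the module already imports it, and `text=False` is mkstemp's default and can be dropped.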
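Review bot: The `os.path.exists(self.filename)` check added in the PIL/JpegImagePlugin.py hunk does not address the real problem with `os.system("djpeg '%s' >'%s'" % (self.filename, path))`: the filename is still interpolated into a shell command line, so a name containing a single quote breaks the quoting, and the existence test itself adds a check-then-use window before the command runs. Since `f` from mkstemp is already in hand, run the tool without a shell and write to the descriptor directly, e.g. `subprocess.call(["djpeg", self.filename], stdout=f)` followed by `os.close(f)`, instead of closing it first and redirecting by path. The bare `except: pass` around `os.unlink(path)` also swallows every exception; catching `OSError` is enough there.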
References
- github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7 (nvd: Exploit, Patch, Web)
- github.com/advisories/GHSA-x895-2wrm-hvp7 (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2014-1932 (ghsa: Advisory)
- lists.opensuse.org/opensuse-updates/2014-05/msg00002.html (nvd: Web)
- www.openwall.com/lists/oss-security/2014/02/11/1 (nvd: Web)
- www.ubuntu.com/usn/USN-2168-1 (nvd: Web)
- bugs.debian.org/cgi-bin/bugreport.cgi (nvd: Web)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2014-22.yaml (ghsa: Web)
- security.gentoo.org/glsa/201612-52 (nvd: Web)
- web.archive.org/web/20170103151725/http://www.securityfocus.com/bid/65511 (ghsa: Web)
- www.securityfocus.com/bid/65511 (nvd)