VYPR
Moderate severity · NVD Advisory · Published Apr 17, 2014 · Updated May 6, 2026

CVE-2014-1933

Description

The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in the Python Imaging Library (PIL) 1.1.7 and earlier, and in Pillow before 2.3.1, obtain a temporary output path from tempfile.mktemp() and place that name on the command line of an external decoder (djpeg or gs). Because mktemp() does not create the file, and the name is visible to any local user who lists running processes, a local attacker can create a symlink at that path before the decoder writes to it and redirect the decoder's output into a file of the attacker's choosing (a symlink attack on an insecurely created temporary file).

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
pillow    PyPI        < 2.3.1             2.3.1

Affected products: 2

Patches: 1
4e9f367dfd3f

Removed tempfile.mktemp, fixes CVE-2014-1932 CVE-2014-1933, debian bug #737059

https://github.com/python-imaging/Pillow · wiredfool · Mar 14, 2014 · via ghsa
4 files changed · +18 −10
  • PIL/EpsImagePlugin.py (+2 −1, modified)
    @@ -67,7 +67,8 @@ def Ghostscript(tile, size, fp, scale=1):
     
         import tempfile, os, subprocess
     
    -    file = tempfile.mktemp()
    +    out_fd, file = tempfile.mkstemp()
    +    os.close(out_fd)
     
         # Build ghostscript command
         command = ["gs",
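Review bot: `os.close(out_fd)` throws away the descriptor immediately, and `file` is still passed to gs by name, so the output path remains on the gs command line and readable via ps. That is now safe only because mkstemp has already created the file with O_EXCL and mode 0600, so a link can no longer be planted at that name; if the gs invocation built below can write to stdout, the cleaner fix is to keep `out_fd` open and hand it to the child as `stdout=out_fd` through the already-imported `subprocess`, so the path never needs to appear on the command line at all. Consider also giving mkstemp a suffix (for example `suffix=".ppm"`) so the file is identifiable if it is left behind.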
    
  • PIL/Image.py (+6 −3, modified)
    @@ -495,14 +495,17 @@ def _copy(self):
             self.readonly = 0
     
         def _dump(self, file=None, format=None):
    -        import tempfile
    +        import tempfile, os
             if not file:
    -            file = tempfile.mktemp()
    +            f, file = tempfile.mkstemp(format or '')
    +            os.close(f)
    +            
             self.load()
             if not format or format == "PPM":
                 self.im.save_ppm(file)
             else:
    -            file = file + "." + format
    +            if file.endswith(format):
    +                file = file + "." + format
                 self.save(file, format)
             return file
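Review bot: the rewritten suffix branch `if file.endswith(format): file = file + "." + format` is inverted and undoes the mkstemp change. `tempfile.mkstemp(format or '')` already appends the bare format string to the generated name (for example `...PNG`), so for the generated case the condition is always true, `.PNG` is appended, and `self.save` writes to a brand-new path that mkstemp never created, which is exactly the name-only temp file the commit set out to remove; the securely created 0600 file is left empty and never unlinked. For a caller-supplied `file` that does not end in the format, nothing is appended, which silently changes the old behaviour. Suggest `f, file = tempfile.mkstemp("." + format if format else "")` and saving to `file` directly, dropping the suffix branch; the whitespace-only line after `os.close(f)` should go too.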
     
    
  • PIL/IptcImagePlugin.py (+2 −2, modified)
    @@ -172,8 +172,8 @@ def load(self):
             self.fp.seek(offset)
     
             # Copy image data to temporary file
    -        outfile = tempfile.mktemp()
    -        o = open(outfile, "wb")
    +        o_fd, outfile = tempfile.mkstemp(text=False)
    +        o = os.fdopen(o_fd)
             if encoding == "raw":
                 # To simplify access to the extracted file,
                 # prepend a PPM header
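Review bot: `o = os.fdopen(o_fd)` opens the descriptor in the default read-only text mode, but the comment ("Copy image data to temporary file") and the removed `open(outfile, "wb")` show this handle is written to, so the first write will raise. Use `os.fdopen(o_fd, "wb")` to keep the original binary write mode. `text=False` on mkstemp is already the default and can be dropped.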
    
  • PIL/JpegImagePlugin.py (+8 −4, modified)
    @@ -344,13 +344,17 @@ def load_djpeg(self):
             # ALTERNATIVE: handle JPEGs via the IJG command line utilities
     
             import tempfile, os
    -        file = tempfile.mktemp()
    -        os.system("djpeg %s >%s" % (self.filename, file))
    +        f, path = tempfile.mkstemp()
    +        os.close(f)
    +        if os.path.exists(self.filename):
    +            os.system("djpeg '%s' >'%s'" % (self.filename, path))
    +        else:
    +            raise ValueError("Invalid Filename")
     
             try:
    -            self.im = Image.core.open_ppm(file)
    +            self.im = Image.core.open_ppm(path)
             finally:
    -            try: os.unlink(file)
    +            try: os.unlink(path)
                 except: pass
     
             self.mode = self.im.mode
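Review bot: the `os.path.exists` guard plus single quotes does not make the `os.system` line safe, and the temp path is still interpolated into the command string, so it stays visible in the process list. A filename containing a single quote breaks out of the quoting and reaches the shell, and a quoted path is no less readable via ps than an unquoted one. Since `f` is now a real descriptor, it can be handed to the child directly, which removes both the shell and the path from the command line: `subprocess.call(["djpeg", self.filename], stdout=f)` followed by `os.close(f)`. Also, the `raise ValueError("Invalid Filename")` branch runs after mkstemp has created the file, so the temp file is leaked on that path; move the existence check before mkstemp, or unlink `path` before raising.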
    

Vulnerability mechanics

Both affected code paths shell out to an external decoder (djpeg for JPEG via load_djpeg, gs for EPS via Ghostscript) and hand it an output path obtained from tempfile.mktemp(). mktemp() only returns a name; it creates nothing at that path. The name is then placed on the child's command line (`djpeg input >name`, or in the gs argument list), where any local user can read it from the process list while the decoder runs. That gives an attacker a window to create a symlink at that path before the decoder opens it for writing, so the decoder's output is written through the link into whatever file it points to, with the privileges of the user running PIL. The same mktemp() pattern appears in Image._dump and IptcImagePlugin.load in the fix commit, even though the CVE text names only the two plugins.

The fix replaces mktemp() with mkstemp(), which creates the file atomically with O_CREAT|O_EXCL and mode 0600 and returns an open descriptor. With the file already in place, a symlink can no longer be planted at that name, and a link planted in advance makes creation fail instead of being followed. The remaining weakness, visible in the diffs, is that the descriptor is closed at once and the path is still passed to the child by name; passing the descriptor as the child's stdout would keep the path off the command line entirely.
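As an added illustration (not code from this page or from Pillow), the following Python reproduces the two patterns side by side in a private directory standing in for a shared /tmp: the pre-fix mktemp() flow, in which an attacker who already knows the name (in the CVE, from ps) plants a symlink and the victim's write lands in the attacker's chosen file, and the mkstemp() flow, in which the file already exists with mode 0600 so the link cannot be planted and the decoder's output is handed to the child as a descriptor rather than as a path on its command line. A `python -c` child stands in for djpeg/gs; the directory, file names and contents are constructed for the demo.

```python
import os
import subprocess
import sys
import tempfile

# Constructed demo: "shared_dir" stands in for a world-writable /tmp and
# "attacker_target" for a file owned by the victim that the attacker wants
# overwritten. The attacker is assumed to already know the temp file name
# (in the CVE, read from the decoder's command line with ps).


def race_with_mktemp(shared_dir, attacker_target):
    """Pre-fix pattern: mktemp() only chooses a name and creates nothing.
    Returns (target_clobbered, output_reached_temp_path)."""
    path = tempfile.mktemp(dir=shared_dir)
    os.symlink(attacker_target, path)          # attacker plants a link first
    with open(path, "w") as out:               # victim opens by name, as "djpeg ... >path" would
        out.write("P6 1 1 255\n")
    try:
        with open(attacker_target) as tgt:
            clobbered = tgt.read().startswith("P6")
        with open(path) as tmp:
            reached = tmp.read().startswith("P6")
    finally:
        os.unlink(path)                        # removes the link, not the target
    return clobbered, reached


def safe_with_mkstemp(shared_dir, attacker_target):
    """Post-fix pattern: mkstemp() creates the file atomically (O_CREAT|O_EXCL,
    mode 0600) and returns a descriptor, so a link can no longer be planted at
    that name, and the child writes to the descriptor instead of to the name.
    Returns (target_clobbered, output_reached_temp_path)."""
    fd, path = tempfile.mkstemp(dir=shared_dir)
    try:
        try:
            os.symlink(attacker_target, path)  # attacker tries anyway...
        except FileExistsError:
            pass                               # ...and loses: the file already exists
        # Stand-in for the external decoder: an argv list (no shell, so no
        # quoting problems) with stdout bound to the descriptor instead of
        # ">path" on a command line, so the path never appears in ps output.
        subprocess.run([sys.executable, "-c", "print('P6 1 1 255')"],
                       stdout=fd, check=True)
    finally:
        os.close(fd)
    try:
        with open(path) as tmp:
            reached = tmp.read().startswith("P6")
        with open(attacker_target) as tgt:
            clobbered = tgt.read() != "secret\n"
    finally:
        os.unlink(path)
    return clobbered, reached


def demo():
    """Run both patterns against a fresh victim file.
    Returns ((mktemp clobbered, mktemp reached), (mkstemp clobbered, mkstemp reached))."""
    results = []
    with tempfile.TemporaryDirectory() as shared:
        target = os.path.join(shared, "victim_owned_file")
        for pattern in (race_with_mktemp, safe_with_mkstemp):
            with open(target, "w") as f:
                f.write("secret\n")            # constructed victim file content
            results.append(pattern(shared, target))
    return tuple(results)


if __name__ == "__main__":
    print(demo())  # ((True, True), (False, True))
```

The first tuple shows the pre-fix outcome: the write "reached" the temp path only because the path resolved through the attacker's link, and the victim's file was overwritten. The second shows the fixed outcome: the decoder's output landed in the 0600 file that mkstemp created, and the victim's file is untouched. Note that the fix commit closes the descriptor immediately and still passes the path by name; the descriptor-as-stdout step here is the further hardening the commit does not take.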

References: 10

News mentions: 0

No linked articles in our index yet.