PyPi: Pillow

CVE-2014-3007

Safety vulnerability ID: 38907

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Apr 27, 2014 Updated at Oct 15, 2024

Advisory

Pillow 2.5.0 includes a fix that prevents shell injection (CVE-2014-3007); the corresponding entry in the 2.5.0 changelog below is "Prevent shell injection". Upgrade to 2.5.0 or later.
https://github.com/python-pillow/Pillow/pull/731
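The pull request linked above takes the shell out of Pillow's calls to external helper programs. The following is an added illustration of that class of bug and its fix on a harmless stand-in command (`echo`); it is not Pillow's code. The filename is constructed to carry a shell metacharacter sequence, as an attacker-controlled upload name might:

```python
"""Shell injection through a filename, and the two ways to close it."""
import shlex
import subprocess

# Constructed attacker-controlled filename (not from the advisory):
# the text after ';' becomes a second command if a shell parses it.
EVIL_NAME = "photo.jpg; echo INJECTED"


def build_shell_command(tool, filename):
    # Pre-fix pattern: the filename is pasted into one shell string.
    return "%s %s" % (tool, filename)


def run_unsafe(filename):
    # Equivalent of os.system(): the whole string is handed to /bin/sh,
    # so the ';' in the filename splits it into two commands.
    proc = subprocess.run(build_shell_command("echo", filename),
                          shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_safe(filename):
    # Post-fix pattern: an argv list and no shell. The filename reaches
    # the program as a single argument, metacharacters included.
    proc = subprocess.run(["echo", filename],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_quoted(filename):
    # Fallback when a shell really is required (pipes, redirects):
    # shlex.quote() wraps the value so the shell treats it as one word.
    cmd = "%s %s" % ("echo", shlex.quote(filename))
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("unsafe :", run_unsafe(EVIL_NAME))   # second line is the injected command's output
    print("safe   :", run_safe(EVIL_NAME))     # one line, the literal filename
    print("quoted :", run_quoted(EVIL_NAME))   # one line, the literal filename
```

The argv form is the right default: it needs no escaping logic and cannot be bypassed by a quoting mistake. Quoting is only for the rare case where shell features are genuinely needed, and even then the filename should also be validated against what the caller expects.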

Affected package

pillow

Latest version: 11.0.0

Python Imaging Library (Fork)

Affected versions

Fixed versions

Vulnerability changelog


- Imagedraw rewrite 737
[terseus, wiredfool]

- Add support for multithreaded test execution 755
[wiredfool]

- Prevent shell injection 748
[mbrown1413, wiredfool]

- Support for Resolution in BMP files 734
[gcq]

- Fix error in setup.py for Python 3 744
[matthew-brett]

- Pyroma fix and add Python 3.4 to setup metadata 742
[wiredfool]

- Top level flake8 fixes 741
[aclark4life]

- Remove obsolete Animated Raster Graphics (ARG) support 736
[hugovk]

- Fix test_imagedraw failures 727
[cgohlke]

- Fix AttributeError: class Image has no attribute 'DEBUG' 726
[cgohlke]

- Fix msvc warning: 'inline' : macro redefinition 725
[cgohlke]

- Cleanup 654
[dvska, hugovk, wiredfool]

- 16-bit monochrome support for JPEG2000 730
[videan42]

- Fixed ImagePalette.save
[brightpisces]

- Support JPEG qtables 677
[csinchok]

- Add binary morphology addon
[dov, wiredfool]

- Decompression bomb protection 674
[hugovk]

- Put images in a single directory 708
[hugovk]

- Support OpenJpeg 2.1 681
[al45tair, wiredfool]

- Remove unistd.h include for all platforms 704
[wiredfool]

- Use unittest for tests
[hugovk]

- ImageCms fixes
[hugovk]

- Added more ImageDraw tests
[hugovk]

- Added tests for Spider files
[hugovk]

- Use libtiff to write any compressed tiff files 669
[wiredfool]

- Support for pickling Image objects
[hugovk]

- Fixed resolution handling for EPS thumbnails 619
[eliempje]

- Fixed rendering of some binary EPS files (Issue 302)
[eliempje]

- Rename variables not to use built-in function names 670
[hugovk]

- Ignore junk JPEG markers
[hugovk]

- Change default interpolation for Image.thumbnail to Image.ANTIALIAS
[hugovk]

- Add tests and fixes for saving PDFs
[hugovk]

- Remove transparency resource after P->RGBA conversion
[hugovk]

- Clean up preprocessor cruft for Windows 652
[CounterPillow]

- Adjust Homebrew freetype detection logic 656
[jacknagel]

- Added Image.close, context manager support
[wiredfool]

- Added support for 16 bit PGM files
[wiredfool]

- Updated OleFileIO to version 0.30 from upstream 618
[hugovk]

- Added support for additional TIFF floating point format
[Hijackal]

- Have the tempfile use a suffix with a dot
[wiredfool]

- Fix variable name used for transparency manipulations 604
[nijel]


Severity Details

CVSS Base Score

HIGH 10.0

CVSS v2 Details

HIGH 10.0
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): COMPLETE
Integrity Impact (I): COMPLETE
Availability Impact (A): COMPLETE