From 8.1.1 release notes:
CVE-2021-25289: The previous fix for CVE-2020-35654 was insufficient due to incorrect error checking in TiffDecode.c.
CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size.
CVE-2021-25291: In TiffDecode.c, invalid tile boundaries could lead to an OOB Read in TiffReadRGBATile.
CVE-2021-25292: The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack.
CVE-2021-25293: There is an Out of Bounds Read in SGIRleDecode.c, since pillow 4.3.0.
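Added illustration (not code from this bug, from Pillow, or from the release notes) of the bug class behind CVE-2021-25292. The patterns below are constructed stand-ins; they are not the regex from Pillow's PDF parser, which the release notes do not show. The point is that a pattern with nested quantifiers over the same characters takes exponential time on a non-matching input, while an equivalent single-quantifier pattern stays linear, so an attacker-controlled file can stall the parser with a few dozen bytes.

```python
import re
import time

# Constructed example of catastrophic backtracking. Nested '+' quantifiers over
# the same character mean a run of n 'a's can be split between the inner and
# outer group in ~2^n ways; the trailing '$' forces the engine to try all of
# them before giving up on input that does not match.
VULNERABLE = re.compile(r"^(a+)+$")

# Same language, one quantifier: the engine scans the input once.
LINEAR = re.compile(r"^a+$")


def timed_match(pattern, text):
    """Return (matched, seconds) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def compare(n):
    """Run both patterns on a constructed non-matching input: n 'a's then '!'.

    Both patterns reject the input; only the time they take differs.
    """
    text = "a" * n + "!"
    v_ok, v_t = timed_match(VULNERABLE, text)
    l_ok, l_t = timed_match(LINEAR, text)
    return {"match_vuln": v_ok, "match_linear": l_ok, "t_vuln": v_t, "t_linear": l_t}


if __name__ == "__main__":
    # Each extra character roughly doubles the vulnerable pattern's run time;
    # keep n small, the growth is already visible well below n=25.
    for n in (10, 14, 18):
        r = compare(n)
        print(f"n={n:2d}  vulnerable={r['t_vuln']:.4f}s  linear={r['t_linear']:.6f}s")
```

When reviewing parser code for this class of bug, look for nested or adjacent quantifiers that can consume the same characters (`(a+)+`, `(a|a)*`, `\s*\s*`) and for patterns applied to untrusted input without a length cap; rewriting to a single quantifier, or anchoring so the engine cannot retry from every offset, removes the exponential case.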
Please bump to 8.1.1.
Unable to check for sanity: > no match for package: dev-python/pillow-8.1.1
All sanity-check issues have been resolved
x86 stable
amd64 done
arm done
ppc done
ppc64 done
sparc done
arm64 done
all arches done
Please cleanup.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39b2f71aefaa6de7ff40d0850fe8eb6409eb828e
commit 39b2f71aefaa6de7ff40d0850fe8eb6409eb828e
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-03-02 08:41:56 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-03-02 08:43:52 +0000
dev-python/pillow: Remove old
Bug: https://bugs.gentoo.org/773559
Signed-off-by: Michał Górny <mgorny@gentoo.org>
dev-python/pillow/Manifest | 1 -
dev-python/pillow/pillow-8.1.0.ebuild | 98 ----------------------------------
2 files changed, 99 deletions(-)
A few more CVEs appear to be covered by this release which reference the Pillow-8.1.1 release notes, but the release notes do not reference the CVEs.
(In reply to John Helmert III from comment #13) > A few more CVEs appear to be covered by this release which reference the > Pillow-8.1.1 release notes, but the release notes do not reference the CVEs. This turned out to be 8.1.2 instead: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html.
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-33 at https://security.gentoo.org/glsa/202107-33 by GLSA coordinator John Helmert III (ajak).