Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 802090 (CVE-2021-34552) - <dev-python/pillow-8.3.0: buffer overflow (CVE-2021-34552)
Summary: <dev-python/pillow-8.3.0: buffer overflow (CVE-2021-34552)
Status: RESOLVED FIXED
Alias: CVE-2021-34552
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://pillow.readthedocs.io/en/stab...
Whiteboard: A2 [glsa+]
Keywords:
Depends on: CVE-2021-23437
Blocks:
  Show dependency tree
 
Reported: 2021-07-14 02:52 UTC by John Helmert III
Modified: 2023-05-31 04:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-14 02:52:49 UTC 
CVE-2021-34552:

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.


Please stabilize 8.3.0.
Comment 1 Rolf Eike Beer archtester 2021-07-21 19:40:36 UTC 
sparc stable
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-22 02:49:51 UTC 
amd64 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-22 02:50:28 UTC 
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-26 04:36:57 UTC 
arm64 done
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 07:14:16 UTC 
Ping.
Comment 6 Larry the Git Cow gentoo-dev 2021-10-16 02:28:08 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11523faea2b3008fd55f6c371dd218267d91cb6f

commit 11523faea2b3008fd55f6c371dd218267d91cb6f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-10-16 02:27:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-10-16 02:27:26 +0000

    dev-python/pillow: add USE=truetype to test REQUIRED_USE
    
    See 11131c2b5d5252fdca56643a4b976c6ac0ca11ea.
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=811453
    Bug: https://bugs.gentoo.org/802090
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pillow/pillow-8.3.0.ebuild | 2 +-
 dev-python/pillow/pillow-8.3.1.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 00:12:59 UTC 
arm done
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-11 15:56:31 UTC 
Ping ppc, ppc64
Comment 9 NATTkA bot gentoo-dev 2021-11-14 03:32:38 UTC 
Resetting sanity check; package list is empty or all packages are done.
Comment 10 Larry the Git Cow gentoo-dev 2021-11-14 08:16:41 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=489350a86a27cbf30814583641081d7f76bad69a

commit 489350a86a27cbf30814583641081d7f76bad69a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-11-14 08:08:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-11-14 08:16:38 +0000

    dev-python/pillow: Remove old
    
    Bug: https://bugs.gentoo.org/811450
    Bug: https://bugs.gentoo.org/802090
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  3 --
 dev-python/pillow/pillow-8.2.0.ebuild | 98 -----------------------------------
 dev-python/pillow/pillow-8.3.0.ebuild | 98 -----------------------------------
 dev-python/pillow/pillow-8.3.1.ebuild | 98 -----------------------------------
 4 files changed, 297 deletions(-)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-14 21:15:13 UTC 
GLSA request filed
Comment 12 Larry the Git Cow gentoo-dev 2022-11-22 04:01:17 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=65e54c1c2d5aa2b4a2012ca5e8d6771961ac4118

commit 65e54c1c2d5aa2b4a2012ca5e8d6771961ac4118
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-22 03:53:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:40 +0000

    [ GLSA 202211-10 ] Pillow: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/802090
    Bug: https://bugs.gentoo.org/811450
    Bug: https://bugs.gentoo.org/830934
    Bug: https://bugs.gentoo.org/832598
    Bug: https://bugs.gentoo.org/855683
    Bug: https://bugs.gentoo.org/878769
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-10.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 04:05:57 UTC 
GLSA released, all done!