Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 811450 (CVE-2021-23437) - <dev-python/pillow-8.3.2: buffer overflow due to color specifiers (?)
Summary: <dev-python/pillow-8.3.2: buffer overflow due to color specifiers (?)
Status: RESOLVED FIXED
Alias: CVE-2021-23437
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 811453
Blocks: CVE-2021-34552
  Show dependency tree
 
Reported: 2021-09-02 20:41 UTC by Michał Górny
Modified: 2022-11-22 04:05 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-09-02 20:41:37 UTC
Apparently the CVE has not been published yet but the changelogs says:

+- CVE-2021-23437 Raise ValueError if color specifier is too long
+  [hugovk, radarhere]
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-03 18:41:07 UTC
CVE says it's a ReDoS.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-14 03:27:26 UTC
Please cleanup
Comment 3 Larry the Git Cow gentoo-dev 2021-11-14 08:16:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=489350a86a27cbf30814583641081d7f76bad69a

commit 489350a86a27cbf30814583641081d7f76bad69a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-11-14 08:08:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-11-14 08:16:38 +0000

    dev-python/pillow: Remove old
    
    Bug: https://bugs.gentoo.org/811450
    Bug: https://bugs.gentoo.org/802090
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  3 --
 dev-python/pillow/pillow-8.2.0.ebuild | 98 -----------------------------------
 dev-python/pillow/pillow-8.3.0.ebuild | 98 -----------------------------------
 dev-python/pillow/pillow-8.3.1.ebuild | 98 -----------------------------------
 4 files changed, 297 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-14 14:32:52 UTC
Thanks!
Comment 5 filip ambroz 2022-01-10 16:54:19 UTC
There are new bugs affecting versions < 9.0.0: https://bugs.gentoo.org/830934
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-14 21:15:23 UTC
GLSA request filed
Comment 7 Larry the Git Cow gentoo-dev 2022-11-22 04:01:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=65e54c1c2d5aa2b4a2012ca5e8d6771961ac4118

commit 65e54c1c2d5aa2b4a2012ca5e8d6771961ac4118
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-22 03:53:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:40 +0000

    [ GLSA 202211-10 ] Pillow: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/802090
    Bug: https://bugs.gentoo.org/811450
    Bug: https://bugs.gentoo.org/830934
    Bug: https://bugs.gentoo.org/832598
    Bug: https://bugs.gentoo.org/855683
    Bug: https://bugs.gentoo.org/878769
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-10.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 04:05:50 UTC
GLSA released, all done!