"CVE-2022-30595: When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. This vulnerability was introduced in Pillow 9.1.0, and can cause a heap buffer overflow." Introduced in 9.1.0, so only unstable is affected. Please bump to 9.1.1.
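The advisory quoted above is about length accounting when a TGA RLE packet spills past the end of the scan line being decoded. The decoder below is an added example written for this page, not Pillow's own `TgaRleDecode` code: it decodes line by line, carries the spilled pixels of a boundary-crossing packet into the next line instead of writing them past the line buffer, keeps the input position in step with every byte actually consumed, and rejects streams that would over- or under-run the image. The sample byte strings are constructed, not taken from any real file.

```python
class TgaRleDecoder:
    """Line-oriented decoder for TGA run-length encoded pixel data.

    Packet header byte h: if h & 0x80 the packet is a run of (h & 0x7f) + 1
    copies of the single pixel that follows; otherwise it is (h & 0x7f) + 1
    literal pixels. Packets may cross scan-line boundaries, so pixels decoded
    past the end of the current line are carried over to the next line, and
    the returned input position already accounts for their source bytes.
    """

    def __init__(self, width: int, height: int, bpp: int = 1) -> None:
        self.width, self.height, self.bpp = width, height, bpp
        self.pending = b""  # decoded pixels that belong to the next line

    def _read_packet(self, data: bytes, pos: int) -> tuple[bytes, int]:
        """Decode one packet at data[pos]; return (pixels, new_pos)."""
        if pos >= len(data):
            raise ValueError("truncated RLE stream: missing packet header")
        header = data[pos]
        pos += 1
        count = (header & 0x7F) + 1
        if header & 0x80:  # run-length packet: one pixel, repeated
            if pos + self.bpp > len(data):
                raise ValueError("truncated RLE stream: missing run pixel")
            pixels = data[pos:pos + self.bpp] * count
            pos += self.bpp
        else:  # raw packet: count literal pixels follow
            n = count * self.bpp
            if pos + n > len(data):
                raise ValueError("truncated RLE stream: raw packet overruns input")
            pixels = data[pos:pos + n]
            pos += n
        return pixels, pos

    def decode_line(self, data: bytes, pos: int) -> tuple[bytes, int]:
        """Decode one scan line starting at data[pos]; return (line, new_pos)."""
        need = self.width * self.bpp
        line = bytearray(self.pending)  # spill-over from the previous line
        while len(line) < need:
            pixels, pos = self._read_packet(data, pos)
            line += pixels
        # Bytes beyond `need` start the next line; their input bytes are
        # already counted in pos, so nothing is read twice or left unaccounted.
        self.pending = bytes(line[need:])
        return bytes(line[:need]), pos

    def decode_image(self, data: bytes) -> bytes:
        """Decode the whole image; raise ValueError on an over- or under-run."""
        out = bytearray()
        pos = 0
        self.pending = b""
        for _ in range(self.height):
            line, pos = self.decode_line(data, pos)
            out += line
        if self.pending:
            raise ValueError("RLE packet overruns the image buffer")
        return bytes(out)


# Constructed sample inputs for a 4x2 8-bit image (not from any real file).
# 0x85: run of 6 x 0xAA, which crosses from line 0 into line 1;
# 0x01: raw packet of 2 pixels (0x01, 0x02) that finishes line 1.
SPANNING_RUN = bytes([0x85, 0xAA, 0x01, 0x01, 0x02])
# 0xFF: run of 128 pixels, far more than the 8 the image can hold.
OVERLONG_RUN = bytes([0xFF, 0xAA])
# 0x03: raw packet of 4 pixels, but only one data byte follows.
TRUNCATED_RAW = bytes([0x03, 0x01])


def decode_8bit(data: bytes, width: int, height: int) -> bytes:
    return TgaRleDecoder(width, height, bpp=1).decode_image(data)


def rejects(data: bytes, width: int, height: int) -> bool:
    """True if the decoder refuses the stream instead of overrunning a buffer."""
    try:
        decode_8bit(data, width, height)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(decode_8bit(SPANNING_RUN, 4, 2).hex())
    print(rejects(OVERLONG_RUN, 4, 2), rejects(TRUNCATED_RAW, 4, 2))
```

The point of the `pending` buffer is that a packet crossing a scan line is consumed exactly once: the input position advances by the whole packet when it is read, and the leftover pixels are delivered to the next line from memory rather than re-read or written past the current line.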
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75e093bf57da23ab2e0740de89eba7f9a09d79dd

commit 75e093bf57da23ab2e0740de89eba7f9a09d79dd
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-17 19:16:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-17 19:16:32 +0000

    dev-python/pillow: drop 9.1.0

    Bug: https://bugs.gentoo.org/845192
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pillow/Manifest            |   1 -
 dev-python/pillow/pillow-9.1.0.ebuild | 118 ----------------------------------
 2 files changed, 119 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=999f510755e20771898673bcb6d4c48a2df7cd29

commit 999f510755e20771898673bcb6d4c48a2df7cd29
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-17 19:16:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-17 19:16:31 +0000

    dev-python/pillow: add 9.1.1

    Bug: https://bugs.gentoo.org/845192
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pillow/Manifest            |   1 +
 dev-python/pillow/pillow-9.1.1.ebuild | 118 ++++++++++++++++++++++++++++++++++
 2 files changed, 119 insertions(+)