Summary: dev-python/pillow-2.5.3-r1: DoS in IcnsImagePlugin (CVE-2014-3589)

| Field | Value |
|---|---|
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | Normal |
| CC | python |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=1130711 |
| Whiteboard | B3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 522426 |
| Bug Blocks | |
| Attachments | |
Description
Agostino Sarubbo
2014-08-19 06:31:54 UTC
I've bumped it to 2.5.3, which includes a fix for the similar CVE-2014-3598 (denial of service vulnerability against JPEG 2K images). https://github.com/python-pillow/Pillow/commit/05a169d65c19940495c26769ae66c5d1a001cb9f

Created attachment 383122 [details]
build.log

```
writing byte-compilation script '/var/tmp/portage/dev-python/pillow-2.5.3/temp/python2.7/tmpNDZaSk.py'
/usr/bin/python2.7 -OO /var/tmp/portage/dev-python/pillow-2.5.3/temp/python2.7/tmpNDZaSk.py
removing /var/tmp/portage/dev-python/pillow-2.5.3/temp/python2.7/tmpNDZaSk.py
running install_egg_info
Writing /var/tmp/portage/dev-python/pillow-2.5.3/image//_python2.7/usr/lib64/python2.7/site-packages/pysane-2.0-py2.7.egg-info
 * python2_7: running distutils-r1_run_phase python_install_all
/usr/bin/install: cannot stat ‘Sane/README’: No such file or directory
!!! dodoc: Sane/README does not exist
 * ERROR: dev-python/pillow-2.5.3::gentoo failed (install phase):
 *   dodoc failed
```

That should be fixed now, please try it again.

emerging works now

Maintainers, please advise when ebuilds have had enough testing, and are ready for stabilization.

Stabilization is being done in Bug 522426

CVE-2014-3589 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3589):
PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.

All vulnerable versions removed.

Arches and Maintainer(s), Thank you for your work. GLSA Vote: No

GLSA vote: no. Closing as [noglsa]
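The NVD text in the thread above says only that a crafted block size causes the denial of service. The following is an added example and is not Pillow's code or the content of the referenced commit: a minimal reader for the ICNS container layout (an `icns` tag plus big-endian file length, followed by blocks that each begin with a 4-byte type tag and a 4-byte length that counts the 8-byte header itself). It is written first in a form that trusts the declared block length, so that a block claiming length 0 moves the cursor backwards and the indexing loop never reaches the end of the file, and then with the bounds check a hardened parser needs. The function names, the `budget` parameter and the sample byte strings are constructed for the demonstration and are not real icon data.

```python
import io
import struct

HEADER_SIZE = 8  # every ICNS header: 4-byte type tag + big-endian uint32 length


class IcnsError(ValueError):
    """Malformed container rejected by the parser."""


class BudgetExceeded(RuntimeError):
    """Raised by the naive parser when the loop stops making progress.
    Real code without a budget would spin forever here (the DoS)."""


def read_header(fobj):
    raw = fobj.read(HEADER_SIZE)
    if len(raw) != HEADER_SIZE:
        raise IcnsError("truncated header")
    return struct.unpack(">4sI", raw)


def parse_icns_naive(data, budget=1000):
    """Index blocks by trusting the per-block length field (vulnerable form).

    With a declared block size of 0 the cursor advances by 8 for the header,
    then seeks back 8 for the 'payload', so the offset i never grows and the
    same crafted header is read again on every iteration. The budget exists
    only so this demonstration terminates instead of hanging.
    """
    fobj = io.BytesIO(data)
    sig, filesize = read_header(fobj)
    if sig != b"icns":
        raise IcnsError("not an icns file")
    blocks = {}
    i = HEADER_SIZE
    iterations = 0
    while i < filesize:
        iterations += 1
        if iterations > budget:
            raise BudgetExceeded(f"no progress after {budget} iterations at offset {i}")
        sig, blocksize = read_header(fobj)
        i += HEADER_SIZE
        blocksize -= HEADER_SIZE          # may become negative for a crafted size
        blocks[sig] = (i, blocksize)
        fobj.seek(blocksize, 1)           # negative value seeks backwards
        i += blocksize
    return blocks


def parse_icns_hardened(data):
    """Same indexing, but every block length is validated before it is used:
    a block must at least hold its own header and must not overrun the file."""
    fobj = io.BytesIO(data)
    sig, filesize = read_header(fobj)
    if sig != b"icns" or filesize > len(data):
        raise IcnsError("bad file header")
    blocks = {}
    i = HEADER_SIZE
    while i < filesize:
        sig, blocksize = read_header(fobj)
        if blocksize < HEADER_SIZE or i + blocksize > filesize:
            raise IcnsError(f"invalid block size {blocksize} at offset {i}")
        i += HEADER_SIZE
        payload_len = blocksize - HEADER_SIZE
        blocks[sig] = (i, payload_len)
        fobj.seek(payload_len, 1)
        i += payload_len
    return blocks


def build_icns(blocks):
    """Assemble a container from (type, length_field, payload) triples.
    The length field is written verbatim so a crafted value can be emitted."""
    body = b"".join(struct.pack(">4sI", t, size) + payload for t, size, payload in blocks)
    return struct.pack(">4sI", b"icns", HEADER_SIZE + len(body)) + body


# Constructed sample inputs (not real icon data).
GOOD = build_icns([(b"ic07", HEADER_SIZE + 4, b"ABCD"), (b"ic08", HEADER_SIZE + 2, b"xy")])
CRAFTED = build_icns([(b"ic07", HEADER_SIZE + 4, b"ABCD"), (b"ic08", 0, b"")])


def outcome(parser, data):
    """Classify a parser's behaviour on the given bytes."""
    try:
        parser(data)
        return "ok"
    except BudgetExceeded:
        return "hang"
    except IcnsError:
        return "rejected"


if __name__ == "__main__":
    for name, data in (("GOOD", GOOD), ("CRAFTED", CRAFTED)):
        print(name, "naive:", outcome(parse_icns_naive, data),
              "hardened:", outcome(parse_icns_hardened, data))
```

The check that matters is the one on `blocksize` before it is used to move the cursor: a declared length below the header size, or one that runs past the declared file size, is rejected rather than fed to `seek`. The upper bound also keeps a huge length field from being used to skip far beyond the file, so the loop can only advance forward within known limits.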