| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <dev-python/pillow-2.8.1: potential PNG decompression DOS (CVE-2014-9601) | | |
| Product | Gentoo Security | Reporter | neko259 <neko259> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | minor | CC | aklhfex, hanno, python |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://github.com/python-pillow/Pillow/pull/1060 | | |
| Whiteboard | B3 [noglsa/cve] | | |
| Package list | | Runtime testing required | --- |
Description
neko259
2015-01-05 08:54:10 UTC
CVE-2014-9601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9601): Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.

Thank you for the report.

+*pillow-2.8.1 (03 Apr 2015)
+
+  03 Apr 2015; Justin Lecher <jlec@gentoo.org> +pillow-2.8.1.ebuild,
+  -pillow-2.4.0-r1.ebuild, metadata.xml:
+  Version BUmp, with fix for CVE-2014-9601, #534748; drop old
+

We will wait for some time and then go for stable.

30+ days have passed. We ready for stable?

(In reply to Yury German from comment #4)
> 30+ days have passed. We ready for stable?

arrgs, forgot about this one. No bugs so far, @arches please stabilize dev-python/pillow-2.8.1

(since I am changing summary / whiteboard anyway, going to add targets)

Arches, please test and mark stable:
=dev-python/pillow-2.8.1
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Thank you!

Stable for HPPA PPC64.

amd64 stable

arm stable

x86 stable

sparc stable

ppc stable

alpha stable

Can we finish stabilization on ia64? Only one left and we have been waiting for a while on it?

ia64 stable

cleanup, please!

GLSA vote: no.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

(In reply to Yury German from comment #17)
> Maintainer(s), please drop the vulnerable version(s).

Done.

(In reply to Mike Gilbert from comment #18)
> (In reply to Yury German from comment #17)
> > Maintainer(s), please drop the vulnerable version(s).
>
> Done.

pillow-2.8.1 was dropped not pillow-2.5.3-r1?

(In reply to Chris Mayo from comment #19)
> pillow-2.8.1 was dropped not pillow-2.5.3-r1?

So it was. Reverted and fixed, thanks!

(In reply to Mike Gilbert from comment #20)
> (In reply to Chris Mayo from comment #19)
> > pillow-2.8.1 was dropped not pillow-2.5.3-r1?
>
> So it was. Reverted and fixed, thanks!

Can we clean up - 2.5.3-r1?

(In reply to Yury German from comment #21)
> Can we clean up - 2.5.3-r1?

It is gone.

commit d92be788da01b3fa07df2f02b75f84c1416d1d54
Author: Mike Gilbert <floppym@gentoo.org>
Date:   Mon Aug 10 14:59:25 2015 -0400

    dev-python/pillow: Remove old

    Package-Manager: portage-2.2.20

:100644 100644 e5be260... 441f129... M  dev-python/pillow/Manifest
:100644 000000 23478df... 0000000... D  dev-python/pillow/pillow-2.5.3-r1.ebuild

Maintainer(s), thank you for the cleanup.
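The defence for this class of bug is to cap how much a PNG text chunk may inflate to, rather than trusting the deflate stream. The following is an added illustration, not code from Pillow or from this bug: a minimal PNG chunk walker that inflates zTXt data through a bounded `zlib` decompressor and refuses output above a cap. The cap value, the helper names and the two constructed sample images are assumptions made for the example.

```python
import struct
import zlib

MAX_TEXT_CHUNK = 1024 * 1024  # assumed per-chunk cap on inflated text (not Pillow's value)
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_chunks(data):
    """Yield (chunk type, payload) for every chunk in a PNG byte string."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC

def safe_zlib_decompress(blob, max_size=MAX_TEXT_CHUNK):
    """Inflate at most max_size + 1 bytes, so a tiny chunk cannot expand without bound."""
    out = zlib.decompressobj().decompress(blob, max_size + 1)
    if len(out) > max_size:
        raise ValueError("decompressed text chunk exceeds %d bytes" % max_size)
    return out

def ztxt_keywords(data, max_size=MAX_TEXT_CHUNK):
    """Return {keyword: text} for zTXt chunks; raise ValueError on an oversized one."""
    result = {}
    for ctype, payload in png_chunks(data):
        if ctype != b"zTXt" or b"\x00" not in payload:
            continue
        keyword, rest = payload.split(b"\x00", 1)  # rest[0] = compression method, 0 = deflate
        result[keyword.decode("latin-1")] = safe_zlib_decompress(rest[1:], max_size).decode("latin-1")
    return result

def has_oversized_text(data, max_size=MAX_TEXT_CHUNK):
    try:
        ztxt_keywords(data, max_size)
        return False
    except ValueError:
        return True

def build_png(chunks):
    """Assemble a PNG from (type, payload) pairs with correct CRCs (constructed test input)."""
    out = bytearray(PNG_SIGNATURE)
    for ctype, payload in chunks:
        out += struct.pack(">I", len(payload)) + ctype + payload
        out += struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)
    return bytes(out)

IHDR = (b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
BENIGN_PNG = build_png([IHDR, (b"zTXt", b"Comment\x00\x00" + zlib.compress(b"hello")), (b"IEND", b"")])
# 4 MiB of zeros deflates to a few KiB: a small chunk that inflates far past the cap.
BOMB_PNG = build_png([IHDR, (b"zTXt", b"Comment\x00\x00" + zlib.compress(b"\x00" * (4 * MAX_TEXT_CHUNK))), (b"IEND", b"")])
```

Reading the benign image yields its keyword text, while the constructed oversized image is rejected after at most one megabyte of output instead of allocating the full decompressed size.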