Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 706202 (CVE-2019-19911, CVE-2020-5312, CVE-2020-5313)

Summary: <dev-python/pillow-6.2.2: multiple vulnerabilities (CVE-{2019-19911,2020-5312,2020,5313}) (CVE-2020-{5310,5311})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mgorny, nobrowser, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=701828
Whiteboard: B3 [noglsa cve]
Package list:
dev-python/pillow-6.2.2
 Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-01-23 21:41:31 UTC 
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-01-23 21:43:24 UTC 
* CVE-2019-19911: Prevent a denial-of-service vulnerability caused
  by FpxImagePlugin.py calling the range function on an unvalidated
  32-bit integer if the number of bands is large.

* CVE-2020-5312: PCX "P mode" buffer overflow.

* CVE-2020-5313: FLI buffer overflow.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-25 20:49:38 UTC 
FWICS they're all fixed in 6.2.2.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-01-26 20:57:29 UTC 
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-01-27 12:12:21 UTC 
sparc stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-01-27 12:16:46 UTC 
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-01-27 12:25:03 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-01-27 12:45:06 UTC 
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-01-27 16:13:48 UTC 
ppc stable
Comment 9 Mart Raudsepp gentoo-dev 2020-03-29 16:19:32 UTC 
arm64 stable
Comment 10 Rolf Eike Beer archtester 2020-04-04 16:15:26 UTC 
~hppa is fine
Comment 11 NATTkA bot gentoo-dev Security 2020-04-06 14:57:17 UTC 
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-08 04:38:36 UTC 
Thanks arches.

@maintainer(s), please cleanup!
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 01:46:51 UTC 
CVE-2020-5311 (https://nvd.nist.gov/vuln/detail/CVE-2020-5311):
  libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.

CVE-2020-5310 (https://nvd.nist.gov/vuln/detail/CVE-2020-5310):
  libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer
  overflow, related to realloc.
Comment 14 Larry the Git Cow gentoo-dev 2020-05-04 01:22:21 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=815387495f790a66b5fbf74f014349535fe4bbbc

commit 815387495f790a66b5fbf74f014349535fe4bbbc
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-05-04 01:21:39 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-05-04 01:22:13 +0000

    dev-python/pillow: drop vulnerable
    
    Bug: https://bugs.gentoo.org/706202
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-python/pillow/Manifest            |  1 -
 dev-python/pillow/pillow-6.2.1.ebuild | 98 -----------------------------------
 2 files changed, 99 deletions(-)