
Bug 773559 (CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293)

Summary: <dev-python/pillow-8.1.1: Multiple vulnerabilities (CVE-2021-{25289,25290,25291,25292,25293})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: mgorny, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 774387
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 11:33:09 UTC
From 8.1.1 release notes:

CVE-2021-25289: The previous fix for CVE-2020-35654 was insufficient due to incorrect error checking in TiffDecode.c.

CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size

CVE-2021-25291: In TiffDecode.c, invalid tile boundaries could lead to an OOB Read in TiffReadRGBATile

CVE-2021-25292: The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack.

CVE-2021-25293: There is an Out of Bounds Read in SGIRleDecode.c, since pillow 4.3.0.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 11:33:44 UTC
Please bump to 8.1.1.
Comment 2 NATTkA bot gentoo-dev 2021-03-01 11:40:50 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-03-01 11:56:55 UTC
All sanity-check issues have been resolved
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2021-03-01 17:18:41 UTC
x86 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 18:31:21 UTC
amd64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 19:13:52 UTC
arm done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 19:15:31 UTC
ppc done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 19:15:39 UTC
ppc64 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 19:17:59 UTC
sparc done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-02 03:16:48 UTC
arm64 done

all arches done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-02 03:17:21 UTC
Please clean up.
Comment 12 Larry the Git Cow gentoo-dev 2021-03-02 08:43:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39b2f71aefaa6de7ff40d0850fe8eb6409eb828e

commit 39b2f71aefaa6de7ff40d0850fe8eb6409eb828e
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-03-02 08:41:56 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-03-02 08:43:52 +0000

    dev-python/pillow: Remove old
    
    Bug: https://bugs.gentoo.org/773559
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  1 -
 dev-python/pillow/pillow-8.1.0.ebuild | 98 -----------------------------------
 2 files changed, 99 deletions(-)
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-05 05:07:26 UTC
A few more CVEs appear to be covered by this release which reference the Pillow-8.1.1 release notes, but the release notes do not reference the CVEs.
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-06 05:33:09 UTC
(In reply to John Helmert III from comment #13)
> A few more CVEs appear to be covered by this release which reference the
> Pillow-8.1.1 release notes, but the release notes do not reference the CVEs.

This turned out to be 8.1.2 instead: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html.
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-13 01:09:26 UTC
GLSA request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2021-07-14 03:18:14 UTC
This issue was resolved and addressed in GLSA 202107-33 at https://security.gentoo.org/glsa/202107-33 by GLSA coordinator John Helmert III (ajak).