Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 774387 (CVE-2021-27921, CVE-2021-27922, CVE-2021-27923)

Summary: <dev-python/pillow-8.1.2: Multiple vulnerabilities (CVE-2021-{27921,27922,27923})
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mgorny, python, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 773559    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-06 05:33:49 UTC 
From 8.1.2 release notes:
"There is an exhaustion of memory DOS in the BLP (CVE-2021-27921), ICNS (CVE-2021-27922) and ICO (CVE-2021-27923) container formats where Pillow did not properly check the reported size of the contained image. These images could cause arbitrarily large memory allocations. This was reported by Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan of Arizona State University."
Comment 1 Larry the Git Cow gentoo-dev 2021-03-06 07:31:27 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db72e351cef669fd3d42a1c391cf94f503799845

commit db72e351cef669fd3d42a1c391cf94f503799845
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-03-06 07:28:38 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-03-06 07:31:24 +0000

    dev-python/pillow: Bump to 8.1.2
    
    Bug: https://bugs.gentoo.org/774387
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  1 +
 dev-python/pillow/pillow-8.1.2.ebuild | 98 +++++++++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+)
Comment 2 Rolf Eike Beer archtester 2021-03-07 19:49:58 UTC 
sparc stable
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-08 10:27:57 UTC 
arm64 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-08 10:28:30 UTC 
arm done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-08 10:42:12 UTC 
ppc done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-08 23:01:32 UTC 
amd64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-08 23:02:07 UTC 
x86 done
Comment 8 ernsteiswuerfel archtester 2021-03-17 15:51:31 UTC 
Looking mostly good on ppc64.

1 test fails (bug #763309).
rdep scipy fails tests (bug #776949).

 # cat /mnt/mychroot/root/tatt/pillow-774387.report 
USE tests started on Mi 17. Mär 01:54:32 CET 2021

USE='jpeg2k' FEATURES=' test' failed for =dev-python/pillow-8.1.2

revdep tests started on Mi 17. Mär 01:59:48 CET 2021

FEATURES=' test' USE='-minimal python_single_target_python3_8 scanner' succeeded for net-print/hplip
FEATURES=' test' USE='' succeeded for dev-python/sphinx-gallery
FEATURES=' test' USE='python_single_target_python3_8 scripts' succeeded for app-office/scribus
FEATURES=' test' USE='' succeeded for dev-python/blockdiag
FEATURES=' test' USE='' succeeded for dev-python/matplotlib
 FEATURES=' test' failed for dev-python/scipy
FEATURES=' test' USE='' succeeded for dev-python/reportlab
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-28 13:53:47 UTC 
ppc64 done

all arches done
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-28 14:52:55 UTC 
Please cleanup
Comment 11 Larry the Git Cow gentoo-dev 2021-03-28 15:57:05 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=949d542a6510885cb705b5802fe2a1a2f54dc821

commit 949d542a6510885cb705b5802fe2a1a2f54dc821
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-03-28 15:55:28 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-03-28 15:56:11 +0000

    dev-python/pillow: Remove old
    
    Bug: https://bugs.gentoo.org/774387
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  1 -
 dev-python/pillow/pillow-8.1.1.ebuild | 98 -----------------------------------
 2 files changed, 99 deletions(-)
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-28 16:00:29 UTC 
Thanks!
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-13 01:09:27 UTC 
GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2021-07-14 03:18:17 UTC 
This issue was resolved and addressed in
 GLSA 202107-33 at https://security.gentoo.org/glsa/202107-33
by GLSA coordinator John Helmert III (ajak).