Bug 779760 (CVE-2021-25287, CVE-2021-25288, CVE-2021-28675, CVE-2021-28676, CVE-2021-28677, CVE-2021-28678)

Summary:	<dev-python/pillow-8.2.0: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	mgorny, python
Priority:	Normal	Flags:	nattka: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A3 [glsa+ cve]
Package list:	dev-python/pillow-8.2.0	Runtime testing required:	---

Description Sam James archtester

2021-04-01 22:40:50 UTC

Upstream bug: https://github.com/python-pillow/Pillow/pull/5377

From release notes (https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1):

These were all found with `OSS-Fuzz`_.

 :cve:`CVE-2021-25287`, :cve:`CVE-2021-25288`: Fix OOB read in Jpeg2KDecode
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * For J2k images with multiple bands, it's legal to have different widths for each band,
   e.g. 1 byte for ``L``, 4 bytes for ``A``.
 * This dates to Pillow 2.4.0.

 :cve:`CVE-2021-28675`: Fix DOS in PsdImagePlugin
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input
   layers with regard to the size of the data block, this could lead to a
   denial-of-service on :py:meth:`~PIL.Image.open` prior to
   :py:meth:`~PIL.Image.Image.load`.
 * This dates to the PIL fork.

 :cve:`CVE-2021-28676`: Fix FLI DOS
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * ``FliDecode.c`` did not properly check that the block advance was non-zero,
   potentially leading to an infinite loop on load.
 * This dates to the PIL fork.

 :cve:`CVE-2021-28677`: Fix EPS DOS on _open
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line
   endings. It accidentally used a quadratic method of accumulating lines while looking
   for a line ending.
 * A malicious EPS file could use this to perform a denial-of-service of Pillow in the
   open phase, before an image was accepted for opening.
 * This dates to the PIL fork.

 :cve:`CVE-2021-28678`: Fix BLP DOS
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets
   returned data. This could lead to a denial-of-service where the decoder could be run a
   large number of times on empty data.
 * This dates to Pillow 5.1.0.

 Fix memory DOS in ImageFont
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * A corrupt or specially crafted TTF font could have font metrics that lead to
   unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check
   the image size before allocating memory for it.
 * This dates to the PIL fork.

Comment 1 Sam James archtester

2021-04-02 14:09:45 UTC

x86 done

Comment 2 Sam James archtester

2021-04-02 14:10:57 UTC

amd64 done

Comment 3 Rolf Eike Beer archtester

2021-04-04 13:08:11 UTC

sparc stable

Comment 4 Sam James archtester

2021-04-22 23:33:43 UTC

ppc done

Comment 5 Sam James archtester

2021-04-22 23:33:47 UTC

ppc64 done

Comment 6 Sam James archtester

2021-04-25 15:20:19 UTC

arm64 done

Comment 7 Sam James archtester

2021-04-26 19:24:22 UTC

arm done

all arches done

Comment 8 John Helmert III archtester

2021-04-26 23:45:20 UTC

Cleanup already done.

Comment 9 John Helmert III archtester

2021-07-13 01:09:28 UTC

GLSA request filed.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2021-07-14 03:18:22 UTC

This issue was resolved and addressed in
 GLSA 202107-33 at https://security.gentoo.org/glsa/202107-33
by GLSA coordinator John Helmert III (ajak).