
Bug 811450 (CVE-2021-23437)

Summary: <dev-python/pillow-8.3.2: buffer overflow due to color specifiers (?)
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 811453    
Bug Blocks: 802090    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-09-02 20:41:37 UTC
Apparently the CVE has not been published yet, but the changelog says:

+- CVE-2021-23437 Raise ValueError if color specifier is too long
+  [hugovk, radarhere]
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-03 18:41:07 UTC
CVE says it's a ReDoS.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-14 03:27:26 UTC
Please clean up
Comment 3 Larry the Git Cow gentoo-dev 2021-11-14 08:16:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=489350a86a27cbf30814583641081d7f76bad69a

commit 489350a86a27cbf30814583641081d7f76bad69a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-11-14 08:08:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-11-14 08:16:38 +0000

    dev-python/pillow: Remove old
    
    Bug: https://bugs.gentoo.org/811450
    Bug: https://bugs.gentoo.org/802090
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  3 --
 dev-python/pillow/pillow-8.2.0.ebuild | 98 -----------------------------------
 dev-python/pillow/pillow-8.3.0.ebuild | 98 -----------------------------------
 dev-python/pillow/pillow-8.3.1.ebuild | 98 -----------------------------------
 4 files changed, 297 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-14 14:32:52 UTC
Thanks!
Comment 5 filip ambroz 2022-01-10 16:54:19 UTC
There are new bugs affecting versions < 9.0.0: https://bugs.gentoo.org/830934
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-14 21:15:23 UTC
GLSA request filed
Comment 7 Larry the Git Cow gentoo-dev 2022-11-22 04:01:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=65e54c1c2d5aa2b4a2012ca5e8d6771961ac4118

commit 65e54c1c2d5aa2b4a2012ca5e8d6771961ac4118
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-22 03:53:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:40 +0000

    [ GLSA 202211-10 ] Pillow: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/802090
    Bug: https://bugs.gentoo.org/811450
    Bug: https://bugs.gentoo.org/830934
    Bug: https://bugs.gentoo.org/832598
    Bug: https://bugs.gentoo.org/855683
    Bug: https://bugs.gentoo.org/878769
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-10.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 04:05:50 UTC
GLSA released, all done!