Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 520226 (CVE-2014-3589) - <dev-python/pillow-2.5.3-r1: DoS in IcnsImagePlugin (CVE-2014-3589)
Summary: <dev-python/pillow-2.5.3-r1: DoS in IcnsImagePlugin (CVE-2014-3589)
Status: RESOLVED FIXED
Alias: CVE-2014-3589
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 522426
Blocks:
  Show dependency tree
 
Reported: 2014-08-19 06:31 UTC by Agostino Sarubbo
Modified: 2015-05-11 20:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
build.log (build.log,397.35 KB, text/plain)
2014-08-19 13:07 UTC, jospezial
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-08-19 06:31:54 UTC
From ${URL} :

A denial of service vulnerability was reported in the Python Image Library 
and all versions of its fork, Pillow.  If a user were able to supply date to 
the Image.open routine or similar APIs they could cause the application to 
crash due to inadequate input validation in the IcnsImagePlugin module.  This 
has been corrected in upstream version 2.3.2 [1] and 2.5.2 [2]; a patch is 
available [3].

[1] https://pypi.python.org/pypi/Pillow/2.3.2
[2] https://pypi.python.org/pypi/Pillow/2.5.2
[3] 
https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2014-08-19 08:24:55 UTC
I've bumped it to 2.5.3, which includes a fix for the similar CVE-2014-3598 (denial of service vulnerability against JPEG 2K images).

https://github.com/python-pillow/Pillow/commit/05a169d65c19940495c26769ae66c5d1a001cb9f
Comment 2 jospezial 2014-08-19 13:07:03 UTC
Created attachment 383122 [details]
build.log
Comment 3 jospezial 2014-08-19 13:08:06 UTC
writing byte-compilation script '/var/tmp/portage/dev-python/pillow-2.5.3/temp/python2.7/tmpNDZaSk.py'
/usr/bin/python2.7 -OO /var/tmp/portage/dev-python/pillow-2.5.3/temp/python2.7/tmpNDZaSk.py
removing /var/tmp/portage/dev-python/pillow-2.5.3/temp/python2.7/tmpNDZaSk.py
running install_egg_info
Writing /var/tmp/portage/dev-python/pillow-2.5.3/image//_python2.7/usr/lib64/python2.7/site-packages/pysane-2.0-py2.7.egg-info
 * python2_7: running distutils-r1_run_phase python_install_all
/usr/bin/install: cannot stat ‘Sane/README’: No such file or directory
!!! dodoc: Sane/README does not exist
 * ERROR: dev-python/pillow-2.5.3::gentoo failed (install phase):
 *   dodoc failed
Comment 4 Dirkjan Ochtman (RETIRED) gentoo-dev 2014-08-19 17:00:29 UTC
That should be fixed now, please try it again.
Comment 5 jospezial 2014-08-20 10:01:43 UTC
emerging works now
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 17:24:42 UTC
Maintainers, please advise when ebuilds have had enough testing, and are ready for stabilization.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 12:59:09 UTC
Stabilization is being done in Bug 522426
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 00:57:34 UTC
CVE-2014-3589 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3589):
  PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before
  2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of
  service via a crafted block size.
Comment 9 Justin Lecher (RETIRED) gentoo-dev 2015-04-03 19:35:28 UTC
All vulnerable versions removed.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-04-04 16:47:14 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-05-11 20:06:58 UTC
GLSA vote: no.

Closing as [noglsa]