Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 534748 (CVE-2014-9601) - <dev-python/pillow-2.8.1: potential PNG decompression DOS (CVE-2014-9601)
Summary: <dev-python/pillow-2.8.1: potential PNG decompression DOS (CVE-2014-9601)
Status: RESOLVED FIXED
Alias: CVE-2014-9601
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/python-pillow/Pill...
Whiteboard: B3 [noglsa/cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-05 08:54 UTC by neko259
Modified: 2015-08-11 13:36 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description neko259 2015-01-05 08:54:10 UTC
This release contains security fix for potential denial of service attacks using compressed text chunks (http://pillow.readthedocs.org/releasenotes/2.7.0.html#png-text-chunk-size-limits)

Reproducible: Always
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-17 21:28:49 UTC
CVE-2014-9601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9601):
  Pillow before 2.7.0 allows remote attackers to cause a denial of service via
  a compressed text chunk in a PNG image that has a large size when it is
  decompressed.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-17 21:30:22 UTC
Thank you for the report.
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2015-04-03 19:40:37 UTC
+*pillow-2.8.1 (03 Apr 2015)
+
+  03 Apr 2015; Justin Lecher <jlec@gentoo.org> +pillow-2.8.1.ebuild,
+  -pillow-2.4.0-r1.ebuild, metadata.xml:
+  Version BUmp, with fix for CVE-2014-9601, #534748; drop old
+

We will wait for some time and then go for stable.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-06-06 13:55:22 UTC
30+ days have passed. We ready for stable?
Comment 5 Justin Lecher (RETIRED) gentoo-dev 2015-06-06 15:36:08 UTC
(In reply to Yury German from comment #4)
> 30+ days have passed. We ready for stable?

arrgs, forgot about this one. No bugs so far,

@arches please stabilize 

dev-python/pillow-2.8.1
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-06-06 16:02:37 UTC
(since I am changing summary / whiteboard anyway, going to add targets)

Arches, please test and mark stable:

=dev-python/pillow-2.8.1

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86"

Thank you!
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-07 06:57:12 UTC
Stable for HPPA PPC64.
Comment 8 Agostino Sarubbo gentoo-dev 2015-06-08 10:44:43 UTC
amd64 stable
Comment 9 Markus Meier gentoo-dev 2015-06-09 18:32:15 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-06-11 07:17:54 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-06-17 08:51:37 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-06-24 07:53:54 UTC
ppc stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-28 15:33:30 UTC
alpha stable
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-07-16 12:21:57 UTC
Can we finish stabilization on ia64? Only one left and we have been waiting for a while on it?
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-22 15:25:00 UTC
ia64 stable

cleanup, please!

GLSA vote: no.
Comment 16 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-22 15:31:04 UTC
GLSA Vote: No
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 15:23:43 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 18 Mike Gilbert gentoo-dev 2015-08-10 16:25:38 UTC
(In reply to Yury German from comment #17)
> Maintainer(s), please drop the vulnerable version(s).

Done.
Comment 19 Chris Mayo 2015-08-10 18:30:48 UTC
(In reply to Mike Gilbert from comment #18)
> (In reply to Yury German from comment #17)
> > Maintainer(s), please drop the vulnerable version(s).
> 
> Done.

pillow-2.8.1 was dropped not pillow-2.5.3-r1?
Comment 20 Mike Gilbert gentoo-dev 2015-08-10 19:00:35 UTC
(In reply to Chris Mayo from comment #19)
> pillow-2.8.1 was dropped not pillow-2.5.3-r1?

So it was. Reverted and fixed, thanks!
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-08-11 13:25:35 UTC
(In reply to Mike Gilbert from comment #20)
> (In reply to Chris Mayo from comment #19)
> > pillow-2.8.1 was dropped not pillow-2.5.3-r1?
> 
> So it was. Reverted and fixed, thanks!

Can we clean up - 2.5.3-r1?
Comment 22 Justin Lecher (RETIRED) gentoo-dev 2015-08-11 13:33:58 UTC
(In reply to Yury German from comment #21)
> Can we clean up - 2.5.3-r1?

it is gone

commit d92be788da01b3fa07df2f02b75f84c1416d1d54
Author: Mike Gilbert <floppym@gentoo.org>
Date:   Mon Aug 10 14:59:25 2015 -0400

    dev-python/pillow: Remove old
    
    Package-Manager: portage-2.2.20

:100644 100644 e5be260... 441f129... M  dev-python/pillow/Manifest
:100644 000000 23478df... 0000000... D  dev-python/pillow/pillow-2.5.3-r1.ebuild
Comment 23 Yury German Gentoo Infrastructure gentoo-dev 2015-08-11 13:36:16 UTC
Maintainer(s), Thank you for you for cleanup.