This release contains a security fix for potential denial of service attacks using compressed text chunks (http://pillow.readthedocs.org/releasenotes/2.7.0.html#png-text-chunk-size-limits)
Reproducible: Always
CVE-2014-9601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9601): Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.
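The defect is a decompression bomb: a zTXt or compressed iTXt chunk a few kilobytes long can inflate to gigabytes. As an added illustration (not part of this bug report and not Pillow's own code), the scanner below walks the PNG chunk stream and inflates each compressed text chunk only until output passes a bounded limit, so an oversized chunk is flagged without ever materialising it. The 1 MiB limit and the sample PNG are constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_TEXT_CHUNK = 1024 * 1024  # constructed policy limit, not Pillow's own constant

def iter_chunks(data):
    """Yield (type, body) for each chunk of a PNG byte string (CRCs not verified)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC

def compressed_payload(ctype, body):
    """Return the zlib stream inside a zTXt or compressed iTXt chunk, else None."""
    _keyword, sep, rest = body.partition(b"\x00")
    if sep and ctype == b"zTXt" and rest[:1] == b"\x00":   # method 0 = deflate
        return rest[1:]
    if sep and ctype == b"iTXt" and rest[:1] == b"\x01":   # flag 1 = compressed
        _lang, _, rest = rest[2:].partition(b"\x00")         # skip flag + method
        return rest.partition(b"\x00")[2]                    # drop translated keyword
    return None

def inflated_size(compressed, limit):
    """Inflate incrementally; stop once output passes limit (returns at most limit + 1)."""
    d = zlib.decompressobj()
    total, buf = 0, compressed
    while total <= limit and not d.eof:
        out = d.decompress(buf, limit + 1 - total)  # bounded output per call
        total += len(out)
        buf = d.unconsumed_tail
        if not out and not buf:
            break  # truncated or corrupt stream: nothing more can be produced
    return total

def oversized_text_chunks(png, limit=MAX_TEXT_CHUNK):
    """Return the types of text chunks whose inflated size exceeds limit."""
    return [ctype.decode("ascii") for ctype, body in iter_chunks(png)
            if (p := compressed_payload(ctype, body)) is not None and inflated_size(p, limit) > limit]

def sample_png(text):
    """Constructed PNG skeleton (IHDR, one zTXt, IEND; no IDAT) for exercising the scanner."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"zTXt", b"Comment\x00\x00" + zlib.compress(text)) + chunk(b"IEND", b"")
```

A 4 MiB run of zero bytes compresses to a few kilobytes, so `sample_png(b"\x00" * (4 * 1024 * 1024))` is a small file that the scanner reports as oversized while a normal comment passes.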
Thank you for the report.
+*pillow-2.8.1 (03 Apr 2015)
+
+  03 Apr 2015; Justin Lecher <jlec@gentoo.org> +pillow-2.8.1.ebuild,
+  -pillow-2.4.0-r1.ebuild, metadata.xml:
+  Version BUmp, with fix for CVE-2014-9601, #534748; drop old

We will wait for some time and then go for stable.
30+ days have passed. Are we ready for stable?
(In reply to Yury German from comment #4)
> 30+ days have passed. We ready for stable?

arrgs, forgot about this one. No bugs so far, @arches please stabilize dev-python/pillow-2.8.1
(since I am changing summary / whiteboard anyway, going to add targets)

Arches, please test and mark stable:
=dev-python/pillow-2.8.1
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Thank you!
Stable for HPPA and PPC64.
amd64 stable
arm stable
x86 stable
sparc stable
ppc stable
alpha stable
Can we finish stabilization on ia64? It is the only one left, and we have been waiting for a while on it.
ia64 stable. Cleanup, please! GLSA vote: no.
GLSA Vote: No
Maintainer(s), please drop the vulnerable version(s).
(In reply to Yury German from comment #17)
> Maintainer(s), please drop the vulnerable version(s).

Done.
(In reply to Mike Gilbert from comment #18)
> (In reply to Yury German from comment #17)
> > Maintainer(s), please drop the vulnerable version(s).
>
> Done.

pillow-2.8.1 was dropped, not pillow-2.5.3-r1?
(In reply to Chris Mayo from comment #19)
> pillow-2.8.1 was dropped not pillow-2.5.3-r1?

So it was. Reverted and fixed, thanks!
(In reply to Mike Gilbert from comment #20)
> (In reply to Chris Mayo from comment #19)
> > pillow-2.8.1 was dropped not pillow-2.5.3-r1?
>
> So it was. Reverted and fixed, thanks!

Can we clean up 2.5.3-r1?
(In reply to Yury German from comment #21)
> Can we clean up - 2.5.3-r1?

It is gone:

commit d92be788da01b3fa07df2f02b75f84c1416d1d54
Author: Mike Gilbert <floppym@gentoo.org>
Date:   Mon Aug 10 14:59:25 2015 -0400

    dev-python/pillow: Remove old

    Package-Manager: portage-2.2.20

:100644 100644 e5be260... 441f129... M  dev-python/pillow/Manifest
:100644 000000 23478df... 0000000... D  dev-python/pillow/pillow-2.5.3-r1.ebuild
Maintainer(s), thank you for the cleanup.