* CVE-2020-11538
  Description: "In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311."
  Fixed in 7.1.0.
  URL: https://github.com/python-pillow/Pillow/pull/4504
  URL: https://github.com/python-pillow/Pillow/pull/4538
* CVE-2020-10994
  Description: "In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are multiple out-of-bounds reads via a crafted JP2 file."
* CVE-2020-10379
  Description: "In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c."
* CVE-2020-10378
  Description: "In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer."
* CVE-2020-10177
  Description: "Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in libImaging/FliDecode.c."
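An added example (not from the report and not Pillow's code): the affected ranges quoted above, encoded as a version checker so an installed Pillow can be tested against every CVE in the list. It takes the CVE text at face value, including the 6.2.3 upper bound that the discussion in this bug says was never released, so in practice every 6.x release matches.

```python
# Added example, not part of the bug report: encode the affected version
# ranges exactly as quoted from the CVE descriptions and check a Pillow
# version string against them. The 6.2.3 bound is copied from the CVE text
# even though (per this bug) no 6.2.3 release exists.

# (lower_inclusive, upper_exclusive) version tuples, one list per CVE.
AFFECTED = {
    # "through 7.0.0", fixed in 7.1.0
    "CVE-2020-11538": [((0,), (7, 1, 0))],
    # "before 7.0.0"
    "CVE-2020-10994": [((0,), (7, 0, 0))],
    # "before 6.2.3 and 7.x before 7.0.1"
    "CVE-2020-10379": [((0,), (6, 2, 3)), ((7,), (7, 0, 1))],
    "CVE-2020-10378": [((0,), (6, 2, 3)), ((7,), (7, 0, 1))],
    "CVE-2020-10177": [((0,), (6, 2, 3)), ((7,), (7, 0, 1))],
}


def parse_version(text):
    """'7.1.2' -> (7, 1, 2). Raises ValueError on non-numeric components."""
    return tuple(int(part) for part in text.strip().split("."))


def affected_cves(version):
    """Return the CVE ids whose quoted range covers the given version."""
    v = parse_version(version)
    # Tuple comparison is lexicographic, so (7,) <= (7, 0, 0) < (7, 0, 1).
    return [cve for cve, ranges in AFFECTED.items()
            if any(lo <= v < hi for lo, hi in ranges)]


def installed_pillow_cves():
    """Check the Pillow importable in this interpreter; None if absent."""
    try:
        import PIL
    except ImportError:
        return None
    return affected_cves(PIL.__version__)


if __name__ == "__main__":
    for candidate in ("6.2.2", "7.0.0", "7.1.2"):
        print(candidate, affected_cves(candidate) or "not affected")
```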
Need to bump to 6.2.3 at least, but 7.1.2 is fine.
(In reply to Sam James (sec padawan) from comment #1)
> Need to bump to 6.2.3 at least, but 7.1.2 is fine.

I don't see any 6.2.3 release.
Let's stabilize what we have first.
(In reply to Michał Górny from comment #2)
> (In reply to Sam James (sec padawan) from comment #1)
> > Need to bump to 6.2.3 at least, but 7.1.2 is fine.
>
> I don't see any 6.2.3 release.

My fault. Don't trust CVE text, ever. Sorry!
There is 6.2.x branch upstream but I don't see any new commits after 6.2.2. I don't think they're going to fix it there, so I guess another urgent py2 cleanup.
Doesn't look that bad: https://github.com/gentoo/gentoo/pull/16520#issuecomment-652192856
(In reply to Michał Górny from comment #5)
> There is 6.2.x branch upstream but I don't see any new commits after 6.2.2.
> I don't think they're going to fix it there, so I guess another urgent py2
> cleanup.

Yeah.. I was worried about this. We can backport it but what's the point?

(In reply to Michał Górny from comment #6)
> Doesn't look that bad:
> https://github.com/gentoo/gentoo/pull/16520#issuecomment-652192856

Scipy will be the ugly one.
> (In reply to Michał Górny from comment #6)
> > Doesn't look that bad:
> > https://github.com/gentoo/gentoo/pull/16520#issuecomment-652192856
>
> Scipy will be the ugly one.

Actually, nvm!
arm64 stable
arm stable
amd64 done
x86 stable
Unable to check for sanity:

> dependent bug #732462 is missing keywords
All sanity-check issues have been resolved
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cdabc307639bd105b7da526dddfef6fdf6f99e6

commit 1cdabc307639bd105b7da526dddfef6fdf6f99e6
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 11:27:02 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 11:28:42 +0000

    package.mask: Last rite mid-profile <pillow-7 revdeps

    Bug: https://bugs.gentoo.org/729672
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/base/package.use.mask |  4 ++++
 profiles/package.mask          | 31 +++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
(In reply to Sam James from comment #7)
> (In reply to Michał Górny from comment #5)
> > There is 6.2.x branch upstream but I don't see any new commits after 6.2.2.
> > I don't think they're going to fix it there, so I guess another urgent py2
> > cleanup.
>
> Yeah.. I was worried about this. We can backport it but what's the point?
>
> (In reply to Michał Górny from comment #6)
> > Doesn't look that bad:
> > https://github.com/gentoo/gentoo/pull/16520#issuecomment-652192856
>
> Scipy will be the ugly one.

pillow for python 2.7 (i.e., < version 7) is still required for media-tv/kodi-18.7 (no scipy dep). Thus a patch on pillow-6.2.2 would be very much welcome. I guess kodi-18 will still be around for some time before 19 is released.
sparc stable
Unable to check for sanity:

> no match for package: dev-python/pillow-7.1.2
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acf1e47d617c6bfbec3c8b6a1f1c95bb0ebfedc3

commit acf1e47d617c6bfbec3c8b6a1f1c95bb0ebfedc3
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-11-10 10:19:08 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-11-10 10:21:05 +0000

    package.mask: Mask vulnerable dev-python/pillow and revdeps (kodi)

    Bug: https://bugs.gentoo.org/729672
    Bug: https://bugs.gentoo.org/717538
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a118277dadc83d19c50ff9628b4bc5bcfc0f4060

commit a118277dadc83d19c50ff9628b4bc5bcfc0f4060
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-11-19 19:51:08 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-11-19 19:51:14 +0000

    dev-python/pillow: Remove old

    Bug: https://bugs.gentoo.org/729672
    Closes: https://bugs.gentoo.org/717538
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  1 -
 dev-python/pillow/pillow-6.2.2.ebuild | 83 -----------------------------------
 2 files changed, 84 deletions(-)
Unable to check for sanity:

> no match for package: dev-python/pillow-7.2.0
noglsa (it's covered by the more recent one), cleanup done.