Bug 763210 (CVE-2020-35653, CVE-2020-35654, CVE-2020-35655) - <dev-python/pillow-8.1.0: Multiple vulnerabilities (CVE-2020-{35653,35654,35655})
Summary: <dev-python/pillow-8.1.0: Multiple vulnerabilities (CVE-2020-{35653,35654,356...
Status: RESOLVED FIXED
Alias: CVE-2020-35653, CVE-2020-35654, CVE-2020-35655
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords:
Depends on:
Blocks: CVE-2020-10177, CVE-2020-10378, CVE-2020-10379, CVE-2020-10994, CVE-2020-11538
Reported: 2021-01-02 23:41 UTC by Sam James
Modified: 2021-01-18 00:34 UTC
CC List: 2 users

See Also:
Package list:
dev-python/pillow-8.1.0
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-02 23:41:26 UTC
From the 8.1.0 changelog:
* Fix TIFF OOB Write error. CVE-2020-35654 #5175 [wiredfool]
* Fix for Read Overflow in PCX Decoding. CVE-2020-35653 #5174 [wiredfool, radarhere]
* Fix for SGI Decode buffer overrun. CVE-2020-35655 #5173 [wiredfool, radarhere]
* Fix OOB Read when saving GIF of xsize=1 #5149 [wiredfool]
* Fix OOB Read when writing TIFF with custom Metadata #5148 [wiredfool]
* Fixed dereferencing potential null pointers #5108, #5111 [cgohlke, radarhere]
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-02 23:56:24 UTC
Do you remember the times when we could wait 30 days before stabilizing stuff? ;-)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-03 01:17:38 UTC
amd64 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-03 19:38:17 UTC
arm64 done
Comment 4 Rolf Eike Beer archtester 2021-01-03 19:46:37 UTC
sparc stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-06 03:45:49 UTC
x86 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 05:09:58 UTC
ppc done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-09 16:22:23 UTC
arm done
Comment 8 ernsteiswuerfel archtester 2021-01-11 00:33:34 UTC
Looking good on ppc64.

3 tests fail, which is an improvement over 7.0.0 (bug #706570).

 # cat pillow-763210.report 
USE tests started on So 10. Jan 23:14:49 CET 2021

 FEATURES=' test' failed for =dev-python/pillow-8.1.0

revdep tests started on Mo 11. Jan 00:53:52 CET 2021

FEATURES=' test' USE='-minimal python_single_target_python3_8 scanner' succeeded for net-print/hplip
FEATURES=' test' USE='' succeeded for dev-python/sphinx-gallery
FEATURES=' test' USE='' succeeded for dev-python/scipy
FEATURES=' test' USE='python_single_target_python3_8 scripts' succeeded for app-office/scribus
FEATURES=' test' USE='' succeeded for dev-python/matplotlib
FEATURES=' test' USE='' succeeded for dev-python/reportlab
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2021-01-11 09:16:55 UTC
This issue was resolved and addressed in
 GLSA 202101-08 at https://security.gentoo.org/glsa/202101-08
by GLSA coordinator Sam James (sam_c).
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 09:17:37 UTC
Reopening for ppc64.
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 09:18:46 UTC
ppc64 done

all arches done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 09:19:26 UTC
(In reply to ernsteiswuerfel from comment #8)
> Looking good on ppc64.
> 
> 3 tests fail, which is an improvement over 7.0.0 (bug #706570).
> 

Thank you! (And thank you for comparing, it helps in situations like this!)

@maintainers, please cleanup.
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-18 00:34:35 UTC
(In reply to Michał Górny from comment #1)
> Do you remember the times when we could wait 30 days before stabilizing
> stuff? ;-)

I try to make that hard to do!