Bug 774387 (CVE-2021-27921, CVE-2021-27922, CVE-2021-27923) - <dev-python/pillow-8.1.2: Multiple vulnerabilities (CVE-2021-{27921,27922,27923})
Status: RESOLVED FIXED
Alias: CVE-2021-27921, CVE-2021-27922, CVE-2021-27923
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Blocks: CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293
Reported: 2021-03-06 05:33 UTC by Sam James
Modified: 2021-07-14 03:18 UTC

Description Sam James archtester gentoo-dev Security 2021-03-06 05:33:49 UTC
From 8.1.2 release notes:
"There is an exhaustion of memory DOS in the BLP (CVE-2021-27921), ICNS (CVE-2021-27922) and ICO (CVE-2021-27923) container formats where Pillow did not properly check the reported size of the contained image. These images could cause arbitrarily large memory allocations. This was reported by Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan of Arizona State University."
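The release note describes the same defect in three container formats: the outer container reports the size of the image it wraps, the decoder trusts a size it has not cross-checked, and the allocation it makes is attacker-controlled. The following is an added example, written for this page and not code from Pillow or from the Gentoo bug; it shows the kind of pre-check that the fix reinstated, for ICO only, since it has the simplest layout of the three. It parses the ICO directory, confirms each payload lies inside the bytes actually received, reads the dimensions from the payload's own header (PNG IHDR or headerless DIB, which is what a decoder would allocate from), and rejects the file if that header disagrees with the directory entry or exceeds a pixel budget, all before any pixel buffer exists. The pixel budget (MAX_PIXELS), the strict equality between directory and payload header, and build_ico (which constructs sample files, including a forged one) are assumptions of this example, not Pillow behaviour; the 0-means-256 rule and the doubled DIB height are ICO format facts.

```python
import struct

# ICO container layout: a 6-byte header followed by 16-byte directory entries,
# each pointing at a payload that is either a PNG stream or a headerless DIB.
ICO_HEADER = struct.Struct("<HHH")        # reserved, type (1 = icon), entry count
ICO_ENTRY = struct.Struct("<BBBBHHII")    # width, height, colours, reserved, planes, bpp, bytes, offset
PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Policy budget for a single contained image (assumption for this example).
MAX_PIXELS = 16 * 1024 * 1024


class UntrustedImage(ValueError):
    """Raised when the container's declared sizes cannot be trusted."""


def _inner_dimensions(blob):
    """Dimensions declared by the embedded image's own header.

    PNG: width/height live in the IHDR chunk at bytes 16..24.
    DIB: a BITMAPINFOHEADER whose biHeight covers both the XOR and AND
    masks, so the real icon height is half of it.
    """
    if blob[:8] == PNG_SIG:
        if len(blob) < 24:
            raise UntrustedImage("truncated PNG IHDR")
        return struct.unpack(">II", blob[16:24])
    if len(blob) < 12:
        raise UntrustedImage("truncated DIB header")
    hdr_size, w, h = struct.unpack("<Iii", blob[:12])
    if hdr_size < 40 or w <= 0 or h == 0:
        raise UntrustedImage("malformed DIB header")
    return w, abs(h) // 2


def check_ico(data, max_pixels=MAX_PIXELS):
    """Validate every entry of an ICO container before any pixel buffer is
    allocated. Returns the list of (width, height) per entry, or raises
    UntrustedImage. Decoding should only start once this returns."""
    if len(data) < ICO_HEADER.size:
        raise UntrustedImage("truncated ICO header")
    reserved, kind, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise UntrustedImage("not an ICO container")
    dir_end = ICO_HEADER.size + count * ICO_ENTRY.size
    if dir_end > len(data):
        raise UntrustedImage("directory overruns file")

    sizes = []
    for i in range(count):
        w, h, _, _, _, _, size, offset = ICO_ENTRY.unpack_from(
            data, ICO_HEADER.size + i * ICO_ENTRY.size)
        w, h = w or 256, h or 256            # a directory byte of 0 means 256
        # 1. the payload must lie entirely inside the bytes we actually have
        if offset < dir_end or size == 0 or offset + size > len(data):
            raise UntrustedImage(f"entry {i}: payload outside file")
        # 2. the embedded header is the number a decoder would allocate from,
        #    so it must agree with the directory (strict policy, see lead-in)
        iw, ih = _inner_dimensions(data[offset:offset + size])
        if (iw, ih) != (w, h):
            raise UntrustedImage(
                f"entry {i}: directory says {w}x{h}, payload header says {iw}x{ih}")
        # 3. and the resulting allocation must fit the budget
        if iw * ih > max_pixels:
            raise UntrustedImage(f"entry {i}: {iw}x{ih} exceeds pixel budget")
        sizes.append((iw, ih))
    return sizes


def build_ico(width, height, inner_w=None, inner_h=None, png=False):
    """Construct a minimal single-entry ICO (sample data for this example, not a
    real icon). inner_w/inner_h forge a payload header that disagrees with the
    directory entry, which is the shape of input the check above rejects."""
    inner_w = width if inner_w is None else inner_w
    inner_h = height if inner_h is None else inner_h
    if png:
        ihdr = struct.pack(">I4sIIBBBBB", 13, b"IHDR", inner_w, inner_h, 8, 6, 0, 0, 0)
        payload = PNG_SIG + ihdr + bytes(4)          # CRC left as zeros
    else:
        dib = struct.pack("<IiiHHIIiiII", 40, inner_w, inner_h * 2, 1, 32, 0, 0, 0, 0, 0, 0)
        payload = dib + bytes(16)                     # token pixel bytes only
    entry = ICO_ENTRY.pack(width % 256, height % 256, 0, 0, 1, 32,
                           len(payload), ICO_HEADER.size + ICO_ENTRY.size)
    return ICO_HEADER.pack(0, 1, 1) + entry + payload


if __name__ == "__main__":
    print(check_ico(build_ico(32, 32)))
    try:
        check_ico(build_ico(32, 32, inner_w=60000, inner_h=60000))
    except UntrustedImage as e:
        print("rejected:", e)
```

The forged file in the `__main__` block is a few dozen bytes long yet declares a 60000x60000 payload; a decoder that sized its buffer from that header would attempt a multi-gigabyte allocation, which is the memory-exhaustion pattern the release note describes. The check costs one header read per entry and runs before the decoder is ever handed the bytes. Upgrading to a fixed Pillow remains the actual remedy; a pre-filter like this belongs in front of untrusted upload paths as defence in depth, and the equality rule should be relaxed to a "not larger than" rule if you need to accept icons whose payload is legitimately bigger than the 256-pixel ceiling of the directory entry.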
Comment 1 Larry the Git Cow gentoo-dev 2021-03-06 07:31:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db72e351cef669fd3d42a1c391cf94f503799845

commit db72e351cef669fd3d42a1c391cf94f503799845
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-03-06 07:28:38 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-03-06 07:31:24 +0000

    dev-python/pillow: Bump to 8.1.2
    
    Bug: https://bugs.gentoo.org/774387
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  1 +
 dev-python/pillow/pillow-8.1.2.ebuild | 98 +++++++++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+)
Comment 2 Rolf Eike Beer archtester 2021-03-07 19:49:58 UTC
sparc stable
Comment 3 Sam James archtester gentoo-dev Security 2021-03-08 10:27:57 UTC
arm64 done
Comment 4 Sam James archtester gentoo-dev Security 2021-03-08 10:28:30 UTC
arm done
Comment 5 Sam James archtester gentoo-dev Security 2021-03-08 10:42:12 UTC
ppc done
Comment 6 Sam James archtester gentoo-dev Security 2021-03-08 23:01:32 UTC
amd64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-03-08 23:02:07 UTC
x86 done
Comment 8 ernsteiswuerfel archtester 2021-03-17 15:51:31 UTC
Looking mostly good on ppc64.

1 test fails (bug #763309).
rdep scipy fails tests (bug #776949).

 # cat /mnt/mychroot/root/tatt/pillow-774387.report 
USE tests started on Mi 17. Mär 01:54:32 CET 2021

USE='jpeg2k' FEATURES=' test' failed for =dev-python/pillow-8.1.2

revdep tests started on Mi 17. Mär 01:59:48 CET 2021

FEATURES=' test' USE='-minimal python_single_target_python3_8 scanner' succeeded for net-print/hplip
FEATURES=' test' USE='' succeeded for dev-python/sphinx-gallery
FEATURES=' test' USE='python_single_target_python3_8 scripts' succeeded for app-office/scribus
FEATURES=' test' USE='' succeeded for dev-python/blockdiag
FEATURES=' test' USE='' succeeded for dev-python/matplotlib
 FEATURES=' test' failed for dev-python/scipy
FEATURES=' test' USE='' succeeded for dev-python/reportlab
Comment 9 Sam James archtester gentoo-dev Security 2021-03-28 13:53:47 UTC
ppc64 done

all arches done
Comment 10 John Helmert III gentoo-dev Security 2021-03-28 14:52:55 UTC
Please cleanup
Comment 11 Larry the Git Cow gentoo-dev 2021-03-28 15:57:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=949d542a6510885cb705b5802fe2a1a2f54dc821

commit 949d542a6510885cb705b5802fe2a1a2f54dc821
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-03-28 15:55:28 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-03-28 15:56:11 +0000

    dev-python/pillow: Remove old
    
    Bug: https://bugs.gentoo.org/774387
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  1 -
 dev-python/pillow/pillow-8.1.1.ebuild | 98 -----------------------------------
 2 files changed, 99 deletions(-)
Comment 12 John Helmert III gentoo-dev Security 2021-03-28 16:00:29 UTC
Thanks!
Comment 13 John Helmert III gentoo-dev Security 2021-07-13 01:09:27 UTC
GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2021-07-14 03:18:17 UTC
This issue was resolved and addressed in
 GLSA 202107-33 at https://security.gentoo.org/glsa/202107-33
by GLSA coordinator John Helmert III (ajak).