Bug 779760 (CVE-2021-25287, CVE-2021-25288, CVE-2021-28675, CVE-2021-28676, CVE-2021-28677, CVE-2021-28678) - <dev-python/pillow-8.2.0: Multiple vulnerabilities
Summary: <dev-python/pillow-8.2.0: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-25287, CVE-2021-25288, CVE-2021-28675, CVE-2021-28676, CVE-2021-28677, CVE-2021-28678
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Reported: 2021-04-01 22:40 UTC by Sam James
Modified: 2021-07-14 03:18 UTC
Package list:
dev-python/pillow-8.2.0
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester gentoo-dev Security 2021-04-01 22:40:50 UTC
Upstream bug: https://github.com/python-pillow/Pillow/pull/5377

From release notes (https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1):

These were all found with `OSS-Fuzz`_.

 :cve:`CVE-2021-25287`, :cve:`CVE-2021-25288`: Fix OOB read in Jpeg2KDecode
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * For J2k images with multiple bands, it's legal to have different widths for each band,
   e.g. 1 byte for ``L``, 4 bytes for ``A``.
 * This dates to Pillow 2.4.0.

 :cve:`CVE-2021-28675`: Fix DOS in PsdImagePlugin
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input
   layers with regard to the size of the data block; this could lead to a
   denial-of-service on :py:meth:`~PIL.Image.open` prior to
   :py:meth:`~PIL.Image.Image.load`.
 * This dates to the PIL fork.

 :cve:`CVE-2021-28676`: Fix FLI DOS
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * ``FliDecode.c`` did not properly check that the block advance was non-zero,
   potentially leading to an infinite loop on load.
 * This dates to the PIL fork.

 :cve:`CVE-2021-28677`: Fix EPS DOS on _open
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line
   endings. It accidentally used a quadratic method of accumulating lines while looking
   for a line ending.
 * A malicious EPS file could use this to perform a denial-of-service of Pillow in the
   open phase, before an image was accepted for opening.
 * This dates to the PIL fork.

 :cve:`CVE-2021-28678`: Fix BLP DOS
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets
   returned data. This could lead to a denial-of-service where the decoder could be run a
   large number of times on empty data.
 * This dates to Pillow 5.1.0.

 Fix memory DOS in ImageFont
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * A corrupt or specially crafted TTF font could have font metrics that lead to
   unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check
   the image size before allocating memory for it.
 * This dates to the PIL fork.
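As an added illustration of the EPS readline issue (CVE-2021-28677) quoted above, and not code from Pillow or from this bug: a byte-at-a-time header reader that must accept ``\r``, ``\n`` and ``\r\n`` endings, written once with bytes concatenation (quadratic in the line length, so a single long line without any line ending stalls ``open`` before any image data is touched) and once with a ``bytearray`` plus a length bound. The ``max_len`` limit and the sample header are assumptions made for this example.

```python
import io

EOL = b"\r\n"  # the two byte values that end an EPS header line

def _swallow_lf_after_cr(fp, c):
    """Treat \\r\\n as one ending: after a \\r, consume a directly following \\n."""
    if c == b"\r" and fp.peek(1)[:1] == b"\n":
        fp.read(1)

def readline_quadratic(fp):
    """Byte-at-a-time reader built on bytes concatenation (the failure mode).
    `line + c` copies the whole accumulated line on every byte, so a header line
    of n bytes with no \\r or \\n costs O(n^2) before any image data is read."""
    line = b""
    while True:
        c = fp.read(1)
        if not c or c in EOL:
            _swallow_lf_after_cr(fp, c)
            return line
        line = line + c  # full copy of `line` on every byte

def readline_linear(fp, max_len=65536):
    """Same line semantics, amortised O(1) per byte, plus a hard length bound.
    max_len is an assumed limit chosen for this example, not a Pillow constant."""
    buf = bytearray()
    while True:
        c = fp.read(1)
        if not c or c in EOL:
            _swallow_lf_after_cr(fp, c)
            return bytes(buf)
        buf += c  # bytearray grows in place
        if len(buf) > max_len:
            raise ValueError("header line exceeds %d bytes" % max_len)

def read_header_lines(data, reader):
    """Split constructed header bytes into lines, one `reader` call per line."""
    fp = io.BufferedReader(io.BytesIO(data))
    lines = []
    while fp.peek(1):
        lines.append(reader(fp))
    return lines

# Constructed sample with mixed \r\n, bare \r and bare \n endings.
SAMPLE = b"%!PS-Adobe-3.0 EPSF-3.0\r\n%%BoundingBox: 0 0 10 10\r%%EOF\n"
```

Both readers return the same three lines for ``SAMPLE``; only the bounded linear one rejects a crafted header whose single line exceeds ``max_len`` instead of spending quadratic time on it.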
Comment 1 Sam James archtester gentoo-dev Security 2021-04-02 14:09:45 UTC
x86 done
Comment 2 Sam James archtester gentoo-dev Security 2021-04-02 14:10:57 UTC
amd64 done
Comment 3 Rolf Eike Beer archtester 2021-04-04 13:08:11 UTC
sparc stable
Comment 4 Sam James archtester gentoo-dev Security 2021-04-22 23:33:43 UTC
ppc done
Comment 5 Sam James archtester gentoo-dev Security 2021-04-22 23:33:47 UTC
ppc64 done
Comment 6 Sam James archtester gentoo-dev Security 2021-04-25 15:20:19 UTC
arm64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-04-26 19:24:22 UTC
arm done

all arches done
Comment 8 John Helmert III gentoo-dev Security 2021-04-26 23:45:20 UTC
Cleanup already done.
Comment 9 John Helmert III gentoo-dev Security 2021-07-13 01:09:28 UTC
GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-07-14 03:18:22 UTC
This issue was resolved and addressed in
 GLSA 202107-33 at https://security.gentoo.org/glsa/202107-33
by GLSA coordinator John Helmert III (ajak).