Bug 802090 (CVE-2021-34552) - <dev-python/pillow-8.3.0: buffer overflow (CVE-2021-34552)
Summary: <dev-python/pillow-8.3.0: buffer overflow (CVE-2021-34552)
Status: IN_PROGRESS
Alias: CVE-2021-34552
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://pillow.readthedocs.io/en/stab...
Whiteboard: A2 [glsa+]
Keywords:
Depends on: CVE-2021-23437
Blocks:
Reported: 2021-07-14 02:52 UTC by John Helmert III
Modified: 2022-11-22 04:05 UTC

See Also:
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-14 02:52:49 UTC
CVE-2021-34552:

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.


Please stabilize 8.3.0.
Comment 1 Rolf Eike Beer archtester 2021-07-21 19:40:36 UTC
sparc stable
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-22 02:49:51 UTC
amd64 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-22 02:50:28 UTC
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-26 04:36:57 UTC
arm64 done
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 07:14:16 UTC
Ping.
Comment 6 Larry the Git Cow gentoo-dev 2021-10-16 02:28:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11523faea2b3008fd55f6c371dd218267d91cb6f

commit 11523faea2b3008fd55f6c371dd218267d91cb6f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-10-16 02:27:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-10-16 02:27:26 +0000

    dev-python/pillow: add USE=truetype to test REQUIRED_USE
    
    See 11131c2b5d5252fdca56643a4b976c6ac0ca11ea.
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=811453
    Bug: https://bugs.gentoo.org/802090
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pillow/pillow-8.3.0.ebuild | 2 +-
 dev-python/pillow/pillow-8.3.1.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 00:12:59 UTC
arm done
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-11 15:56:31 UTC
Ping ppc, ppc64
Comment 9 NATTkA bot gentoo-dev 2021-11-14 03:32:38 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 10 Larry the Git Cow gentoo-dev 2021-11-14 08:16:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=489350a86a27cbf30814583641081d7f76bad69a

commit 489350a86a27cbf30814583641081d7f76bad69a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-11-14 08:08:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-11-14 08:16:38 +0000

    dev-python/pillow: Remove old
    
    Bug: https://bugs.gentoo.org/811450
    Bug: https://bugs.gentoo.org/802090
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  3 --
 dev-python/pillow/pillow-8.2.0.ebuild | 98 -----------------------------------
 dev-python/pillow/pillow-8.3.0.ebuild | 98 -----------------------------------
 dev-python/pillow/pillow-8.3.1.ebuild | 98 -----------------------------------
 4 files changed, 297 deletions(-)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-14 21:15:13 UTC
GLSA request filed
Comment 12 Larry the Git Cow gentoo-dev 2022-11-22 04:01:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=65e54c1c2d5aa2b4a2012ca5e8d6771961ac4118

commit 65e54c1c2d5aa2b4a2012ca5e8d6771961ac4118
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-22 03:53:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:40 +0000

    [ GLSA 202211-10 ] Pillow: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/802090
    Bug: https://bugs.gentoo.org/811450
    Bug: https://bugs.gentoo.org/830934
    Bug: https://bugs.gentoo.org/832598
    Bug: https://bugs.gentoo.org/855683
    Bug: https://bugs.gentoo.org/878769
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-10.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 04:05:57 UTC
GLSA released, all done!