Bug 811450 (CVE-2021-23437) - <dev-python/pillow-8.3.2: buffer overflow due to color specifiers (?)
Summary: <dev-python/pillow-8.3.2: buffer overflow due to color specifiers (?)
Status: IN_PROGRESS
Alias: CVE-2021-23437
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Depends on: 811453
Blocks: CVE-2021-34552
Reported: 2021-09-02 20:41 UTC by Michał Górny
Modified: 2022-01-10 16:54 UTC

Runtime testing required: ---
Description Michał Górny 2021-09-02 20:41:37 UTC
Apparently the CVE has not been published yet, but the changelog says:

+- CVE-2021-23437 Raise ValueError if color specifier is too long
+  [hugovk, radarhere]
Comment 1 John Helmert III 2021-09-03 18:41:07 UTC
CVE says it's a ReDoS.
Comment 2 John Helmert III 2021-11-14 03:27:26 UTC
Please clean up.
Comment 3 Larry the Git Cow 2021-11-14 08:16:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=489350a86a27cbf30814583641081d7f76bad69a

commit 489350a86a27cbf30814583641081d7f76bad69a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-11-14 08:08:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-11-14 08:16:38 +0000

    dev-python/pillow: Remove old
    
    Bug: https://bugs.gentoo.org/811450
    Bug: https://bugs.gentoo.org/802090
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  3 --
 dev-python/pillow/pillow-8.2.0.ebuild | 98 -----------------------------------
 dev-python/pillow/pillow-8.3.0.ebuild | 98 -----------------------------------
 dev-python/pillow/pillow-8.3.1.ebuild | 98 -----------------------------------
 4 files changed, 297 deletions(-)
Comment 4 John Helmert III 2021-11-14 14:32:52 UTC
Thanks!
Comment 5 filip ambroz 2022-01-10 16:54:19 UTC
There are new bugs affecting versions < 9.0.0: https://bugs.gentoo.org/830934