520226 – (CVE-2014-3589) <dev-python/pillow-2.5.3-r1: DoS in IcnsImagePlugin (CVE-2014-3589)

Bug 520226 (CVE-2014-3589) - <dev-python/pillow-2.5.3-r1: DoS in IcnsImagePlugin (CVE-2014-3589)

Summary: <dev-python/pillow-2.5.3-r1: DoS in IcnsImagePlugin (CVE-2014-3589)

Status:	RESOLVED FIXED

Alias:	CVE-2014-3589

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:	522426
Blocks:
	Show dependency tree

Reported:	2014-08-19 06:31 UTC by Agostino Sarubbo
Modified:	2015-05-11 20:29 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
build.log (build.log,397.35 KB, text/plain) 2014-08-19 13:07 UTC, jospezial	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2014-08-19 06:31:54 UTC

From ${URL} :

A denial of service vulnerability was reported in the Python Image Library 
and all versions of its fork, Pillow.  If a user were able to supply date to 
the Image.open routine or similar APIs they could cause the application to 
crash due to inadequate input validation in the IcnsImagePlugin module.  This 
has been corrected in upstream version 2.3.2 [1] and 2.5.2 [2]; a patch is 
available [3].

[1] https://pypi.python.org/pypi/Pillow/2.3.2
[2] https://pypi.python.org/pypi/Pillow/2.5.2
[3] 
https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev

2014-08-19 08:24:55 UTC

I've bumped it to 2.5.3, which includes a fix for the similar CVE-2014-3598 (denial of service vulnerability against JPEG 2K images).

https://github.com/python-pillow/Pillow/commit/05a169d65c19940495c26769ae66c5d1a001cb9f

Comment 2 jospezial 2014-08-19 13:07:03 UTC

Created attachment 383122 [details]
build.log

Comment 3 jospezial 2014-08-19 13:08:06 UTC

writing byte-compilation script '/var/tmp/portage/dev-python/pillow-2.5.3/temp/python2.7/tmpNDZaSk.py'
/usr/bin/python2.7 -OO /var/tmp/portage/dev-python/pillow-2.5.3/temp/python2.7/tmpNDZaSk.py
removing /var/tmp/portage/dev-python/pillow-2.5.3/temp/python2.7/tmpNDZaSk.py
running install_egg_info
Writing /var/tmp/portage/dev-python/pillow-2.5.3/image//_python2.7/usr/lib64/python2.7/site-packages/pysane-2.0-py2.7.egg-info
 * python2_7: running distutils-r1_run_phase python_install_all
/usr/bin/install: cannot stat ‘Sane/README’: No such file or directory
!!! dodoc: Sane/README does not exist
 * ERROR: dev-python/pillow-2.5.3::gentoo failed (install phase):
 *   dodoc failed

Comment 4 Dirkjan Ochtman (RETIRED) gentoo-dev

2014-08-19 17:00:29 UTC

That should be fixed now, please try it again.

Comment 5 jospezial 2014-08-20 10:01:43 UTC

emerging works now

Comment 6 Yury German Gentoo Infrastructure

2014-08-25 17:24:42 UTC

Maintainers, please advise when ebuilds have had enough testing, and are ready for stabilization.

Comment 7 Yury German Gentoo Infrastructure

2014-10-05 12:59:09 UTC

Stabilization is being done in Bug 522426

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2015-01-04 00:57:34 UTC

CVE-2014-3589 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3589):
  PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before
  2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of
  service via a crafted block size.

Comment 9 Justin Lecher (RETIRED) gentoo-dev

2015-04-03 19:35:28 UTC

All vulnerable versions removed.

Comment 10 Yury German Gentoo Infrastructure

2015-04-04 16:47:14 UTC

Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No

Comment 11 Mikle Kolyada (RETIRED) archtester

2015-05-11 20:06:58 UTC

GLSA vote: no.

Closing as [noglsa]