Bug 729672 (CVE-2020-10177, CVE-2020-10378, CVE-2020-10379, CVE-2020-10994, CVE-2020-11538) - <dev-python/pillow-7.2.0: Multiple vulnerabilities (CVE-2020-{11538,10994,10379,10378,10177})
Summary: <dev-python/pillow-7.2.0: Multiple vulnerabilities (CVE-2020-{11538,10994,103...
Status: RESOLVED FIXED
Alias: CVE-2020-10177, CVE-2020-10378, CVE-2020-10379, CVE-2020-10994, CVE-2020-11538
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 717538 732396 732462 743535 CVE-2020-35653, CVE-2020-35654, CVE-2020-35655
Blocks:
Reported: 2020-06-25 22:44 UTC by Sam James
Modified: 2021-01-18 00:34 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester gentoo-dev Security 2020-06-25 22:44:58 UTC
* CVE-2020-11538

Description:
"In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311."

Fixed in 7.1.0.

URL: https://github.com/python-pillow/Pillow/pull/4504
URL: https://github.com/python-pillow/Pillow/pull/4538

* CVE-2020-10994

Description:
"In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are multiple out-of-bounds reads via a crafted JP2 file."

* CVE-2020-10379

Description:
"In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c."

* CVE-2020-10378

Description:
"In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer."

* CVE-2020-10177

Description:
"Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in libImaging/FliDecode.c."
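The five CVE texts above each give a different affected range, and comment 2 below points out that the 6.2.3 release they refer to never shipped, so the practical question for a defender is which of these apply to a given Pillow version. The following script is an added example, not Gentoo's or Pillow's own code: the affected ranges are transcribed from the descriptions above into half-open version intervals, and the script reports which CVEs still apply to the Pillow found in the current interpreter. The version-string handling and the interval encoding are assumptions made here, not something the bug states.

```python
import re

# Affected ranges, constructed from the CVE descriptions in this bug.
# Each entry lists half-open intervals: affected if lo <= version < hi.
# "before 6.2.3 and 7.x before 7.0.1" becomes two intervals; because no
# 6.2.3 was ever released, every 6.x release remains affected in practice.
AFFECTED = {
    "CVE-2020-11538": [((0,), (7, 1, 0))],  # through 7.0.0, fixed in 7.1.0
    "CVE-2020-10994": [((0,), (7, 0, 0))],  # before 7.0.0
    "CVE-2020-10379": [((0,), (6, 2, 3)), ((7, 0, 0), (7, 0, 1))],
    "CVE-2020-10378": [((0,), (6, 2, 3)), ((7, 0, 0), (7, 0, 1))],
    "CVE-2020-10177": [((0,), (6, 2, 3)), ((7, 0, 0), (7, 0, 1))],
}


def parse_version(text):
    """Turn '7.0.0', '6.2.2' or '7.1.0.post1' into a comparable int tuple.

    Only the leading dotted integers are used; suffixes such as '.post1'
    are ignored, and short versions are padded so that '7' == '7.0.0'.
    """
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def affected_cves(version):
    """Return the CVE ids from this bug that apply to the given Pillow version."""
    v = parse_version(version)
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(lo <= v < hi for lo, hi in ranges)
    )


def installed_pillow_version():
    """Version string of the Pillow importable here, or None if absent."""
    try:
        import PIL
    except ImportError:
        return None
    return getattr(PIL, "__version__", None)


if __name__ == "__main__":
    ver = installed_pillow_version()
    if ver is None:
        print("Pillow is not installed in this interpreter")
    else:
        cves = affected_cves(ver)
        print(f"Pillow {ver}: "
              + (", ".join(cves) if cves else "none of the listed CVEs apply"))
```

Run it inside the virtualenv or system interpreter whose Pillow you care about; `affected_cves("7.0.1")` still reports CVE-2020-11538, because that one was only fixed in 7.1.0, which is why the tracker's fixed version is 7.2.0 rather than 7.0.1.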
Comment 1 Sam James archtester gentoo-dev Security 2020-06-25 23:02:57 UTC
Need to bump to 6.2.3 at least, but 7.1.2 is fine.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-07-01 02:54:56 UTC
(In reply to Sam James (sec padawan) from comment #1)
> Need to bump to 6.2.3 at least, but 7.1.2 is fine.

I don't see any 6.2.3 release.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-07-01 03:07:25 UTC
Let's stabilize what we have first.
Comment 4 Sam James archtester gentoo-dev Security 2020-07-01 03:15:28 UTC
(In reply to Michał Górny from comment #2)
> (In reply to Sam James (sec padawan) from comment #1)
> > Need to bump to 6.2.3 at least, but 7.1.2 is fine.
> 
> I don't see any 6.2.3 release.

My fault. Don't trust CVE text, ever. Sorry!
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-07-01 04:39:30 UTC
There is 6.2.x branch upstream but I don't see any new commits after 6.2.2. I don't think they're going to fix it there, so I guess another urgent py2 cleanup.
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-07-01 09:16:06 UTC
Doesn't look that bad:
https://github.com/gentoo/gentoo/pull/16520#issuecomment-652192856
Comment 7 Sam James archtester gentoo-dev Security 2020-07-03 21:04:59 UTC
(In reply to Michał Górny from comment #5)
> There is 6.2.x branch upstream but I don't see any new commits after 6.2.2.
> I don't think they're going to fix it there, so I guess another urgent py2
> cleanup.

Yeah.. I was worried about this. We can backport it but what's the point?

(In reply to Michał Górny from comment #6)
> Doesn't look that bad:
> https://github.com/gentoo/gentoo/pull/16520#issuecomment-652192856

Scipy will be the ugly one.
Comment 8 Sam James archtester gentoo-dev Security 2020-07-03 21:05:39 UTC
> (In reply to Michał Górny from comment #6)
> > Doesn't look that bad:
> > https://github.com/gentoo/gentoo/pull/16520#issuecomment-652192856
> 
> Scipy will be the ugly one.

Actually, nvm!
Comment 9 Sam James archtester gentoo-dev Security 2020-07-04 12:56:18 UTC
arm64 stable
Comment 10 Sam James archtester gentoo-dev Security 2020-07-04 20:38:44 UTC
arm stable
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-07-05 13:53:44 UTC
amd64 done
Comment 12 Agostino Sarubbo gentoo-dev 2020-07-09 09:11:19 UTC
x86 stable
Comment 13 NATTkA bot gentoo-dev 2020-07-13 10:44:54 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2020-07-13 10:48:43 UTC Comment hidden (obsolete)
Comment 15 Larry the Git Cow gentoo-dev 2020-07-13 11:28:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cdabc307639bd105b7da526dddfef6fdf6f99e6

commit 1cdabc307639bd105b7da526dddfef6fdf6f99e6
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 11:27:02 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 11:28:42 +0000

    package.mask: Last rite mid-profile <pillow-7 revdeps
    
    Bug: https://bugs.gentoo.org/729672
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/base/package.use.mask |  4 ++++
 profiles/package.mask          | 31 +++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
Comment 16 Till Schäfer 2020-07-13 15:20:29 UTC
(In reply to Sam James from comment #7)
> (In reply to Michał Górny from comment #5)
> > There is 6.2.x branch upstream but I don't see any new commits after 6.2.2.
> > I don't think they're going to fix it there, so I guess another urgent py2
> > cleanup.
> 
> Yeah.. I was worried about this. We can backport it but what's the point?
> 
> (In reply to Michał Górny from comment #6)
> > Doesn't look that bad:
> > https://github.com/gentoo/gentoo/pull/16520#issuecomment-652192856
> 
> Scipy will be the ugly one.

pillow for python 2.7 (i.e., < version 7) is still required for media-tv/kodi-18.7 (no scipy dep). Thus a patch on pillow-6.2.2 would be very much welcome. I guess kodi-18 will still be around for some time before 19 is released.
Comment 17 Rolf Eike Beer archtester 2020-09-11 17:18:05 UTC
sparc stable
Comment 18 NATTkA bot gentoo-dev 2020-09-18 15:33:04 UTC Comment hidden (obsolete)
Comment 19 NATTkA bot gentoo-dev 2020-09-18 15:45:09 UTC Comment hidden (obsolete)
Comment 20 Larry the Git Cow gentoo-dev 2020-11-10 10:21:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acf1e47d617c6bfbec3c8b6a1f1c95bb0ebfedc3

commit acf1e47d617c6bfbec3c8b6a1f1c95bb0ebfedc3
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-11-10 10:19:08 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-11-10 10:21:05 +0000

    package.mask: Mask vulnerable dev-python/pillow and revdeps (kodi)
    
    Bug: https://bugs.gentoo.org/729672
    Bug: https://bugs.gentoo.org/717538
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
Comment 21 Larry the Git Cow gentoo-dev 2020-11-19 19:52:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a118277dadc83d19c50ff9628b4bc5bcfc0f4060

commit a118277dadc83d19c50ff9628b4bc5bcfc0f4060
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-11-19 19:51:08 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-11-19 19:51:14 +0000

    dev-python/pillow: Remove old
    
    Bug: https://bugs.gentoo.org/729672
    Closes: https://bugs.gentoo.org/717538
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  1 -
 dev-python/pillow/pillow-6.2.2.ebuild | 83 -----------------------------------
 2 files changed, 84 deletions(-)
Comment 22 NATTkA bot gentoo-dev 2021-01-11 09:25:07 UTC
Unable to check for sanity:

> no match for package: dev-python/pillow-7.2.0
Comment 23 Sam James archtester gentoo-dev Security 2021-01-18 00:34:19 UTC
noglsa (it's covered by the more recent one), cleanup done.