Upstream bug: https://github.com/python-pillow/Pillow/pull/5377

From release notes (https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1):

These were all found with `OSS-Fuzz`_.

:cve:`CVE-2021-25287`, :cve:`CVE-2021-25288`: Fix OOB read in Jpeg2KDecode
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* For J2k images with multiple bands, it's legal to have different widths for each band, e.g. 1 byte for ``L``, 4 bytes for ``A``.
* This dates to Pillow 2.4.0.

:cve:`CVE-2021-28675`: Fix DOS in PsdImagePlugin
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input layers with regard to the size of the data block, this could lead to a denial-of-service on :py:meth:`~PIL.Image.open` prior to :py:meth:`~PIL.Image.Image.load`.
* This dates to the PIL fork.

:cve:`CVE-2021-28676`: Fix FLI DOS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* ``FliDecode.c`` did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
* This dates to the PIL fork.

:cve:`CVE-2021-28677`: Fix EPS DOS on _open
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line endings. It accidentally used a quadratic method of accumulating lines while looking for a line ending.
* A malicious EPS file could use this to perform a denial-of-service of Pillow in the open phase, before an image was accepted for opening.
* This dates to the PIL fork.

:cve:`CVE-2021-28678`: Fix BLP DOS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets returned data. This could lead to a denial-of-service where the decoder could be run a large number of times on empty data.
* This dates to Pillow 5.1.0.

Fix memory DOS in ImageFont
^^^^^^^^^^^^^^^^^^^^^^^^^^^

* A corrupt or specially crafted TTF font could have font metrics that lead to unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check the image size before allocating memory for it.
* This dates to the PIL fork.
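The EPS item in the release notes above concerns a line reader that must accept any mix of ``\r`` and ``\n`` and that accumulated lines quadratically. As an added example (not Pillow's code and not part of this bug report), here is one way to read such lines in a single pass; the names `iter_lines`, `lines_of`, `chunk_size` and `max_line` are assumptions, and the `max_line` cap is extra hardening that the release notes do not mention.

```python
import io
import re

# \r\n and \n\r count as one terminator; a lone \r or \n also ends a line.
_EOL = re.compile(rb"\r\n|\n\r|\r|\n")

# Constructed sample header with three different line-ending styles.
SAMPLE = b"%!PS-Adobe-3.0 EPSF-3.0\r\n%%BoundingBox: 0 0 10 10\r%%EndComments\n\rlast"


def iter_lines(fp, chunk_size=4096, max_line=1 << 16):
    """Yield lines from binary stream fp without rescanning bytes already seen."""
    buf = bytearray()
    pos = scan = 0          # pos: start of current line, scan: where to resume searching
    eof = False
    while True:
        m = _EOL.search(buf, scan)
        # A terminator touching the end of buf may be half of a pair, so wait
        # for one more byte (or EOF) before deciding where the line ends.
        if m and (m.end() < len(buf) or eof):
            yield bytes(buf[pos:m.start()])
            pos = scan = m.end()
            continue
        if eof:
            if pos < len(buf):
                yield bytes(buf[pos:])      # final line without terminator
            return
        if len(buf) - pos > max_line:
            # Bound memory: refuse input that never produces a line ending.
            raise ValueError("line longer than max_line bytes")
        # Remember how far we searched, then drop the consumed lines.
        scan = (m.start() if m else len(buf)) - pos
        del buf[:pos]
        pos = 0
        chunk = fp.read(chunk_size)
        if chunk:
            buf += chunk
        else:
            eof = True


def lines_of(data, **kwargs):
    """Convenience wrapper: split an in-memory bytes object into lines."""
    return list(iter_lines(io.BytesIO(data), **kwargs))


if __name__ == "__main__":
    for line in lines_of(SAMPLE):
        print(line)
```
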
x86 done
amd64 done
sparc stable
ppc done
ppc64 done
arm64 done
arm done
all arches done
Cleanup already done.
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-33 at https://security.gentoo.org/glsa/202107-33 by GLSA coordinator John Helmert III (ajak).