From 8.1.1 release notes:
CVE-2021-25289: The previous fix for CVE-2020-35654 was insufficient due to incorrect error checking in TiffDecode.c.
CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size.
CVE-2021-25291: In TiffDecode.c, invalid tile boundaries could lead to an OOB Read in TiffReadRGBATile.
CVE-2021-25292: The PDF parser has a catastrophic backtracking regex that could be used as a DoS attack.
CVE-2021-25293: There is an Out of Bounds Read in SGIRleDecode.c, since Pillow 4.3.0.
Please bump to 8.1.1.
Unable to check for sanity:
> no match for package: dev-python/pillow-8.1.1
All sanity-check issues have been resolved
all arches done
The bug has been referenced in the following commit(s):
Author: Michał Górny <firstname.lastname@example.org>
AuthorDate: 2021-03-02 08:41:56 +0000
Commit: Michał Górny <email@example.com>
CommitDate: 2021-03-02 08:43:52 +0000
dev-python/pillow: Remove old
Signed-off-by: Michał Górny <firstname.lastname@example.org>
dev-python/pillow/Manifest | 1 -
dev-python/pillow/pillow-8.1.0.ebuild | 98 -----------------------------------
2 files changed, 99 deletions(-)
A few more CVEs appear to be covered by this release which reference the Pillow-8.1.1 release notes, but the release notes do not reference the CVEs.
(In reply to John Helmert III from comment #13)
> A few more CVEs appear to be covered by this release which reference the
> Pillow-8.1.1 release notes, but the release notes do not reference the CVEs.
This turned out to be 8.1.2 instead: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html.
GLSA request filed.
This issue was resolved and addressed in
GLSA 202107-33 at https://security.gentoo.org/glsa/202107-33
by GLSA coordinator John Helmert III (ajak).