Bug 13916

Summary: python-pillow and python-imaging new security issue CVE-2014-3589
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/609186/
Whiteboard: MGA3TOO has_procedure advisory MGA4-64-OK mga3-32-ok
Source RPM: python-pillow-2.2.1-0.4.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-08-16 00:01:49 CEST 
Upstream has released version 2.3.2 on August 13 to fix a security issue:
https://pypi.python.org/pypi/Pillow/2.3.2

Philippe updated the package to version 2.3.2 in Cauldron.

The upstream patch commit to fix this is here:
https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d

Patched packages uploaded for Mageia 3 (python-imaging) and Mageia 4 (python-pillow).

Advisory:
========================

Updated python-imaging and python-pillow packages fix security vulnerabilities:

The Python Imaging Library is vulnerable to a denial of service attack in the
IcnsImagePlugin (CVE-2014-3589).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3589
https://pypi.python.org/pypi/Pillow/2.3.2
========================

Updated packages in core/updates_testing:
========================
python-imaging-1.1.7-7.2.mga3
python-imaging-devel-1.1.7-7.2.mga3
python-pillow-2.2.1-0.5.mga4
python-pillow-devel-2.2.1-0.5.mga4
python-pillow-doc-2.2.1-0.5.mga4
python-pillow-sane-2.2.1-0.5.mga4
python-pillow-tk-2.2.1-0.5.mga4
python-pillow-qt-2.2.1-0.5.mga4
python3-pillow-2.2.1-0.5.mga4
python3-pillow-devel-2.2.1-0.5.mga4
python3-pillow-doc-2.2.1-0.5.mga4
python3-pillow-sane-2.2.1-0.5.mga4
python3-pillow-tk-2.2.1-0.5.mga4
python3-pillow-qt-2.2.1-0.5.mga4

from SRPMS:
python-imaging-1.1.7-7.2.mga3.src.rpm
python-pillow-2.2.1-0.5.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-08-16 00:01:54 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-08-16 00:02:28 CEST 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13075#c1

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 RĂ©mi Verschelde 2014-08-19 19:31:18 CEST 
Testing complete on Mageia 4 64bit.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK

Comment 3 claire robinson 2014-08-20 16:35:03 CEST 
Testing complete mga3 32

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure advisory MGA4-64-OK mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2014-08-21 11:37:13 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0343.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-08-21 20:00:56 CEST

URL: (none) => http://lwn.net/Vulnerabilities/609186/