| Summary: | python-pillow new security issue CVE-2014-9601 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | makowski.mageia, olchal, pterjan, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/630331/ | ||
| Whiteboard: | has_procedure advisory mga4-64-ok MGA4-32-OK | ||
| Source RPM: | python-pillow-2.5.3-4.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2015-01-22 18:58:04 CET
Fedora 20 has 2.2.1 as does Mageia 4, so we can wait to see what they do there for that one.

Whiteboard: (none) => MGA4TOO

I will go to 2.6.2 (it includes the security fix) for Mga5. For mga4, will see if I can backport the patch if needed.

That's hard to backport, there were a lot of changes; moving mga4 to 2.6.2 can be a better option, I think.

That was my impression too when I tried to backport the patch.

- python-pillow-debuginfo-2.6.2-1.1.mga4.x86_64.rpm
- python-pillow-doc-2.6.2-1.1.mga4.noarch.rpm
- python3-pillow-2.6.2-1.1.mga4.x86_64.rpm
- python3-pillow-tk-2.6.2-1.1.mga4.x86_64.rpm
- python3-pillow-sane-2.6.2-1.1.mga4.x86_64.rpm
- python-pillow-tk-2.6.2-1.1.mga4.x86_64.rpm
- python3-pillow-devel-2.6.2-1.1.mga4.x86_64.rpm
- python-pillow-devel-2.6.2-1.1.mga4.x86_64.rpm
- python3-pillow-qt-2.6.2-1.1.mga4.x86_64.rpm
- python3-pillow-doc-2.6.2-1.1.mga4.noarch.rpm
- python-pillow-qt-2.6.2-1.1.mga4.x86_64.rpm
- python-pillow-2.6.2-1.1.mga4.x86_64.rpm
- python-pillow-sane-2.6.2-1.1.mga4.x86_64.rpm

From python-pillow-2.6.2-1.1.mga4.src.rpm

Are in core/updates_testing.

And for Mageia 5 Cauldron after the freeze push (asked on devel list 2015-01-24):

- python-pillow-debuginfo-2.6.2-1.mga5.x86_64.rpm
- python-pillow-doc-2.6.2-1.mga5.noarch.rpm
- python3-pillow-2.6.2-1.mga5.x86_64.rpm
- python3-pillow-tk-2.6.2-1.mga5.x86_64.rpm
- python3-pillow-sane-2.6.2-1.mga5.x86_64.rpm
- python-pillow-tk-2.6.2-1.mga5.x86_64.rpm
- python3-pillow-devel-2.6.2-1.mga5.x86_64.rpm
- python-pillow-devel-2.6.2-1.mga5.x86_64.rpm
- python3-pillow-qt-2.6.2-1.mga5.x86_64.rpm
- python3-pillow-doc-2.6.2-1.mga5.noarch.rpm
- python-pillow-qt-2.6.2-1.mga5.x86_64.rpm
- python-pillow-2.6.2-1.mga5.x86_64.rpm
- python-pillow-sane-2.6.2-1.mga5.x86_64.rpm

From python-pillow-2.6.2-1.mga5.src.rpm

Assignee: makowski.mageia => qa-bugs

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13075#c1

Advisory:
========================

Updated python-pillow packages fix security vulnerability:

Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed (CVE-2014-9601).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html

Version: Cauldron => 4
David Walser
2015-01-25 19:08:06 CET
Whiteboard: (none) => has_procedure

David, I know that cve mitre says "Pillow before 2.7.0" but in fact the fix is also in 2.6.2, and we provide 2.6.2, cf https://github.com/python-pillow/Pillow/blob/master/CHANGES.rst so maybe the advisory should say:

Advisory:
========================

Updated python-pillow packages fix security vulnerability:

Pillow before 2.7.0 and 2.6.2 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed (CVE-2014-9601).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html

CC: (none) => makowski.mageia

No, the fix isn't in 2.6.2, Fedora backported a patch to 2.6.2 to fix the issue. Hopefully we have the same patch...

Ahh, my mistake. Fedora has 2.6.1. Version 2.6.2 does indeed include the patch.

Advisory:
========================

Updated python-pillow packages fix security vulnerability:

Pillow before 2.7.0 and 2.6.2 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed (CVE-2014-9601).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601
https://github.com/python-pillow/Pillow/blob/master/CHANGES.rst
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html

Just sorting the rpm's to make it more readable:

- python-pillow-2.6.2-1.1.mga4.x86_64.rpm
- python-pillow-doc-2.6.2-1.1.mga4.noarch.rpm
- python-pillow-qt-2.6.2-1.1.mga4.x86_64.rpm
- python-pillow-sane-2.6.2-1.1.mga4.x86_64.rpm
- python-pillow-tk-2.6.2-1.1.mga4.x86_64.rpm
- python3-pillow-2.6.2-1.1.mga4.x86_64.rpm
- python3-pillow-doc-2.6.2-1.1.mga4.noarch.rpm
- python3-pillow-qt-2.6.2-1.1.mga4.x86_64.rpm
- python3-pillow-sane-2.6.2-1.1.mga4.x86_64.rpm
- python3-pillow-tk-2.6.2-1.1.mga4.x86_64.rpm

Testing complete mga4 64

http://pillow.readthedocs.org/en/latest/handbook/tutorial.html

$ cat piltest.py

```python
from __future__ import print_function
from PIL import Image

# Open the test image next to the script and report what Pillow decoded
im = Image.open("test.jpg")
print(im.format, im.size, im.mode)
im.show()
```

```console
$ python piltest.py
JPEG (150, 150) RGB
$ python3 piltest.py
JPEG (150, 150) RGB
```

Both open the image test.jpg found in the same directory.

Whiteboard: has_procedure => has_procedure mga4-64-ok

Testing on Mageia 4x32 real hardware following procedure in Comment 11

From current packages:
---------------------
- python-pillow-2.2.1-0.6.mga4.i586
- python3-pillow-2.2.1-0.6.mga4.i586
...

To updated testing packages:
---------------------------
- python-pillow-2.6.2-1.1.mga4.i586
- python-pillow-doc-2.6.2-1.1.mga4.noarch
- python-pillow-qt-2.6.2-1.1.mga4.i586
- python-pillow-sane-2.6.2-1.1.mga4.i586
- python-pillow-tk-2.6.2-1.1.mga4.i586
- python3-pillow-2.6.2-1.1.mga4.i586
- python3-pillow-doc-2.6.2-1.1.mga4.noarch
- python3-pillow-qt-2.6.2-1.1.mga4.i586
- python3-pillow-sane-2.6.2-1.1.mga4.i586
- python3-pillow-tk-2.6.2-1.1.mga4.i586

Tests performed well each time.

CC: (none) => olchal

Validating. Please push to 4 updates. Thanks

Keywords: (none) => validated_update

Advisory from comment 9 uploaded with mga4 srpm from comment 5

Whiteboard: has_procedure mga4-64-ok MGA4-32-OK => has_procedure advisory mga4-64-ok MGA4-32-OK

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0039.html

Status: NEW => RESOLVED

Mageia 4 got 2.6.2-1.1.mga4 while Cauldron got 2.6.2-1.mga5 which is lower (cf bug #15392).

CC: (none) => pterjan
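The advisory above describes the failure mode of CVE-2014-9601: a zTXt chunk that is tiny on disk but inflates to a huge buffer when the PNG reader decompresses it. The following is an added example, not code from this bug report, from Pillow or from the Mageia packages; it shows the defensive pattern of decompressing text chunks with a hard output cap so that such a chunk is rejected instead of exhausting memory. The two cap values, the chunk builder and the sample PNGs (a benign comment and a 1 MiB run of zeros) are constructed here for the demonstration and are not values taken from Pillow's fix.

```python
"""Bounded decompression of PNG zTXt text chunks (stdlib only).

Added example for CVE-2014-9601: the caps below are this example's own
assumptions, and the PNGs built by build_png() are constructed test input.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_TEXT_CHUNK = 64 * 1024            # assumed cap on one chunk's inflated text
MAX_TEXT_MEMORY = 4 * MAX_TEXT_CHUNK  # assumed cap on inflated text per file


class TextChunkTooLarge(ValueError):
    """Raised when a text chunk would inflate past the configured cap."""


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(text_payloads):
    """Build a minimal 1x1 PNG carrying one zTXt chunk per (keyword, text) pair."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                   # filter byte + one pixel
    chunks = [_chunk(b"IHDR", ihdr)]
    for keyword, text in text_payloads:
        # zTXt layout: keyword, NUL, compression method (0 = zlib), compressed text
        chunks.append(_chunk(b"zTXt", keyword + b"\x00\x00" + zlib.compress(text)))
    chunks.append(_chunk(b"IDAT", idat))
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, verifying the signature and every CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, data
        pos = end
        if ctype == b"IEND":
            break


def inflate_bounded(compressed: bytes, limit: int) -> bytes:
    """Inflate zlib data, stopping as soon as the output would exceed `limit` bytes."""
    d = zlib.decompressobj()
    out = d.decompress(compressed, limit + 1)  # max_length bounds the output buffer
    if len(out) > limit or d.unconsumed_tail:
        raise TextChunkTooLarge("text chunk inflates beyond %d bytes" % limit)
    return out


def read_text_chunks(png: bytes):
    """Return {keyword: text} for zTXt chunks, enforcing per-chunk and per-file caps."""
    texts = {}
    total = 0
    for ctype, data in iter_chunks(png):
        if ctype != b"zTXt":
            continue
        keyword, _, rest = data.partition(b"\x00")
        if not rest or rest[0] != 0:
            raise ValueError("unsupported zTXt compression method")
        text = inflate_bounded(rest[1:], MAX_TEXT_CHUNK)
        total += len(text)
        if total > MAX_TEXT_MEMORY:
            raise TextChunkTooLarge("text chunks inflate beyond %d bytes in total" % MAX_TEXT_MEMORY)
        texts[keyword.decode("latin-1")] = text.decode("latin-1")
    return texts


# Constructed inputs: a benign comment, and a 1 MiB run of zeros that zlib
# shrinks to about a kilobyte, the shape of input the advisory describes.
BENIGN_PNG = build_png([(b"Comment", b"hello from the test suite")])
BOMB_PNG = build_png([(b"Comment", b"\x00" * (1024 * 1024))])


def check(png: bytes) -> str:
    """Classify a PNG as 'ok' or 'rejected' for logging instead of raising."""
    try:
        read_text_chunks(png)
        return "ok"
    except TextChunkTooLarge:
        return "rejected"


if __name__ == "__main__":
    print("benign:", check(BENIGN_PNG), "bomb:", check(BOMB_PNG))
```

The point of `inflate_bounded` is that `zlib.decompressobj().decompress(data, max_length)` never allocates more than `max_length` bytes of output, so the reader learns that the chunk is oversized without ever materialising it; a check on the compressed length alone would not catch this, since the oversized chunk is only about a kilobyte on disk.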