Bug 17671

Summary: python-pillow new buffer overflow security issue (CVE-2016-0740, CVE-2016-0775, CVE-2016-2533)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: dan, davidwhodgins, makowski.mageia, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/675049/
Whiteboard: has_procedure MGA5-32-OK advisory
Source RPM: python-pillow-2.6.2-2.3.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-02-03 15:52:42 CET
A CVE has been requested for a buffer overflow in python-pillow:
http://openwall.com/lists/oss-security/2016/02/02/5

The libImaging/PcdDecode.c part of the patch applies cleanly in both the Mageia 5 and Cauldron versions of python-pillow.

Including the test case would require using git to apply the patch.

Comment 1 Philippe Makowski 2016-02-04 22:29:45 CET
done in python-pillow-3.1.0-2.mga6 and python-pillow-2.6.2-2.4.mga5, advisory to come
Comment 2 David Walser 2016-02-05 17:10:21 CET
No response to the CVE request yet.

Updated packages:
python-pillow-2.6.2-2.4.mga5
python-pillow-devel-2.6.2-2.4.mga5
python-pillow-doc-2.6.2-2.4.mga5
python-pillow-sane-2.6.2-2.4.mga5
python-pillow-tk-2.6.2-2.4.mga5
python-pillow-qt-2.6.2-2.4.mga5
python3-pillow-2.6.2-2.4.mga5
python3-pillow-devel-2.6.2-2.4.mga5
python3-pillow-doc-2.6.2-2.4.mga5
python3-pillow-sane-2.6.2-2.4.mga5
python3-pillow-tk-2.6.2-2.4.mga5
python3-pillow-qt-2.6.2-2.4.mga5

from python-pillow-2.6.2-2.4.mga5.src.rpm
Comment 3 Dan Fandrich 2016-02-06 10:49:27 CET
FWIW, there were fixes for CVE-2016-0740 and CVE-2016-0775 and another buffer overflow included in the pillow-3.1.1 release, too. https://github.com/python-pillow/Pillow/commit/777ef4f523679a9ea0f3573efc224bf821b6abe7  All the 3.1.1 changes listed were security fixes, so it's probably worth just upgrading to that version in cauldron.

CC: (none) => dan

Comment 4 David Walser 2016-02-10 21:11:25 CET
Thanks Dan!

Fedora has issued an advisory for this on February 9:
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176983.html

URL: (none) => http://lwn.net/Vulnerabilities/675049/

Comment 5 David Walser 2016-02-15 18:20:29 CET
Additional security patches added.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13075#c1

Advisory:
========================

Updated python-pillow packages fix security vulnerabilities:

A buffer overflow in TiffDecode.c causing an arbitrary amount of memory to be
overwritten when opening a specially crafted invalid TIFF file (CVE-2016-0740).

A buffer overflow in FliDecode.c causing a segfault when opening FLI files
(CVE-2016-0775).

A buffer overflow in PcdDecode.c causing a segfault when opening PhotoCD files. 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0775
http://openwall.com/lists/oss-security/2016/02/02/5
https://github.com/python-pillow/Pillow/blob/777ef4f523679a9ea0f3573efc224bf821b6abe7/docs/releasenotes/3.1.1.rst
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176983.html
========================

Updated packages in core/updates_testing:
========================
python-pillow-2.6.2-2.5.mga5
python-pillow-devel-2.6.2-2.5.mga5
python-pillow-doc-2.6.2-2.5.mga5
python-pillow-sane-2.6.2-2.5.mga5
python-pillow-tk-2.6.2-2.5.mga5
python-pillow-qt-2.6.2-2.5.mga5
python3-pillow-2.6.2-2.5.mga5
python3-pillow-devel-2.6.2-2.5.mga5
python3-pillow-doc-2.6.2-2.5.mga5
python3-pillow-sane-2.6.2-2.5.mga5
python3-pillow-tk-2.6.2-2.5.mga5
python3-pillow-qt-2.6.2-2.5.mga5

from python-pillow-2.6.2-2.5.mga5.src.rpm

Whiteboard: (none) => has_procedure

Comment 6 David Walser 2016-02-15 18:22:35 CET
Advisory, packages, testing procedure in Comment 5.

CC: (none) => makowski.mageia
Assignee: makowski.mageia => qa-bugs

Comment 7 Dan Fandrich 2016-02-15 22:50:21 CET
I've confirmed that python-pillow-2.6.2-2.5.mga5 on x86 no longer segfaults with a PhotoCD file and still loads & resizes JPEG images.
Comment 8 David Walser 2016-02-15 22:56:10 CET
Thanks again Dan.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Dave Hodgins 2016-02-17 17:43:13 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2016-02-17 20:21:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0066.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2016-02-22 14:39:48 CET
Updated advisory with CVE for the original issue.  Please update in SVN.

Advisory:
========================

Updated python-pillow packages fix security vulnerabilities:

A buffer overflow in TiffDecode.c causing an arbitrary amount of memory to be
overwritten when opening a specially crafted invalid TIFF file (CVE-2016-0740).

A buffer overflow in FliDecode.c causing a segfault when opening FLI files
(CVE-2016-0775).

A buffer overflow in PcdDecode.c causing a segfault when opening PhotoCD files
(CVE-2016-2533).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2533
http://openwall.com/lists/oss-security/2016/02/22/2
https://github.com/python-pillow/Pillow/blob/777ef4f523679a9ea0f3573efc224bf821b6abe7/docs/releasenotes/3.1.1.rst
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176983.html

Summary: python-pillow new buffer overflow security issue => python-pillow new buffer overflow security issue (CVE-2016-0740, CVE-2016-0775, CVE-2016-2533)

Comment 11 David Walser 2016-02-29 23:12:09 CET
LWN reference for CVE-2016-2533:
http://lwn.net/Vulnerabilities/677959/