Bug 18186

Summary:	python-pillow new security issue CVE-2016-3076
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	herman.viaene, sysadmin-bugs, tarazed25
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/683316/
Whiteboard:	has_procedure advisory MGA5-32-OK MGA5-64-OK
Source RPM:	python-pillow-2.6.2-2.5.mga5.src.rpm	CVE:
Status comment:
Attachments:	Some simple scripts

Description David Walser 2016-04-11 19:21:12 CEST

Fedora has issued an advisory on April 10:
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181943.html

They backported a fix from upstream in this commit:
http://pkgs.fedoraproject.org/cgit/rpms/python-pillow.git/commit/?h=f22&id=f5fa4f5bc0a6e3cf38c3ca348f0d10f059c1eea8

Comment 1 Philippe Makowski 2016-04-12 11:02:43 CEST

This update fixes an integer overflow in Jpeg2KEncode.c causing a buffer
overflow (CVE-2016-3076).

Refs :
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3076
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181943.html

Packages in 5/core/updates_testing :

python-pillow-2.6.2-2.5.mga5
python-pillow-devel-2.6.2-2.5.mga5
python-pillow-doc-2.6.2-2.5.mga5.noarch
python-pillow-sane-2.6.2-2.5.mga5
python-pillow-tk-2.6.2-2.5.mga5
python-pillow-qt-2.6.2-2.5.mga5
python3-pillow-2.6.2-2.5.mga5
python3-pillow-devel-2.6.2-2.5.mga5
python3-pillow-doc-2.6.2-2.5.mga5.noarch
python3-pillow-sane-2.6.2-2.5.mga5
python3-pillow-tk-2.6.2-2.5.mga5
python3-pillow-qt-2.6.2-2.5.mga5

From :

python-pillow-2.6.2-2.5.mga5.src

Assignee: makowski.mageia => security

Rémi Verschelde 2016-04-12 11:57:04 CEST

Assignee: security => qa-bugs

Comment 2 Herman Viaene 2016-04-12 15:23:04 CEST

MGA5-32 on Acer D620 Xfce
No istallation issues.
Followed procedure as per bug 13075 Comment 1
at the CLI:
$ python ~/Documenten/piltest.py
JPEG (3264, 2448) RGB

and image is displayed OK

CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 3 Len Lawrence 2016-04-13 16:52:02 CEST

x86_64  Mate

Assembled a few scripts based on the tutorial referenced by bug 13075 c#1.
Tested these out before the update then ran them again afterwards.
Tested image conversion  and display, identification and generating thumbnails.
All OK.
For convenience have attached the simple scripts as a tar file which expands into the ./pillow directory.  They can be run with e.g. ./convert or 
./thumbnail3 for python3.

CC: (none) => tarazed25

Len Lawrence 2016-04-13 17:09:10 CEST

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 4 Len Lawrence 2016-04-13 17:10:42 CEST

Created attachment 7663 [details]
Some simple scripts

Len Lawrence 2016-04-13 17:11:10 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 claire robinson 2016-04-13 18:48:05 CEST

Advisory from comment 1 uploaded.

Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK

Comment 6 Mageia Robot 2016-04-13 19:40:11 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0141.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED