Bug 20070

Summary: python-pillow new security issue CVE-2016-4009
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Philippe Makowski <makowski.mageia>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11
Version: 5Keywords: Triaged
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/710490/
Whiteboard:
Source RPM: python-pillow-2.6.2-2.6.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-01-03 20:54:06 CET 
Gentoo has issued an advisory on December 31:
https://security.gentoo.org/glsa/201612-52

This is the last issue reference in the 3.1.1 release notes:
https://github.com/python-pillow/Pillow/blob/777ef4f523679a9ea0f3573efc224bf821b6abe7/docs/releasenotes/3.1.1.rst

But I failed to include it in the Bug 17671 update.
Comment 1 Marja Van Waes 2017-01-03 21:47:52 CET 
Assigning to the registered maintainer.

Keywords: (none) => Triaged
CC: (none) => marja11
Assignee: bugsquad => makowski.mageia

Comment 2 Philippe Makowski 2017-01-04 12:16:12 CET 
So according to https://security.gentoo.org/glsa/201612-52

it have a CVE
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4009

and it is this upstream patch
https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e

But according to https://security-tracker.debian.org/tracker/CVE-2016-4009
"Upstream confirmed that versions prior 2.7 are not vulnerable."

So I think we can close this bug, (in Cauldron we have 3.4.2 that have this issue fixed)

Status: NEW => RESOLVED
Resolution: (none) => INVALID