Bug 25968

Assigning globally; CC'ing Shlomi & DavidG as recent committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, shlomif

Debian-LTS has issued an advisory on January 6:
https://www.debian.org/lts/security/2020/dla-2057

These new issues are fixed upstream in 6.2.2.

Summary: python-pillow new security issue CVE-2019-16865 => python-pillow new security issues CVE-2019-16865, CVE-2019-19911, CVE-2020-5312, CVE-2020-5313
Status comment: Fixed upstream in 6.2.0 => Fixed upstream in 6.2.2

python-pillow-6.2.2-1.mga8 uploaded for Cauldron by Shlomi.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Fedora has issued an advisory on January 31:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A/

It lists a couple more CVEs, also fixed in 6.2.2.

Summary: python-pillow new security issues CVE-2019-16865, CVE-2019-19911, CVE-2020-5312, CVE-2020-5313 => python-pillow new security issues CVE-2019-16865, CVE-2019-19911, CVE-2020-531[0-3]

Ubuntu has issued an advisory for this on February 6:
https://usn.ubuntu.com/4272-1/

Done for mga7!

Advisory:
========================

Updated python-pillow packages fix security vulnerabilities:

It was discovered that Pillow incorrectly handled certain images. An attacker
could possibly use this issue to cause a denial of service (CVE-2019-16865, CVE-2019-19911).

It was discovered that Pillow incorrectly handled certain TIFF images. An
attacker could possibly use this issue to cause a crash (CVE-2020-5310).

It was discovered that Pillow incorrectly handled certain SGI images. An
attacker could possibly use this issue to execute arbitrary code or cause a
crash (CVE-2020-5311).

It was discovered that Pillow incorrectly handled certain PCX images. An
attacker could possibly use this issue to execute arbitrary code or cause a
crash (CVE-2020-5312).

It was discovered that Pillow incorrectly handled certain Flip images. An
attacker could possibly use this issue to execute arbitrary code or cause a
crash (CVE-2020-5313).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5310
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5311
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5312
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5313
https://usn.ubuntu.com/4272-1/
========================

Updated packages in core/updates_testing:
========================
python2-pillow-5.4.1-1.1.mga7
python2-pillow-devel-5.4.1-1.1.mga7
python2-pillow-doc-5.4.1-1.1.mga7
python2-pillow-tk-5.4.1-1.1.mga7
python2-pillow-qt-5.4.1-1.1.mga7
python3-pillow-5.4.1-1.1.mga7
python3-pillow-devel-5.4.1-1.1.mga7
python3-pillow-doc-5.4.1-1.1.mga7
python3-pillow-tk-5.4.1-1.1.mga7
python3-pillow-qt-5.4.1-1.1.mga7

from python-pillow-5.4.1-1.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs

Mageia7, x86_64

No PoCs can be found starting with the CVEs.

Updated all packages and ran some of the examples from the documentation, viewed in a browser:
$ firefox file:///usr/share/doc/python2-pillow-doc/html/reference/index.html

$ python
Python 2.7.17 (default, Nov  1 2019, 09:28:08) 
>>> from PIL import Image
>>> im = Image.open( "bookstudy.jpg" )
>>> im.rotate( 45 ).show( )
>>> exit( )
The image was displayed by ImageMagick with an anticlockwise rotation but the window title implied that the output had been treated as a PNG image.

thumbnail.py =
----------------------------
from PIL import Image
import glob, os

size = 128, 128

for infile in glob.glob( "*.jpg" ):
    file, ext = os.path.splitext( infile )
    im = Image.open( infile )
    im.thumbnail( size )
    im.save( file + ".thumbnail", "JPEG" )
----------------------------
Running this in an image test directory generated JPEG thumbnails of the 70 .jpg files.
e.g.
$ identify LochLubnaig_10.thumbnail
LochLubnaig_10.thumbnail JPEG 128x96 128x96+0+0 8-bit sRGB 3097B 0.000u 0:00.000

>>> from PIL import Image
>>> import numpy as np
>>> im = Image.open( "GlenShiel.tif" )
>>> a = np.asarray( im )
>>> im = Image.fromarray( a )
>>> im.show( )
>>> exit( )

IM showed the rebuilt image OK.

$ cat rgb.py
from PIL import Image

rgb2xyz = (
    0.412453, 0.357580, 0.180423, 0,
    0.212671, 0.715160, 0.072169, 0,
    0.019334, 0.119193, 0.950227, 0 )
im = Image.open( "GlenShiel.tif" )
out = im.convert( "RGB", rgb2xyz )    
out.show( )

This supposedly converts an image from the RGB colour space to "CIE XYZ".  Not entirely sure about the procedure but in the out image there is a notable shift to the blue so something has changed.

Show various image attributes:
>>> from PIL import Image
>>> im = Image.open( "AnnaPopplewell_4.jpg" )
>>> im.show( )
>>> info = im.info
>>> print( info )
{'jfif_version': (1, 1), 'jfif': 257, 'jfif_unit': 1, 'jfif_density': (1, 1), 'dpi': (1, 1)}
>>> print( im.palette )
None
>>> print( im.width, im.height )
(1440, 1080)

That all looks fine.
Halted there and ran the same tests for python3 with an occasional variation.
No problems.

python-pillow is required by a large number of applications including calibre, kodi, kraft, qgis and task astronomy.  calibre certainly uses python but I did not know what to look for in the trace.  For kodi and celestia there was no sign of python, let alone python-pillow.  Anyway, the simple interactive tests show that the basic features are working.  Giving this the OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 7.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0088.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED