| Summary: | python-pillow new security issues CVE-2021-2528[7-9], CVE-2021-2529[0-3], CVE-2021-2792[1-3], CVE-2021-2867[5-8], CVE-2021-34552 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, makowski.mageia, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | python-pillow-8.1.2-1.mga9.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 28137 | ||
| Attachments: | PIL image conversion (attachment 12885); Convert images to PNG format. (attachment 12886) | ||
Description
David Walser
2021-05-29 00:36:38 CEST

David Walser
2021-05-29 00:36:57 CEST
Whiteboard: (none) => MGA8TOO, MGA7TOO

Fedora has issued an advisory for some of these issues on March 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/

Assigning to the Python people; CC'ing Philippe (registered maintainer).
CC: (none) => makowski.mageia

Fedora has issued an advisory for more of these issues today (May 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3LXQLR356JK5OP4XVQ7R6K53WQUYMVAN/

Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Debian-LTS has issued an advisory on July 22:
https://www.debian.org/lts/security/2021/dla-2716

The newest CVE is fixed upstream in 8.3.0:
https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow
Status comment: Fixed upstream in 8.2.0 => Fixed upstream in 8.3.0

CVE-2021-2529[0-3] is already fixed in pillow 8.1.1
CC:
(none) => mageia

CVE-2021-2792[1-3] is fixed in 8.1.2

Fixed in mga8/9:
src:
- python-pillow-8.1.2-1.mga8

CVE Fixed in the update:
CVE-2021-25287, CVE-2021-25288, CVE-2021-28675, CVE-2021-28676, CVE-2021-28677, CVE-2021-28678, CVE-2021-34552
Status comment: Fixed upstream in 8.3.0 => (none)

python3-pillow-tk-8.1.2-1.mga8
python3-pillow-devel-8.1.2-1.mga8
python3-pillow-8.1.2-1.mga8
python3-pillow-qt-8.1.2-1.mga8
python3-pillow-doc-8.1.2-1.mga8
from python-pillow-8.1.2-1.mga8.src.rpm

Fedora advisory for CVE-2021-34552 (from today, August 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OVZ5XXNB4NVJY7STDRPWCTFK7LCEA7JR/

Created attachment 12885 [details]
PIL image conversion

Make script executable first then:
    $ ./convertx file1.png file2.tif file3.pcx .....
Generates JPEG output files.
CC: (none) => tarazed25

Created attachment 12886 [details]
Convert images to PNG format.
    $ ./convertz file1.jpg file2.tif ....
MGA8-64 Plasma on Lenovo B50
No installation issues
Ref bug 26919 Comment 8 for tests

    $ python3 /home/tester8/Documenten/thumbnail.py
creates thumbnail for all jpeg files in the working directory: OK

    $ python3
    Python 3.8.11 (default, Jul 25 2021, 20:38:23)
    [GCC 10.3.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> from PIL import Image
    >>> im = Image.open("0004.jpg")
    >>> im.rotate(45).show()
shows rotated image
    >>> exit()

All looks OK for me and Len seems happy too.
Whiteboard: (none) => MGA8-64-OK

Thanks Herman, but I had not started testing. This is the afternoon's work.

mga8, x64

Tried out the scripts attached before updating - resulted in new image files which were displayed on the fly. Updated the five packages. The test scripts worked fine. So did these:

    $ python
    Python 3.8.11 (default, Jul 25 2021, 20:38:23)
    [GCC 10.3.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> from PIL import Image
    >>> im = Image.open("bookstudy.jpg")
    >>> im.rotate(45).show()
    >>> exit()

    $ python
    >>> from PIL import Image
    >>> import glob, os
    >>>
    >>> size = 128, 128
    >>>
    >>> for infile in glob.glob("*.jpg"):
    ...     file, ext = os.path.splitext(infile)
    ...     im = Image.open(infile)
    ...     im.thumbnail(size)
    ...     im.save(file + ".thumbnail", "JPEG")
    ...
    >>> exit()
    lcl@canopus:python-pillow $ ls *.thumbnail
    bookstudy.thumbnail  ikapati.thumbnail      kappaCrucis.thumbnail
    fox.thumbnail        JessicaAlba.thumbnail  kappaCru.thumbnail
    hello2.thumbnail     jessica.thumbnail

The output thumbnails displayed fine with ImageMagick or eom and the 'next' function.

    $ python
    >>> from PIL import Image
    >>> import numpy as np
    >>> im = Image.open("glenshiel.tiff")
    >>> a = np.asarray(im)
    >>> im = Image.fromarray(a)
    >>> im.show()
    >>> exit()

That converted the input image to an array of data which was reassembled as a PNG image and displayed correctly.

From bug 25968

    $ cat rgb.py
    from PIL import Image

    rgb2xyz = (
        0.412453, 0.357580, 0.180423, 0,
        0.212671, 0.715160, 0.072169, 0,
        0.019334, 0.119193, 0.950227, 0)

    im = Image.open("glenshiel.tiff")
    out = im.convert("RGB", rgb2xyz)
    out.show()

    $ python rgb.py
The displayed PNG image looked fine.

    $ python
    >>> from PIL import Image
    >>> im = Image.open("kappaCrucis.jpg")
    >>> im.show()
    >>> print(im.info)
    {'jfif': 257, 'jfif_version': (1, 1), 'jfif_unit': 0, 'jfif_density': (1, 1)}
    >>> print(im.palette)
    None
    >>> print(im.width, im.height)
    2552 1702
    >>> exit()

Philippe's test for j2k images:

    $ wget https://github.com/python-pillow/Pillow/blob/master/Tests/images/rgb_trns_ycbc.j2k?raw=true
    $ python
    >>> import os, sys
    >>> from PIL import Image
    >>> infile = "rgb_trns_ycbc.j2k"
    >>> outfile = "rgb_trns_ycbc.png"
    >>> Image.open(infile).save(outfile)
    >>> exit()

The output PNG image looks fine.

Good enough, although python3dist(pillow) is listed by urpmq --requires for calibre. It might be difficult to trace that though so this gets the OK on the basis of the interactive tests.

    $ urpmq --whatrequires python3-pillow | sort -u | wc -l
counts 48 applications, or 22 excluding python3.

Validating.
Keywords: (none) => validated_update
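A repeatable form of the interactive checks in the QA comments above, added here as an example; it is not code from the bug report, from the attached scripts, or from Pillow. It replays the same calls the testers ran by hand (rotate, thumbnail, JPEG and PNG save/reload, the rgb.py matrix convert, and the NumPy round-trip when NumPy is present) on an image constructed in memory, so it needs none of the testers' JPEG/TIFF files and can run in a clean VM. The function names (`parse_version`, `version_at_least`, `exercise_pillow`), the image size and colour, and the result dictionary keys are this example's own choices. The version numbers come from the thread: CVE-2021-34552 is fixed upstream in 8.3.0, while the Mageia update ships 8.1.2-1.mga8 with the listed CVEs patched. That is the caveat the version check carries: a distribution backport does not change `PIL.__version__`, so for a packaged Pillow the behavioural checks, not the version string, are what validate the update.

```python
"""Non-interactive validation of a python-pillow update.

Added example for this bug report; not code from the report or from Pillow.
It replays the tests the QA comments ran by hand (rotate, thumbnail,
JPEG/PNG round-trip, matrix convert, NumPy round-trip) on a constructed
in-memory image, so no sample files are needed.
"""
import io

# Versions quoted in the bug report: the newest CVE (CVE-2021-34552) is fixed
# upstream in 8.3.0; the Mageia update ships 8.1.2 with the fixes backported.
UPSTREAM_FIXED = "8.3.0"
MAGEIA_UPDATE = "8.1.2"

# Matrix from the rgb.py test in the report (12-tuple form accepted by convert()).
RGB2XYZ = (
    0.412453, 0.357580, 0.180423, 0,
    0.212671, 0.715160, 0.072169, 0,
    0.019334, 0.119193, 0.950227, 0,
)


def parse_version(text):
    """Leading numeric components of a version string, as a tuple.

    '8.3.0' -> (8, 3, 0); '9.5.0.post1' -> (9, 5, 0) (non-numeric tail dropped).
    """
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_at_least(installed, required):
    """True when installed >= required, compared numerically (so 10.0.0 > 8.3.0).

    Only meaningful for upstream builds: a distribution backport such as the
    8.1.2-1.mga8 update in this report keeps the old version string.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def exercise_pillow(width=256, height=192, colour=(200, 30, 30)):
    """Run the report's manual checks on a constructed image; return the results.

    Any Pillow failure raises, which is exactly what a QA run needs to see.
    Defaults (256x192, one flat colour) are this example's constructed input.
    """
    # Imported here so the version helpers above work even without Pillow.
    from PIL import Image, __version__ as pil_version

    results = {"version": pil_version}
    im = Image.new("RGB", (width, height), colour)  # constructed input, no file

    # rotate(): default expand=False keeps the canvas size.
    results["rotate"] = im.rotate(45).size

    # thumbnail() works in place and keeps the aspect ratio inside the box.
    thumb = im.copy()
    thumb.thumbnail((128, 128))
    results["thumbnail"] = thumb.size

    # JPEG round-trip of the thumbnail, as the thread's glob loop did, via a buffer.
    buf = io.BytesIO()
    thumb.save(buf, "JPEG")
    buf.seek(0)
    with Image.open(buf) as back:
        back.load()
        results["jpeg_roundtrip"] = (back.format, back.mode, back.size)

    # PNG is lossless, so a pixel must come back exactly.
    buf = io.BytesIO()
    im.save(buf, "PNG")
    buf.seek(0)
    with Image.open(buf) as back:
        results["png_pixel"] = back.getpixel((0, 0))

    # Matrix conversion, as in the report's rgb.py test.
    converted = im.convert("RGB", RGB2XYZ)
    results["matrix_convert"] = (converted.mode, converted.size)

    # NumPy round-trip only when NumPy is installed (the tester had it).
    try:
        import numpy as np
    except ImportError:
        results["numpy_roundtrip"] = None
    else:
        results["numpy_roundtrip"] = Image.fromarray(np.asarray(im)).getpixel((0, 0))

    return results


if __name__ == "__main__":
    r = exercise_pillow()
    print("Pillow %s, upstream >= %s: %s"
          % (r["version"], UPSTREAM_FIXED, version_at_least(r["version"], UPSTREAM_FIXED)))
    for key, value in r.items():
        print("  %-16s %r" % (key, value))
```

Run it before and after installing the five packages; a decoder regression shows up as an exception from `exercise_pillow()` rather than as a window that has to be eyeballed, and the script can be handed to the next tester unchanged.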
Thomas Backlund
2021-08-06 10:37:50 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0389.html
Resolution: (none) => FIXED