Fedora has issued an advisory on January 14: https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html

They backported the upstream patch to 2.6.1 in Fedora 21: http://pkgs.fedoraproject.org/cgit/python-pillow.git/commit/?h=f21&id=7338abe1db1e84a0d71ce3611e0f3b86be83493c

I looked at backporting it to 2.5.3 in Cauldron, but some parts of the rediff look non-trivial, so I'm not sure how to handle this. Maybe we should update it and sync it with Fedora 21.

Mageia 4 is presumably also affected.
Fedora 20 has 2.2.1 as does Mageia 4, so we can wait to see what they do there for that one.
Whiteboard: (none) => MGA4TOO
I will go to 2.6.2 (it includes the security fix) for Mga5. For mga4, I will see if I can backport the patch if needed.
That's hard to backport, there were a lot of changes; moving mga4 to 2.6.2 can be a better option, I think.
That was my impression too when I tried to backport the patch.
python-pillow-debuginfo-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-doc-2.6.2-1.1.mga4.noarch.rpm
python3-pillow-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-tk-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-sane-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-tk-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-devel-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-devel-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-qt-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-doc-2.6.2-1.1.mga4.noarch.rpm
python-pillow-qt-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-sane-2.6.2-1.1.mga4.x86_64.rpm

From python-pillow-2.6.2-1.1.mga4.src.rpm

Are in core/updates_testing.

And for Mageia 5 Cauldron after the freeze push (asked on devel list 2015-01-24):

python-pillow-debuginfo-2.6.2-1.mga5.x86_64.rpm
python-pillow-doc-2.6.2-1.mga5.noarch.rpm
python3-pillow-2.6.2-1.mga5.x86_64.rpm
python3-pillow-tk-2.6.2-1.mga5.x86_64.rpm
python3-pillow-sane-2.6.2-1.mga5.x86_64.rpm
python-pillow-tk-2.6.2-1.mga5.x86_64.rpm
python3-pillow-devel-2.6.2-1.mga5.x86_64.rpm
python-pillow-devel-2.6.2-1.mga5.x86_64.rpm
python3-pillow-qt-2.6.2-1.mga5.x86_64.rpm
python3-pillow-doc-2.6.2-1.mga5.noarch.rpm
python-pillow-qt-2.6.2-1.mga5.x86_64.rpm
python-pillow-2.6.2-1.mga5.x86_64.rpm
python-pillow-sane-2.6.2-1.mga5.x86_64.rpm

From python-pillow-2.6.2-1.mga5.src.rpm
Assignee: makowski.mageia => qa-bugs
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13075#c1

Advisory:
========================

Updated python-pillow packages fix security vulnerability:

Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed (CVE-2014-9601).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
Whiteboard: (none) => has_procedure
David, I know that cve mitre says "Pillow before 2.7.0", but in fact the fix is also in 2.6.2, and we provide 2.6.2, cf https://github.com/python-pillow/Pillow/blob/master/CHANGES.rst, so maybe the advisory should say:

Advisory:
========================

Updated python-pillow packages fix security vulnerability:

Pillow before 2.7.0 and 2.6.2 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed (CVE-2014-9601).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html
CC: (none) => makowski.mageia
No, the fix isn't in 2.6.2, Fedora backported a patch to 2.6.2 to fix the issue. Hopefully we have the same patch...
Ahh, my mistake. Fedora has 2.6.1. Version 2.6.2 does indeed include the patch.

Advisory:
========================

Updated python-pillow packages fix security vulnerability:

Pillow before 2.7.0 and 2.6.2 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed (CVE-2014-9601).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601
https://github.com/python-pillow/Pillow/blob/master/CHANGES.rst
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html
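As an added illustration of the bug class the advisory describes (a zTXt text chunk that is a few KiB on disk but inflates to many MiB), this is example code written for this page, not Pillow's code nor its actual patch: a minimal PNG chunk walker that inflates zTXt under a hard cap, plus a constructor for a sample PNG to exercise it. MAX_TEXT_CHUNK, the helper names and the 1x1 sample image are assumptions for this example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Hard cap on the inflated size of one text chunk (assumed value for this example).
MAX_TEXT_CHUNK = 1024 * 1024


def png_chunks(data):
    """Yield (chunk type, payload) for each chunk of a PNG byte string."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC


def read_ztxt(payload, limit=MAX_TEXT_CHUNK):
    """Inflate a zTXt chunk, refusing to produce more than `limit` bytes."""
    keyword, _, rest = payload.partition(b"\x00")
    if rest[:1] != b"\x00":  # only compression method 0 (deflate) is defined
        raise ValueError("unsupported zTXt compression method")
    inflater = zlib.decompressobj()
    # max_length bounds the output buffer, so a bomb cannot allocate unboundedly.
    text = inflater.decompress(rest[1:], limit + 1)
    if len(text) > limit or inflater.unconsumed_tail:
        raise ValueError("zTXt %r inflates beyond %d bytes" % (keyword, limit))
    return keyword, text


def text_chunks(data, limit=MAX_TEXT_CHUNK):
    """Return {keyword: text} for all zTXt chunks, raising on an oversized one."""
    return dict(read_ztxt(p, limit) for t, p in png_chunks(data) if t == b"zTXt")


def _chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))


def make_png(ztxt_text):
    """Constructed 1x1 grayscale PNG carrying one zTXt chunk with `ztxt_text`."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    ztxt = b"Comment\x00\x00" + zlib.compress(ztxt_text, 9)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"zTXt", ztxt)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
```

A sample built with make_png(b"\x00" * (4 * 1024 * 1024)) is only a few KiB on disk yet is rejected by text_chunks under the default cap, while the same file parses fine when the cap is raised to 4 MiB.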
Just sorting the rpms to make it more readable:

python-pillow-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-doc-2.6.2-1.1.mga4.noarch.rpm
python-pillow-qt-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-sane-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-tk-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-doc-2.6.2-1.1.mga4.noarch.rpm
python3-pillow-qt-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-sane-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-tk-2.6.2-1.1.mga4.x86_64.rpm
Testing complete mga4 64

http://pillow.readthedocs.org/en/latest/handbook/tutorial.html

$ cat piltest.py
from __future__ import print_function
from PIL import Image
im = Image.open("test.jpg")
print(im.format, im.size, im.mode)
im.show()

$ python piltest.py
JPEG (150, 150) RGB
$ python3 piltest.py
JPEG (150, 150) RGB

Both open the image test.jpg found in the same directory.
Whiteboard: has_procedure => has_procedure mga4-64-ok
Testing on Mageia 4 x32 real hardware following procedure in Comment 11

From current packages:
---------------------
- python-pillow-2.2.1-0.6.mga4.i586
- python3-pillow-2.2.1-0.6.mga4.i586
...

To updated testing packages:
---------------------------
- python-pillow-2.6.2-1.1.mga4.i586
- python-pillow-doc-2.6.2-1.1.mga4.noarch
- python-pillow-qt-2.6.2-1.1.mga4.i586
- python-pillow-sane-2.6.2-1.1.mga4.i586
- python-pillow-tk-2.6.2-1.1.mga4.i586
- python3-pillow-2.6.2-1.1.mga4.i586
- python3-pillow-doc-2.6.2-1.1.mga4.noarch
- python3-pillow-qt-2.6.2-1.1.mga4.i586
- python3-pillow-sane-2.6.2-1.1.mga4.i586
- python3-pillow-tk-2.6.2-1.1.mga4.i586

Tests performed well each time.
CC: (none) => olchal
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok MGA4-32-OK
Validating. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory from comment 9 uploaded with mga4 srpm from comment 5
Whiteboard: has_procedure mga4-64-ok MGA4-32-OK => has_procedure advisory mga4-64-ok MGA4-32-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0039.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Mageia 4 got 2.6.2-1.1.mga4 while Cauldron got 2.6.2-1.mga5 which is lower (cf bug #15392).
CC: (none) => pterjan