Bug 15115 - python-pillow new security issue CVE-2014-9601
Summary: python-pillow new security issue CVE-2014-9601
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/630331/
Whiteboard: has_procedure advisory mga4-64-ok MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-01-22 18:58 CET by David Walser
Modified: 2015-03-02 01:12 CET (History)

See Also:
Source RPM: python-pillow-2.5.3-4.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-01-22 18:58:04 CET
Fedora has issued an advisory on January 14:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html

They backported the upstream patch to 2.6.1 in Fedora 21:
http://pkgs.fedoraproject.org/cgit/python-pillow.git/commit/?h=f21&id=7338abe1db1e84a0d71ce3611e0f3b86be83493c

I looked at backporting it to 2.5.3 in Cauldron, but some parts of the rediff look non-trivial, so I'm not sure how to handle this.  Maybe we should update it and sync it with Fedora 21.

Mageia 4 is presumably also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-01-22 18:59:10 CET
Fedora 20 has 2.2.1 as does Mageia 4, so we can wait to see what they do there for that one.

Whiteboard: (none) => MGA4TOO

Comment 2 Philippe Makowski 2015-01-24 18:11:46 CET
I will go to 2.6.2 (it includes the security fix) for Mga5.
For mga4, I will see if I can backport the patch if needed.
Comment 3 Philippe Makowski 2015-01-25 18:02:28 CET
That's hard to backport, there were a lot of changes. Moving mga4 to 2.6.2 can be a better option, I think.
Comment 4 David Walser 2015-01-25 18:22:53 CET
That was my impression too when I tried to backport the patch.
Comment 5 Philippe Makowski 2015-01-25 18:25:52 CET
python-pillow-debuginfo-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-doc-2.6.2-1.1.mga4.noarch.rpm
python3-pillow-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-tk-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-sane-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-tk-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-devel-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-devel-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-qt-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-doc-2.6.2-1.1.mga4.noarch.rpm
python-pillow-qt-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-sane-2.6.2-1.1.mga4.x86_64.rpm

From python-pillow-2.6.2-1.1.mga4.src.rpm

Are in core/updates_testing

And for Mageia 5 Cauldron after the freeze push (asked on devel list 2015-01-24):
python-pillow-debuginfo-2.6.2-1.mga5.x86_64.rpm
python-pillow-doc-2.6.2-1.mga5.noarch.rpm
python3-pillow-2.6.2-1.mga5.x86_64.rpm
python3-pillow-tk-2.6.2-1.mga5.x86_64.rpm
python3-pillow-sane-2.6.2-1.mga5.x86_64.rpm
python-pillow-tk-2.6.2-1.mga5.x86_64.rpm
python3-pillow-devel-2.6.2-1.mga5.x86_64.rpm
python-pillow-devel-2.6.2-1.mga5.x86_64.rpm
python3-pillow-qt-2.6.2-1.mga5.x86_64.rpm
python3-pillow-doc-2.6.2-1.mga5.noarch.rpm
python-pillow-qt-2.6.2-1.mga5.x86_64.rpm
python-pillow-2.6.2-1.mga5.x86_64.rpm
python-pillow-sane-2.6.2-1.mga5.x86_64.rpm

From python-pillow-2.6.2-1.mga5.src.rpm

Assignee: makowski.mageia => qa-bugs

Comment 6 David Walser 2015-01-25 19:07:59 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13075#c1

Advisory:
========================

Updated python-pillow packages fix security vulnerability:

Pillow before 2.7.0 allows remote attackers to cause a denial of service via
a compressed text chunk in a PNG image that has a large size when it is
decompressed (CVE-2014-9601).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

David Walser 2015-01-25 19:08:06 CET

Whiteboard: (none) => has_procedure

Comment 7 Philippe Makowski 2015-01-26 12:10:04 CET
David, I know that CVE MITRE says "Pillow before 2.7.0", but in fact the fix is also in 2.6.2, and we provide 2.6.2,
cf https://github.com/python-pillow/Pillow/blob/master/CHANGES.rst

so maybe the advisory should say:

Advisory:
========================

Updated python-pillow packages fix security vulnerability:

Pillow before 2.7.0 and 2.6.2 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed (CVE-2014-9601).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html

CC: (none) => makowski.mageia

Comment 8 David Walser 2015-01-26 12:20:10 CET
No, the fix isn't in 2.6.2, Fedora backported a patch to 2.6.2 to fix the issue.  Hopefully we have the same patch...
Comment 9 David Walser 2015-01-26 15:39:15 CET
Ahh, my mistake.  Fedora has 2.6.1.  Version 2.6.2 does indeed include the patch.

Advisory:
========================

Updated python-pillow packages fix security vulnerability:

Pillow before 2.7.0 and 2.6.2 allows remote attackers to cause a denial of
service via a compressed text chunk in a PNG image that has a large size when
it is decompressed (CVE-2014-9601).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601
https://github.com/python-pillow/Pillow/blob/master/CHANGES.rst
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html
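The advisory above describes a decompression-bomb style input: a compressed text chunk that is tiny on disk but enormous once inflated. As an added defender-side example (not code from this bug report, from Pillow, or from Fedora's patch), the stand-alone Python checker below walks a PNG's chunks and inflates each zTXt chunk under a hard cap, flagging any chunk that would exceed it instead of inflating it in full; the cap value and the constructed sample images are assumptions.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_TEXT_MEMORY = 64 * 1024  # cap on inflated text bytes; an assumed policy value

def make_chunk(ctype, payload):
    """Frame one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_png(text_chunks):
    """Constructed 1x1 grayscale PNG carrying the given zTXt (keyword, text) pairs."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    chunks = [make_chunk(b"IHDR", ihdr)]
    for keyword, text in text_chunks:
        # zTXt layout: keyword, NUL, compression method (0 = zlib), zlib stream
        chunks.append(make_chunk(b"zTXt", keyword + b"\x00\x00" + zlib.compress(text)))
    chunks += [make_chunk(b"IDAT", zlib.compress(b"\x00\x00")), make_chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks)

def iter_chunks(data):
    """Yield (type, payload) for each chunk, checking the signature and CRCs."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, payload
        pos += 12 + length

def compressed_text_sizes(data, limit=MAX_TEXT_MEMORY):
    """Map each zTXt keyword to its inflated size, or None if it would exceed `limit`."""
    sizes = {}
    for ctype, payload in iter_chunks(data):
        if ctype != b"zTXt":
            continue
        keyword, _, rest = payload.partition(b"\x00")
        # Bounded inflation: never produce more than limit+1 bytes, so a bomb
        # is detected by overflowing the cap rather than by exhausting memory.
        out = zlib.decompressobj().decompress(rest[1:], limit + 1)  # rest[0] = method
        sizes[keyword.decode("latin-1")] = None if len(out) > limit else len(out)
    return sizes

# Constructed samples: a benign comment, and an 8 MiB run of zeros that
# compresses to a few KiB yet would inflate far past the cap if unbounded.
BENIGN_PNG = build_png([(b"Comment", b"hello")])
BOMB_PNG = build_png([(b"Comment", b"hello"), (b"Title", b"\x00" * (8 << 20))])
```

Running `compressed_text_sizes(BOMB_PNG)` reports the `Title` chunk as `None` (over the cap) while the benign `Comment` inflates to its 5 bytes.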
Comment 10 claire robinson 2015-01-27 15:19:46 CET
Just sorting the rpms to make it more readable.

python-pillow-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-doc-2.6.2-1.1.mga4.noarch.rpm
python-pillow-qt-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-sane-2.6.2-1.1.mga4.x86_64.rpm
python-pillow-tk-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-doc-2.6.2-1.1.mga4.noarch.rpm
python3-pillow-qt-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-sane-2.6.2-1.1.mga4.x86_64.rpm
python3-pillow-tk-2.6.2-1.1.mga4.x86_64.rpm
Comment 11 claire robinson 2015-01-27 15:30:43 CET
Testing complete mga4 64

http://pillow.readthedocs.org/en/latest/handbook/tutorial.html

$ cat piltest.py 
from __future__ import print_function
from PIL import Image
im = Image.open("test.jpg")
print(im.format, im.size, im.mode)
im.show()

$ python piltest.py 
JPEG (150, 150) RGB

$ python3 piltest.py 
JPEG (150, 150) RGB

Both open the image test.jpg found in the same directory.

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 12 olivier charles 2015-01-27 16:47:58 CET
Testing on Mageia 4 x32 real hardware following the procedure in Comment 11.

From current packages:
---------------------
- python-pillow-2.2.1-0.6.mga4.i586
- python3-pillow-2.2.1-0.6.mga4.i586
...


To updated testing packages:
---------------------------
- python-pillow-2.6.2-1.1.mga4.i586
- python-pillow-doc-2.6.2-1.1.mga4.noarch
- python-pillow-qt-2.6.2-1.1.mga4.i586
- python-pillow-sane-2.6.2-1.1.mga4.i586
- python-pillow-tk-2.6.2-1.1.mga4.i586
- python3-pillow-2.6.2-1.1.mga4.i586
- python3-pillow-doc-2.6.2-1.1.mga4.noarch
- python3-pillow-qt-2.6.2-1.1.mga4.i586
- python3-pillow-sane-2.6.2-1.1.mga4.i586
- python3-pillow-tk-2.6.2-1.1.mga4.i586

Tests performed well each time.

CC: (none) => olchal
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok MGA4-32-OK

Comment 13 claire robinson 2015-01-27 18:39:19 CET
Validating. Please push to 4 updates.

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 14 claire robinson 2015-01-27 18:43:22 CET
Advisory from comment 9 uploaded with mga4 srpm from comment 5.

Whiteboard: has_procedure mga4-64-ok MGA4-32-OK => has_procedure advisory mga4-64-ok MGA4-32-OK

Comment 15 Mageia Robot 2015-01-27 22:09:01 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0039.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 16 Pascal Terjan 2015-03-02 01:12:16 CET
Mageia 4 got 2.6.2-1.1.mga4 while Cauldron got 2.6.2-1.mga5, which is lower (cf. bug #15392).

CC: (none) => pterjan