A CVE has been requested for a buffer overflow in python-pillow:
http://openwall.com/lists/oss-security/2016/02/02/5

The libImaging/PcdDecode.c part of the patch applies cleanly in both the Mageia 5 and Cauldron versions of python-pillow. Including the test case would require using git to apply the patch.
done in python-pillow-3.1.0-2.mga6 and python-pillow-2.6.2-2.4.mga5, advisory to come
No response to the CVE request yet.

Updated packages:
python-pillow-2.6.2-2.4.mga5
python-pillow-devel-2.6.2-2.4.mga5
python-pillow-doc-2.6.2-2.4.mga5
python-pillow-sane-2.6.2-2.4.mga5
python-pillow-tk-2.6.2-2.4.mga5
python-pillow-qt-2.6.2-2.4.mga5
python3-pillow-2.6.2-2.4.mga5
python3-pillow-devel-2.6.2-2.4.mga5
python3-pillow-doc-2.6.2-2.4.mga5
python3-pillow-sane-2.6.2-2.4.mga5
python3-pillow-tk-2.6.2-2.4.mga5
python3-pillow-qt-2.6.2-2.4.mga5

from python-pillow-2.6.2-2.4.mga5.src.rpm
FWIW, there were fixes for CVE-2016-0740 and CVE-2016-0775 and another buffer overflow included in the pillow-3.1.1 release, too. https://github.com/python-pillow/Pillow/commit/777ef4f523679a9ea0f3573efc224bf821b6abe7 All the 3.1.1 changes listed were security fixes, so it's probably worth just upgrading to that version in cauldron.
CC: (none) => dan
Thanks Dan! Fedora has issued an advisory for this on February 9: https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176983.html
URL: (none) => http://lwn.net/Vulnerabilities/675049/
Additional security patches added.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13075#c1

Advisory:
========================

Updated python-pillow packages fix security vulnerabilities:

A buffer overflow in TiffDecode.c causing an arbitrary amount of memory to be overwritten when opening a specially crafted invalid TIFF file (CVE-2016-0740).

A buffer overflow in FliDecode.c causing a segfault when opening FLI files (CVE-2016-0775).

A buffer overflow in PcdDecode.c causing a segfault when opening PhotoCD files.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0775
http://openwall.com/lists/oss-security/2016/02/02/5
https://github.com/python-pillow/Pillow/blob/777ef4f523679a9ea0f3573efc224bf821b6abe7/docs/releasenotes/3.1.1.rst
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176983.html
========================

Updated packages in core/updates_testing:
========================
python-pillow-2.6.2-2.5.mga5
python-pillow-devel-2.6.2-2.5.mga5
python-pillow-doc-2.6.2-2.5.mga5
python-pillow-sane-2.6.2-2.5.mga5
python-pillow-tk-2.6.2-2.5.mga5
python-pillow-qt-2.6.2-2.5.mga5
python3-pillow-2.6.2-2.5.mga5
python3-pillow-devel-2.6.2-2.5.mga5
python3-pillow-doc-2.6.2-2.5.mga5
python3-pillow-sane-2.6.2-2.5.mga5
python3-pillow-tk-2.6.2-2.5.mga5
python3-pillow-qt-2.6.2-2.5.mga5

from python-pillow-2.6.2-2.5.mga5.src.rpm
Whiteboard: (none) => has_procedure
Advisory, packages, testing procedure in Comment 5.
CC: (none) => makowski.mageia
Assignee: makowski.mageia => qa-bugs
I've confirmed that python-pillow-2.6.2-2.5.mga5 on x86 no longer segfaults with a PhotoCD file and still loads & resizes JPEG images.
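The QA check described in the comment above (open a PhotoCD file and confirm the interpreter survives, then confirm a JPEG still loads and resizes) written out as an added Python example. This is not code from the bug report, from Pillow, or from the Mageia QA procedure, and it does not carry the crafted file from the upstream test case; it only shows the harness a tester would wrap around such a file. It assumes Pillow is importable under `PIL`; the PhotoCD sample is constructed in memory and assumes that Pillow's PCD plugin looks for the `PCD_IPI` signature at byte offset 2048 (an assumption about the plugin, not something this bug states).

```python
import io

from PIL import Image


def make_sample_jpeg(size=(64, 48)):
    """Constructed sample input: a small solid-colour RGB JPEG built in memory."""
    buf = io.BytesIO()
    Image.new("RGB", size, (200, 30, 30)).save(buf, format="JPEG")
    return buf.getvalue()


def make_truncated_pcd():
    """Constructed sample input: a PhotoCD container carrying the PCD_IPI
    signature at byte offset 2048 (the offset Pillow's PCD plugin reads; this
    is an assumption) but none of the image sectors that should follow it."""
    blob = bytearray(4096)
    blob[2048:2055] = b"PCD_IPI"
    return bytes(blob)


def probe_image(data):
    """Open and fully decode `data` with Pillow, trapping Python-level errors.

    A decoder that overflows a buffer normally takes the whole interpreter
    down with SIGSEGV, so simply returning from this function is the real
    check. The outcome dict records what format Pillow recognised and which
    exception, if any, the pure-Python layer raised instead of crashing.
    """
    outcome = {"format": None, "size": None, "error": None}
    try:
        with Image.open(io.BytesIO(data)) as im:
            outcome["format"] = im.format
            outcome["size"] = im.size
            im.load()  # forces the C decoder (PcdDecode.c for PCD) to run
    except Exception as exc:
        outcome["error"] = type(exc).__name__
    return outcome


def resize_jpeg(data, new_size):
    """Regression check for the JPEG path: decode, resize, return the new size."""
    with Image.open(io.BytesIO(data)) as im:
        return im.resize(new_size).size


if __name__ == "__main__":
    print("JPEG:", probe_image(make_sample_jpeg()),
          "resized to", resize_jpeg(make_sample_jpeg(), (32, 24)))
    print("PCD :", probe_image(make_truncated_pcd()))
```

To test a real update, replace `make_truncated_pcd()` with the bytes of the crafted PhotoCD file from the upstream test case: a fixed build reports a Python exception (or a decoded image) in `error`, while a vulnerable build never gets that far because the process is killed by the signal.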
Thanks again Dan.
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0066.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Updated advisory with CVE for the original issue. Please update in SVN.

Advisory:
========================

Updated python-pillow packages fix security vulnerabilities:

A buffer overflow in TiffDecode.c causing an arbitrary amount of memory to be overwritten when opening a specially crafted invalid TIFF file (CVE-2016-0740).

A buffer overflow in FliDecode.c causing a segfault when opening FLI files (CVE-2016-0775).

A buffer overflow in PcdDecode.c causing a segfault when opening PhotoCD files (CVE-2016-2533).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2533
http://openwall.com/lists/oss-security/2016/02/22/2
https://github.com/python-pillow/Pillow/blob/777ef4f523679a9ea0f3573efc224bf821b6abe7/docs/releasenotes/3.1.1.rst
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176983.html
Summary: python-pillow new buffer overflow security issue => python-pillow new buffer overflow security issue (CVE-2016-0740, CVE-2016-0775, CVE-2016-2533)
LWN reference for CVE-2016-2533: http://lwn.net/Vulnerabilities/677959/