Bug 18186 - python-pillow new security issue CVE-2016-3076
Summary: python-pillow new security issue CVE-2016-3076
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/683316/
Whiteboard: has_procedure advisory MGA5-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-04-11 19:21 CEST by David Walser
Modified: 2016-04-13 19:40 CEST

See Also:
Source RPM: python-pillow-2.6.2-2.5.mga5.src.rpm
CVE:
Status comment:


Attachments
Some simple scripts (10.00 KB, application/octet-stream)
2016-04-13 17:10 CEST, Len Lawrence

Comment 1 Philippe Makowski 2016-04-12 11:02:43 CEST
This update fixes an integer overflow in Jpeg2KEncode.c causing a buffer
overflow (CVE-2016-3076).

Refs :
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3076
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181943.html

Packages in 5/core/updates_testing :

python-pillow-2.6.2-2.5.mga5
python-pillow-devel-2.6.2-2.5.mga5
python-pillow-doc-2.6.2-2.5.mga5.noarch
python-pillow-sane-2.6.2-2.5.mga5
python-pillow-tk-2.6.2-2.5.mga5
python-pillow-qt-2.6.2-2.5.mga5
python3-pillow-2.6.2-2.5.mga5
python3-pillow-devel-2.6.2-2.5.mga5
python3-pillow-doc-2.6.2-2.5.mga5.noarch
python3-pillow-sane-2.6.2-2.5.mga5
python3-pillow-tk-2.6.2-2.5.mga5
python3-pillow-qt-2.6.2-2.5.mga5

From :

python-pillow-2.6.2-2.5.mga5.src

Assignee: makowski.mageia => security

Rémi Verschelde 2016-04-12 11:57:04 CEST

Assignee: security => qa-bugs

Comment 2 Herman Viaene 2016-04-12 15:23:04 CEST
MGA5-32 on Acer D620 Xfce
No installation issues.
Followed procedure as per bug 13075 Comment 1
at the CLI:
$ python ~/Documenten/piltest.py
JPEG (3264, 2448) RGB

and image is displayed OK

CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 3 Len Lawrence 2016-04-13 16:52:02 CEST
x86_64  Mate

Assembled a few scripts based on the tutorial referenced by bug 13075 c#1.
Tested these out before the update then ran them again afterwards.
Tested image conversion and display, identification and generating thumbnails.
All OK.
For convenience have attached the simple scripts as a tar file which expands into the ./pillow directory.  They can be run with e.g. ./convert or 
./thumbnail3 for python3.

CC: (none) => tarazed25

Len Lawrence 2016-04-13 17:09:10 CEST

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 4 Len Lawrence 2016-04-13 17:10:42 CEST
Created attachment 7663
Some simple scripts
Len Lawrence 2016-04-13 17:11:10 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 claire robinson 2016-04-13 18:48:05 CEST
Advisory from comment 1 uploaded.

Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK

Comment 6 Mageia Robot 2016-04-13 19:40:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0141.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

