Bug 19739 - python-pillow new security issues CVE-2016-9189 and CVE-2016-9190
Summary: python-pillow new security issues CVE-2016-9189 and CVE-2016-9190
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/705913/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-11-08 18:19 CET by David Walser
Modified: 2016-11-17 17:37 CET
CC: 5 users

See Also:
Source RPM: python-pillow-2.6.2-2.5.mga5.src.rpm
CVE:
Status comment:


Attachments
Possible PoC test script for CVE-2016-9189 (864 bytes, text/x-python)
2016-11-13 10:39 CET, Len Lawrence
test case (9.50 KB, application/x-xz)
2016-11-13 15:05 CET, Philippe Makowski
Claire's little python-pillow test script ex Bug 13075 (134 bytes, text/plain)
2016-11-13 20:36 CET, Lewis Smith
3 more little python-pillow test scripts ex Bug 18186 (10.00 KB, application/x-tar)
2016-11-16 10:15 CET, Lewis Smith

Description David Walser 2016-11-08 18:19:13 CET
Debian-LTS has issued an advisory on November 7:
http://lwn.net/Alerts/705898/

The issues are fixed upstream in 3.3.2.
Comment 1 Philippe Makowski 2016-11-11 14:12:50 CET
updated packages python-pillow

python3-pillow-2.6.2-2.6.mga5
python3-pillow-doc-2.6.2-2.6.mga5.noarch
python-pillow-devel-2.6.2-2.6.mga5
python3-pillow-tk-2.6.2-2.6.mga5
python3-pillow-sane-2.6.2-2.6.mga5
python-pillow-doc-2.6.2-2.6.mga5.noarch
python-pillow-qt-2.6.2-2.6.mga5
python3-pillow-devel-2.6.2-2.6.mga5
python-pillow-tk-2.6.2-2.6.mga5
python-pillow-sane-2.6.2-2.6.mga5
python-pillow-2.6.2-2.6.mga5
python3-pillow-qt-2.6.2-2.6.mga5

from python-pillow-2.6.2-2.6.mga5.src


It was discovered that there were a number of memory overflow issues (CVE-2016-9189 and CVE-2016-9190) in
python-pillow, a Python image manipulation library.

ref: 
https://github.com/python-pillow/Pillow/issues/2105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9190

Assignee: makowski.mageia => qa-bugs

Comment 2 Lewis Smith 2016-11-12 16:15:42 CET
M5-64 : I shall have a go at this either later today or tomorrow.

CC: (none) => lewyssmith

Comment 3 Len Lawrence 2016-11-13 10:39:56 CET
Created attachment 8654
Possible PoC test script for CVE-2016-9189

CC: (none) => tarazed25

Comment 4 Len Lawrence 2016-11-13 10:42:35 CET
@lewis
CVE-2016-9189
There is a test script on github which uses a BMP image which can be downloaded from
https://github.com/python-pillow/Pillow/tree/master/Tests/images/l2rgb_read.bmp
by right-clicking the Download link.  There is also a test script on github which I tried to run but which failed because of some missing resource.  It might work with the pre-update packages installed.  You could try it.

$ python test_map.py
Traceback (most recent call last):
  File "test_map.py", line 3, in <module>
    from helper import PillowTestCase, unittest
ImportError: No module named helper


CVE-2016-9190
There is a test image for this but the script is truncated so we probably cannot follow up on it without some expert help on github operations.
Comment 5 Len Lawrence 2016-11-13 10:46:06 CET
The script would need to be edited to point to the correct location for the test image on your system.
Comment 6 Len Lawrence 2016-11-13 12:14:07 CET
Installed the pre-updates and went looking for helper.

https://helper.readthedocs.io/en/latest/

helper 2.4

helper is a command-line/daemon application wrapper package with the aim of creating a
consistent and fast way to creating applications. It is available on the Python Package
Index as helper.helper

https://helper.readthedocs.io/en/latest/py-modindex.html

Python Module Index
  h
    helper
      helper.parser
 
None of this helps me understand how to install the helper module.  We need a python master.
Comment 7 Philippe Makowski 2016-11-13 15:05:46 CET
Created attachment 8656
test case

Here a test case.

but an IOError is also raised with python-pillow-2.6.2-2.5.mga5 and python3-pillow-2.6.2-2.5.mga5,
so for us, it seems that the patch for CVE-2016-9189 wasn't absolutely needed, but it doesn't hurt, it is safer to have the patch.


before update :
$ python3 test_map.py 
ok CVE-2016-9189
nok CVE-2016-9190
$ python test_map.py 
ok CVE-2016-9189
nok CVE-2016-9190


after update :
$ python test_map.py 
ok CVE-2016-9189
ok CVE-2016-9190
$ python3 test_map.py 
ok CVE-2016-9189
ok CVE-2016-9190

CC: (none) => makowski.mageia

Comment 8 Lewis Smith 2016-11-13 20:36:39 CET
Created attachment 8659
Claire's little python-pillow test script ex Bug 13075

From Bug 13075 (Mageia 4). Call the script 'piltest.py'. It requires in the same directory an image file called "test.jpg". It prints its dimensions and displays it with ImageMagick.
To minimise Python errors, best to have:
 python-pillow-tk-2.6.2-2.6.mga5
 python-pillow-qt-2.6.2-2.6.mga5
 python-pillow-2.6.2-2.6.mga5
 python-pillow-sane-2.6.2-2.6.mga5

 python3-pillow-qt-2.6.2-2.6.mga5
 python3-pillow-sane-2.6.2-2.6.mga5
 python3-pillow-2.6.2-2.6.mga5
 python3-pillow-tk-2.6.2-2.6.mga5
Without (which?) one of the extras, Python3 throws an error.

To run: $ python[3] piltest.py
Comment 9 Lewis Smith 2016-11-13 21:04:42 CET
(In reply to Lewis Smith from comment #8)
> To minimise Python errors, best to have:
> etc
The version numbers are unimportant; I should have truncated them.

(In reply to Philippe Makowski from comment #7)
> Created attachment 8656
> test case
Thank you for this script 'test_map.py', which specifically tests the 2 CVEs, and requires the given image "l2rgb_read.bmp" [not viewable] in the same directory. I ended up with two similarly-named scripts from different places; the one that matters here is Philippe's which in my case is 729 bytes; the other is 864, and threw this error:
" Traceback (most recent call last):
  File "test_map1.py", line 3, in <module>
    from helper import PillowTestCase, unittest
ImportError: No module named helper"

Testing Mageia 5 x64

BEFORE update:
 python-pillow-tk-2.6.2-2.5.mga5
 python-pillow-2.6.2-2.5.mga5
 python-pillow-sane-2.6.2-2.5.mga5
 python-pillow-qt-2.6.2-2.5.mga5

 python3-pillow-tk-2.6.2-2.5.mga5
 python3-pillow-2.6.2-2.5.mga5
 python3-pillow-sane-2.6.2-2.5.mga5
 python3-pillow-qt-2.6.2-2.5.mga5

Claire's test:
 $ python piltest.py
 JPEG (966, 538) RGB         [then displays the image with ImageMagick]
 $ python3 piltest.py
 JPEG (966, 538) RGB         [then displays the image with ImageMagick]

Philippe's test:
 $ python test_map.py
ok CVE-2016-9189
Traceback (most recent call last):
  File "test_map.py", line 24, in <module>
    im = Image.core.open_ppm('./negative_size.ppm')
MemoryError
 $ python3 test_map.py
ok CVE-2016-9189
Traceback (most recent call last):
  File "test_map.py", line 24, in <module>
    im = Image.core.open_ppm('./negative_size.ppm')
MemoryError

AFTER update to version 2.6.2-2.6 of all 8 pkgs listed above:
Claire's test:
 $ python[3] piltest.py
Same OK results as before.

Philippe's test:
 $ python test_map.py
ok CVE-2016-9189
ok CVE-2016-9190
 $ python3 test_map.py
ok CVE-2016-9189
ok CVE-2016-9190
which is definite for 9190. This update OK.

Whiteboard: (none) => MGA5-64-OK

Comment 10 Len Lawrence 2016-11-13 21:45:47 CET
Thanks Philippe for your expert help rewriting the PoC script.  Simple when you know how.
@lewis: shall run this on i586 vbox at some stage

Re comment #9
threw this error:
" Traceback (most recent call last):
  File "test_map1.py", line 3, in <module>
    from helper import PillowTestCase, unittest
ImportError: No module named helper"

That is the error I got - luckily Philippe understood that the helper module was not needed - does not exist on our system probably.
Comment 11 Lewis Smith 2016-11-16 10:15:09 CET
Created attachment 8672
3 more little python-pillow test scripts ex Bug 18186

Adding these three (x 2, Python & Python 3) simple 'python-pillow' test scripts for future reference: convert[3], identify[3], thumbnail[3].
Read README, and view the scripts to see or guess what they do. They all take an image filename as a parameter.
Comment 12 Lewis Smith 2016-11-16 10:17:22 CET
(In reply to Len Lawrence from comment #10)
> @lewis: shall run this on i586 vbox at some stage
@Len: Kostiantyn would like to try this update for 32-bit. Can you leave it for him?
Comment 13 Len Lawrence 2016-11-16 11:55:55 CET
@lewis; comment 12: Of course.  Go ahead.
Comment 14 Kostiantyn Kravchuk 2016-11-17 12:42:05 CET
Testing Mageia 5 i586 in vbox

BEFORE update:

$ rpm -qa *pillow* | sort
python3-pillow-2.6.2-2.5.mga5
python3-pillow-devel-2.6.2-2.5.mga5
python3-pillow-doc-2.6.2-2.5.mga5
python3-pillow-qt-2.6.2-2.5.mga5
python3-pillow-sane-2.6.2-2.5.mga5
python3-pillow-tk-2.6.2-2.5.mga5
python-pillow-2.6.2-2.5.mga5
python-pillow-devel-2.6.2-2.5.mga5
python-pillow-doc-2.6.2-2.5.mga5
python-pillow-qt-2.6.2-2.5.mga5
python-pillow-sane-2.6.2-2.5.mga5
python-pillow-tk-2.6.2-2.5.mga5


Philippe's test:

$ python test_map.py
ok CVE-2016-9189
Traceback (most recent call last):
  File "test_map.py", line 24, in <module>
    im = Image.core.open_ppm('./negative_size.ppm')
MemoryError

$ python3 test_map.py
ok CVE-2016-9189
Traceback (most recent call last):
  File "test_map.py", line 24, in <module>
    im = Image.core.open_ppm('./negative_size.ppm')
MemoryError

Claire's test:
$ python piltest.py
JPEG (600, 450) RGB   [displays the image with ImageMagick]
$ python3 piltest.py
JPEG (600, 450) RGB   [displays the image with ImageMagick]


Tests provided by Lewis in attachment 8672, ex Bug 18186:

$ python identify test.jpg
test.jpg JPEG 600x450 RGB
$ python3 identify3 test.jpg
test.jpg JPEG 600x450 RGB

$ python convert flowers.png     [creates file flowers.jpg,
                                   displays two identical but differently sized
                                   images with ImageMagick]
$ python3 convert3 flowers.png   [the same result as above]

$ python thumbnail test.jpg      [creates file test.thumbnail]
$ python3 thumbnail3 test.jpg    [creates file test.thumbnail]


The test provided by Len (attachment 8654) threw an error because it required the submodule helper from the Pillow Tests directory, which probably was stripped from the release version of the package.
(https://github.com/python-pillow/Pillow/tree/master/Tests)


AFTER update:

$ rpm -qa *pillow* | sort
python3-pillow-2.6.2-2.6.mga5
python3-pillow-devel-2.6.2-2.6.mga5
python3-pillow-doc-2.6.2-2.6.mga5
python3-pillow-qt-2.6.2-2.6.mga5
python3-pillow-sane-2.6.2-2.6.mga5
python3-pillow-tk-2.6.2-2.6.mga5
python-pillow-2.6.2-2.6.mga5
python-pillow-devel-2.6.2-2.6.mga5
python-pillow-doc-2.6.2-2.6.mga5
python-pillow-qt-2.6.2-2.6.mga5
python-pillow-sane-2.6.2-2.6.mga5
python-pillow-tk-2.6.2-2.6.mga5

Philippe's test:
$ python test_map.py 
ok CVE-2016-9189
ok CVE-2016-9190
$ python3 test_map.py 
ok CVE-2016-9189
ok CVE-2016-9190

The results of the other tests were OK as before update.

The update is OK.

CC: (none) => c.kravchuk
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 15 Lewis Smith 2016-11-17 16:09:28 CET
@Kostiantyn : a great job, which becomes a reference test procedure for this package.
Validating; Advisory from Comment 1 uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 16 Mageia Robot 2016-11-17 17:37:50 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0383.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

