Debian-LTS has issued an advisory on November 7: http://lwn.net/Alerts/705898/ The issues are fixed upstream in 3.3.2.
updated packages

python-pillow
python3-pillow-2.6.2-2.6.mga5
python3-pillow-doc-2.6.2-2.6.mga5.noarch
python-pillow-devel-2.6.2-2.6.mga5
python3-pillow-tk-2.6.2-2.6.mga5
python3-pillow-sane-2.6.2-2.6.mga5
python-pillow-doc-2.6.2-2.6.mga5.noarch
python-pillow-qt-2.6.2-2.6.mga5
python3-pillow-devel-2.6.2-2.6.mga5
python-pillow-tk-2.6.2-2.6.mga5
python-pillow-sane-2.6.2-2.6.mga5
python-pillow-2.6.2-2.6.mga5
python3-pillow-qt-2.6.2-2.6.mga5

from python-pillow-2.6.2-2.6.mga5.src

It was discovered that there were a number of memory overflow issues (CVE-2016-9189 and CVE-2016-9190) in python-pillow, a Python image manipulation library.

ref:
https://github.com/python-pillow/Pillow/issues/2105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9190
Assignee: makowski.mageia => qa-bugs
M5-64 : I shall have a go at this either later today or tomorrow.
CC: (none) => lewyssmith
Created attachment 8654 [details] Possible PoC test script for CVE-2016-9189
CC: (none) => tarazed25
@lewis

CVE-2016-9189
There is a test script on github which uses a BMP image which can be downloaded from https://github.com/python-pillow/Pillow/tree/master/Tests/images/l2rgb_read.bmp by right-clicking the Download link. There is also a test script on github which I tried to run but which failed because of some missing resource. It might work with the pre-update packages installed. You could try it.

$ python test_map.py
Traceback (most recent call last):
  File "test_map.py", line 3, in <module>
    from helper import PillowTestCase, unittest
ImportError: No module named helper

CVE-2016-9190
There is a test image for this but the script is truncated so we probably cannot follow up on it without some expert help on github operations.
The script would need to be edited to point to the correct location for the test image on your system.
Installed the pre-updates and went looking for helper.

https://helper.readthedocs.io/en/latest/
helper 2.4
helper is a command-line/daemon application wrapper package with the aim of creating a consistent and fast way to creating applications. It is available on the Python Package Index as helper.

helper
https://helper.readthedocs.io/en/latest/py-modindex.html
Python Module Index
h
h - helper
helper.parser

None of this helps me understand how to install the helper module. We need a python master.
Created attachment 8656 [details]
test case

Here is a test case, but IOError is raised also with python-pillow-2.6.2-2.5.mga5 and python3-pillow-2.6.2-2.5.mga5, so for us it seems that the patch for CVE-2016-9189 wasn't absolutely needed, but it doesn't hurt; it is safer to have the patch.

before update:

$ python3 test_map.py
ok CVE-2016-9189
nok CVE-2016-9190
$ python test_map.py
ok CVE-2016-9189
nok CVE-2016-9190

after update:

$ python test_map.py
ok CVE-2016-9189
ok CVE-2016-9190
$ python3 test_map.py
ok CVE-2016-9189
ok CVE-2016-9190
CC: (none) => makowski.mageia
Created attachment 8659 [details]
Claire's little python-pillow test script ex Bug 13075

From Bug 13075 (Mageia 4). Call the script 'piltest.py'. It requires in the same directory an image file called "test.jpg". It prints its dimensions and displays it with ImageMagick.

To minimise Python errors, best to have:
python-pillow-tk-2.6.2-2.6.mga5
python-pillow-qt-2.6.2-2.6.mga5
python-pillow-2.6.2-2.6.mga5
python-pillow-sane-2.6.2-2.6.mga5
python3-pillow-qt-2.6.2-2.6.mga5
python3-pillow-sane-2.6.2-2.6.mga5
python3-pillow-2.6.2-2.6.mga5
python3-pillow-tk-2.6.2-2.6.mga5
Without (which?) one of the extras, Python3 throws an error.

To run:
$ python[3] piltest.py
(In reply to Lewis Smith from comment #8)
> To minimise Python errors, best to have:
> etc
The version numbers are unimportant; I should have truncated them.

(In reply to Philippe Makowski from comment #7)
> Created attachment 8656 [details]
> test case
Thank you for this script 'test_map.py', which specifically tests the 2 CVEs, and requires the given image "l2rgb_read.bmp" [not viewable] in the same directory. I ended up with two similarly-named scripts from different places; the one that matters here is Philippe's, which in my case is 729 bytes; the other is 864, and threw this error:
"
Traceback (most recent call last):
  File "test_map1.py", line 3, in <module>
    from helper import PillowTestCase, unittest
ImportError: No module named helper
"

Testing Mageia 5 x64

BEFORE update:
python-pillow-tk-2.6.2-2.5.mga5
python-pillow-2.6.2-2.5.mga5
python-pillow-sane-2.6.2-2.5.mga5
python-pillow-qt-2.6.2-2.5.mga5
python3-pillow-tk-2.6.2-2.5.mga5
python3-pillow-2.6.2-2.5.mga5
python3-pillow-sane-2.6.2-2.5.mga5
python3-pillow-qt-2.6.2-2.5.mga5

Claire's test:
$ python piltest.py
JPEG (966, 538) RGB
[then displays the image with ImageMagick]
$ python3 piltest.py
JPEG (966, 538) RGB
[then displays the image with ImageMagick]

Philippe's test:
$ python test_map.py
ok CVE-2016-9189
Traceback (most recent call last):
  File "test_map.py", line 24, in <module>
    im = Image.core.open_ppm('./negative_size.ppm')
MemoryError
$ python3 test_map.py
ok CVE-2016-9189
Traceback (most recent call last):
  File "test_map.py", line 24, in <module>
    im = Image.core.open_ppm('./negative_size.ppm')
MemoryError

AFTER update to version 2.6.2-2.6 of all 8 pkgs listed above:

Claire's test:
$ python[3] piltest.py
Same OK results as before.

Philippe's test:
$ python test_map.py
ok CVE-2016-9189
ok CVE-2016-9190
$ python3 test_map.py
ok CVE-2016-9189
ok CVE-2016-9190
which is definite for 9190.

This update OK.
Whiteboard: (none) => MGA5-64-OK
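The MemoryError in the pre-update runs above comes from handing a PPM whose header declares a nonsensical size (the negative_size.ppm test image) straight to the decoder. As an added illustration, not part of this bug report, of Pillow, or of Philippe's test_map.py, here is a stdlib-only header pre-check that a caller can run before passing a PPM to any decoder: it tokenises the P6 header (skipping comments), rejects dimensions that are not unsigned integers (so a negative height is refused rather than turned into a huge allocation), caps the pixel buffer the image would need, and checks that the raster is actually present. The MAX_PIXEL_BYTES limit, the sample byte strings and the helper names are assumptions constructed for the example.

```python
import re

# Assumption for the example: refuse any image whose decoded RGB buffer would
# exceed this many bytes, however plausible the header otherwise looks.
MAX_PIXEL_BYTES = 64 * 1024 * 1024


class BadPPM(ValueError):
    """Raised when a PPM header is malformed or describes an unsafe image."""


def _read_tokens(data, count):
    """Return `count` whitespace-separated header tokens and the offset of the
    raster data (one whitespace byte after the last token). '#' comments run to
    end of line and are skipped, as the PNM format allows."""
    tokens = []
    pos = 0
    while len(tokens) < count:
        while pos < len(data):                      # skip whitespace and comments
            if data[pos:pos + 1].isspace():
                pos += 1
            elif data[pos:pos + 1] == b"#":
                nl = data.find(b"\n", pos)
                pos = len(data) if nl < 0 else nl + 1
            else:
                break
        if pos >= len(data):
            raise BadPPM("truncated header")
        start = pos
        while pos < len(data) and not data[pos:pos + 1].isspace() and data[pos:pos + 1] != b"#":
            pos += 1
        tokens.append(data[start:pos])
    if pos >= len(data) or not data[pos:pos + 1].isspace():
        raise BadPPM("missing whitespace after maxval")
    return tokens, pos + 1


def parse_ppm_header(data):
    """Validate a binary PPM (P6) header and return its geometry, or raise BadPPM."""
    tokens, raster_start = _read_tokens(data, 4)
    magic, w, h, maxval = tokens
    if magic != b"P6":
        raise BadPPM("not a binary PPM (P6)")
    # Only unsigned decimal digits are accepted: a '-' sign fails here, so a
    # negative dimension never reaches int() or a size computation.
    for name, tok in (("width", w), ("height", h), ("maxval", maxval)):
        if not re.fullmatch(rb"[0-9]+", tok):
            raise BadPPM("%s is not an unsigned decimal integer: %r" % (name, tok))
    width, height, maxv = int(w), int(h), int(maxval)
    if width == 0 or height == 0:
        raise BadPPM("zero-sized image")
    if not 1 <= maxv <= 65535:
        raise BadPPM("maxval out of range")
    bytes_per_sample = 1 if maxv < 256 else 2
    expected = width * height * 3 * bytes_per_sample     # Python ints cannot overflow
    if expected > MAX_PIXEL_BYTES:
        raise BadPPM("image would need %d bytes, limit is %d" % (expected, MAX_PIXEL_BYTES))
    if len(data) - raster_start < expected:
        raise BadPPM("raster truncated")
    return {"width": width, "height": height, "maxval": maxv,
            "raster_offset": raster_start, "raster_bytes": expected}


def classify(data):
    """Return ('ok', header) or ('rejected', reason) for one PPM byte string."""
    try:
        return "ok", parse_ppm_header(data)
    except BadPPM as exc:
        return "rejected", str(exc)


# Constructed sample inputs (not the images from the bug report): a valid 2x1
# image with a comment, a header with a negative height, and an absurdly large one.
GOOD_PPM = b"P6\n# comment\n2 1\n255\n" + bytes([255, 0, 0, 0, 0, 255])
NEGATIVE_PPM = b"P6\n2 -1\n255\n" + bytes(6)
HUGE_PPM = b"P6\n100000 100000\n255\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD_PPM), ("negative", NEGATIVE_PPM), ("huge", HUGE_PPM)):
        print(label, classify(sample))
```

The check is deliberately independent of the decoder: it runs on the raw bytes, so it can sit in front of whichever Pillow version is installed and turns a would-be allocation failure into a clean rejection with a reason.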
Thanks Philippe for your expert help rewriting the PoC script. Simple when you know how.

@lewis: shall run this on i586 vbox at some stage

Re comment #9
threw this error:
"
Traceback (most recent call last):
  File "test_map1.py", line 3, in <module>
    from helper import PillowTestCase, unittest
ImportError: No module named helper
"
That is the error I got - luckily Philippe understood that the helper module was not needed - does not exist on our system probably.
Created attachment 8672 [details]
3 more little python-pillow test scripts ex Bug 18186

Adding these three (x 2, Python & Python 3) simple 'python-pillow' test scripts for future reference: convert[3], identify[3], thumbnail[3]. Read README, and view the scripts to see or guess what they do. They all take an image filename as a parameter.
(In reply to Len Lawrence from comment #10)
> @lewis: shall run this on i586 vbox at some stage
@Len: Kostiantyn would like to try this update for 32-bit. Can you leave it for him?
@lewis; comment 12: Of course. Go ahead.
Testing Mageia 5 i586 in vbox

BEFORE update:

$ rpm -qa *pillow* | sort
python3-pillow-2.6.2-2.5.mga5
python3-pillow-devel-2.6.2-2.5.mga5
python3-pillow-doc-2.6.2-2.5.mga5
python3-pillow-qt-2.6.2-2.5.mga5
python3-pillow-sane-2.6.2-2.5.mga5
python3-pillow-tk-2.6.2-2.5.mga5
python-pillow-2.6.2-2.5.mga5
python-pillow-devel-2.6.2-2.5.mga5
python-pillow-doc-2.6.2-2.5.mga5
python-pillow-qt-2.6.2-2.5.mga5
python-pillow-sane-2.6.2-2.5.mga5
python-pillow-tk-2.6.2-2.5.mga5

Philippe's test:

$ python test_map.py
ok CVE-2016-9189
Traceback (most recent call last):
  File "test_map.py", line 24, in <module>
    im = Image.core.open_ppm('./negative_size.ppm')
MemoryError
$ python3 test_map.py
ok CVE-2016-9189
Traceback (most recent call last):
  File "test_map.py", line 24, in <module>
    im = Image.core.open_ppm('./negative_size.ppm')
MemoryError

Claire's test:

$ python piltest.py
JPEG (600, 450) RGB
[displays the image with ImageMagick]
$ python3 piltest.py
JPEG (600, 450) RGB
[displays the image with ImageMagick]

Tests provided by Lewis in attachment 8672 [details] from ex Bug 18186:

$ python identify test.jpg
test.jpg JPEG 600x450 RGB
$ python3 identify3 test.jpg
test.jpg JPEG 600x450 RGB
$ python convert flowers.png
[creates file flowers.jpg, displays two identical but differently sized images with ImageMagick]
$ python3 convert3 flowers.png
[the same result as above]
$ python thumbnail test.jpg
[creates file test.thumbnail]
$ python3 thumbnail3 test.jpg
[creates file test.thumbnail]

The test provided by Len (attachment 8654 [details]) threw an error because it required the submodule helper from the Pillow.Tests module, which probably was stripped from the release version of the package. (https://github.com/python-pillow/Pillow/tree/master/Tests)

AFTER update:

$ rpm -qa *pillow* | sort
python3-pillow-2.6.2-2.6.mga5
python3-pillow-devel-2.6.2-2.6.mga5
python3-pillow-doc-2.6.2-2.6.mga5
python3-pillow-qt-2.6.2-2.6.mga5
python3-pillow-sane-2.6.2-2.6.mga5
python3-pillow-tk-2.6.2-2.6.mga5
python-pillow-2.6.2-2.6.mga5
python-pillow-devel-2.6.2-2.6.mga5
python-pillow-doc-2.6.2-2.6.mga5
python-pillow-qt-2.6.2-2.6.mga5
python-pillow-sane-2.6.2-2.6.mga5
python-pillow-tk-2.6.2-2.6.mga5

Philippe's test:

$ python test_map.py
ok CVE-2016-9189
ok CVE-2016-9190
$ python3 test_map.py
ok CVE-2016-9189
ok CVE-2016-9190

The results of the other tests were OK as before update. The update is OK.
CC: (none) => c.kravchuk
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
@Kostiantyn: a great job, which becomes a reference test procedure for this package. Validating; Advisory from Comment 1 uploaded.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0383.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED