Bug 20070 - python-pillow new security issue CVE-2016-4009
Summary: python-pillow new security issue CVE-2016-4009
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Philippe Makowski
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/710490/
Whiteboard:
Keywords: Triaged
Depends on:
Blocks:
 
Reported: 2017-01-03 20:54 CET by David Walser
Modified: 2017-01-04 12:16 CET
CC: 1 user

See Also:
Source RPM: python-pillow-2.6.2-2.6.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2017-01-03 20:54:06 CET
Gentoo has issued an advisory on December 31:
https://security.gentoo.org/glsa/201612-52

This is the last issue referenced in the 3.1.1 release notes:
https://github.com/python-pillow/Pillow/blob/777ef4f523679a9ea0f3573efc224bf821b6abe7/docs/releasenotes/3.1.1.rst

But I failed to include it in the Bug 17671 update.
Comment 1 Marja Van Waes 2017-01-03 21:47:52 CET
Assigning to the registered maintainer.

Keywords: (none) => Triaged
CC: (none) => marja11
Assignee: bugsquad => makowski.mageia

Comment 2 Philippe Makowski 2017-01-04 12:16:12 CET
So according to https://security.gentoo.org/glsa/201612-52

it has a CVE:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4009

and this is the upstream patch:
https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e

But according to https://security-tracker.debian.org/tracker/CVE-2016-4009
"Upstream confirmed that versions prior 2.7 are not vulnerable."

So I think we can close this bug (in Cauldron we have 3.4.2, which has this issue fixed).

Status: NEW => RESOLVED
Resolution: (none) => INVALID
