Fedora has issued an advisory on July 4: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HOKHNWV2VS5GESY7IBD237E7C6T3I427/ The issues are fixed upstream in 7.1.0.
For Mageia 7, this SRPM has variable maintainers; so assigning this bug globally.
Assignee: bugsquad => pkg-bugs
CVE-2020-10379 probably does not affect Mageia 7. Ubuntu has issued advisories for this on July 22 and 23: https://ubuntu.com/security/notices/USN-4430-1 https://ubuntu.com/security/notices/USN-4430-2
python2-pillow-5.4.1-1.2.mga7.x86_64.rpm
python2-pillow-debuginfo-5.4.1-1.2.mga7.x86_64.rpm
python2-pillow-devel-5.4.1-1.2.mga7.x86_64.rpm
python2-pillow-doc-5.4.1-1.2.mga7.noarch.rpm
python2-pillow-qt-5.4.1-1.2.mga7.x86_64.rpm
python2-pillow-tk-5.4.1-1.2.mga7.x86_64.rpm
python2-pillow-tk-debuginfo-5.4.1-1.2.mga7.x86_64.rpm
python3-pillow-5.4.1-1.2.mga7.x86_64.rpm
python3-pillow-debuginfo-5.4.1-1.2.mga7.x86_64.rpm
python3-pillow-devel-5.4.1-1.2.mga7.x86_64.rpm
python3-pillow-doc-5.4.1-1.2.mga7.noarch.rpm
python3-pillow-qt-5.4.1-1.2.mga7.x86_64.rpm
python3-pillow-tk-5.4.1-1.2.mga7.x86_64.rpm
python3-pillow-tk-debuginfo-5.4.1-1.2.mga7.x86_64.rpm
python-pillow-debuginfo-5.4.1-1.2.mga7.x86_64.rpm
python-pillow-debugsource-5.4.1-1.2.mga7.x86_64.rpm

from python-pillow-5.4.1-1.2.mga7.src.rpm in 7/core/updates_testing
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => makowski.mageia
Advisory:
========================

Updated python-pillow packages fix security vulnerabilities:

In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer (CVE-2020-10378).

Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in libImaging/FliDecode.c (CVE-2020-10177).

An out-of-bounds read flaw was found in python-pillow in the way JP2 images are parsed. An application that uses python-pillow to decode untrusted images may be vulnerable to this issue. This flaw allows an attacker to read data. The highest threat from this vulnerability is to confidentiality (CVE-2020-10994).

An out-of-bounds read/write flaw was found in python-pillow, in the way SGI RLE images are decoded. An application that uses python-pillow to decode untrusted images may be vulnerable. This flaw allows an attacker to crash the application or potentially execute code on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2020-11538).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10378
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11538
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HOKHNWV2VS5GESY7IBD237E7C6T3I427/
mga7, x86_64

CVE-2020-10378.... No PoC files or procedures found for the vulnerabilities.

https://pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html
This site summarizes recent changes - no idea if testing those is relevant for this release.

Reduced the package list to this:
python2-pillow python2-pillow-devel python2-pillow-doc python2-pillow-qt python2-pillow-tk python3-pillow python3-pillow-devel python3-pillow-doc python3-pillow-qt python3-pillow-tk
and pulled in 36 packages before update.

Ran a python scriptlet to convert a png file to jpeg format and display it using internal IM call.

$ ll
-rw-r--r-- 1 lcl lcl  681855 Nov 17  2020 kappaCrucis.jpg
-rw-r--r-- 1 lcl lcl 6891745 Apr 13  2016 kappaCrucis.png

Ran update.

$ rpm -qa | grep pillow
python2-pillow-qt-5.4.1-1.2.mga7
python3-pillow-devel-5.4.1-1.2.mga7
python2-pillow-devel-5.4.1-1.2.mga7
python3-pillow-tk-5.4.1-1.2.mga7
python2-pillow-tk-5.4.1-1.2.mga7
python2-pillow-5.4.1-1.2.mga7
python3-pillow-doc-5.4.1-1.2.mga7
python3-pillow-5.4.1-1.2.mga7
python3-pillow-qt-5.4.1-1.2.mga7
python2-pillow-doc-5.4.1-1.2.mga7

The conversion script worked fine for TIFF, PCX, PNG to JPEG for both python2 and python3.
Conversion from JP2 or J2K does not work because there is no jpeg2k decoder.
Need to do some background reading to see what python-pillow provides.
https://www.tutorialspoint.com/python_pillow/index.htm
CC: (none) => tarazed25
The tutorial does not help much. JPEG2000 is not mentioned anywhere - any attempt to open such images fails with python2 and python3. Tested the new API feature - writing images with zero quality specified. That does work. Not much more can be done with this. Don't have the energy to pursue image processing right now.
https://pillow.readthedocs.io/en/5.2.x/handbook/image-file-formats.html#jpeg-2000 indicates that jpeg2000 is fully supported.
"PIL reads and writes JPEG 2000 files containing L, LA, RGB or RGBA data"

$ file glenshiel.j2k
glenshiel.j2k: JPEG 2000 codestream
$ identify glenshiel.j2k
glenshiel.j2k J2K 2304x1728 2304x1728+0+0 8-bit sRGB 0.000u 0:00.000
$ python3
Python 3.7.6 (default, Jan 21 2020, 20:43:18)
[GCC 8.3.1 20190524] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from __future__ import print_function
>>> import os, sys
>>> from PIL import Image
>>> infile = "glenshiel.j2k"
>>> outfile = "glenshiel.pcx"
>>> Image.open(infile).save(outfile)
Traceback (most recent call last):
  File "/usr/lib64/python3.7/site-packages/PIL/Image.py", line 455, in _getdecoder
    decoder = getattr(core, decoder_name + "_decoder")
AttributeError: module 'PIL._imaging' has no attribute 'jpeg2k_decoder'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.7/site-packages/PIL/Image.py", line 1960, in save
    self.load()
  File "/usr/lib64/python3.7/site-packages/PIL/Jpeg2KImagePlugin.py", line 210, in load
    return ImageFile.ImageFile.load(self)
  File "/usr/lib64/python3.7/site-packages/PIL/ImageFile.py", line 212, in load
    args, self.decoderconfig)
  File "/usr/lib64/python3.7/site-packages/PIL/Image.py", line 458, in _getdecoder
    raise IOError("decoder %s not available" % decoder_name)
OSError: decoder jpeg2k not available
MGA7-64 MATE on Peaq C1011.
No installation issues.
Repeated Len's tests from previous bug 25968

$ python
Python 2.7.17 (default, Nov 1 2019, 09:28:08)
[GCC 8.3.1 20190524] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from PIL import Image
>>> im = Image.open( "shelt0001.jpeg")
>>> im.rotate( 45 ).show( )
>>> exit( )
shows tilted image OK

$ python /home/tester7/Documents/thumbnail.py
Created the thumbnails
(I will upload this file, for future use: check your images suffix: is now jpeg in this file)

$ identify shelt0001.thumbnail
shelt0001.thumbnail JPEG 128x87 128x87+0+0 8-bit sRGB 2796B 0.000u 0:00.001

Seems all working OK.
CC: (none) => herman.viaene
Created attachment 12005 [details]
test creating thumbnails of images in current working directory
Harking back to j2k decoding wondered if there might be a standalone extension to python-pillow which we are missing, however blind guesswork comes up empty.

$ pip install jpeg2k_decoder
Collecting jpeg2k_decoder
  Could not find a version that satisfies the requirement jpeg2k_decoder (from versions: )
No matching distribution found for jpeg2k_decoder
https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html#jpeg-2000
"To enable JPEG 2000 support, you need to build and install the OpenJPEG library, version 2.0.0 or higher, before building the Python Imaging Library."

Seems that we don't, or that the build doesn't detect it.

I have the same error with https://github.com/python-pillow/Pillow/blob/master/Tests/images/rgb_trns_ycbc.j2k?raw=true and that even with the package 5.4.1-1.1.mga7
ok python-pillow is now built with OPENJPEG (JPEG2000) support available

python2-pillow
python2-pillow-devel
python2-pillow-doc
python2-pillow-qt
python2-pillow-tk
python3-pillow
python3-pillow-devel
python3-pillow-doc
python3-pillow-qt
python3-pillow-tk

from python-pillow-5.4.1-1.3.mga7.src.rpm are in 7/core/updates_testing

The following test should work with https://github.com/python-pillow/Pillow/blob/master/Tests/images/rgb_trns_ycbc.j2k?raw=true

$ python3
Python 3.7.6 (default, Jan 21 2020, 20:43:18)
[GCC 8.3.1 20190524] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os, sys
>>> from PIL import Image
>>> infile = "gb_trns_ycbc.j2k"
>>> outfile = "gb_trns_ycbc.png"
>>> Image.open(infile).save(outfile)
Advisory:
========================

Updated python-pillow packages fix security vulnerabilities:

In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer (CVE-2020-10378).

Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in libImaging/FliDecode.c (CVE-2020-10177).

An out-of-bounds read flaw was found in python-pillow in the way JP2 images are parsed. An application that uses python-pillow to decode untrusted images may be vulnerable to this issue. This flaw allows an attacker to read data. The highest threat from this vulnerability is to confidentiality (CVE-2020-10994).

An out-of-bounds read/write flaw was found in python-pillow, in the way SGI RLE images are decoded. An application that uses python-pillow to decode untrusted images may be vulnerable. This flaw allows an attacker to crash the application or potentially execute code on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2020-11538).

Also, python-pillow is now built with OpenJPEG2000 image support.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10378
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11538
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HOKHNWV2VS5GESY7IBD237E7C6T3I427/
========================

Updated packages in core/updates_testing:
========================
python2-pillow-5.4.1-1.3.mga7
python2-pillow-devel-5.4.1-1.3.mga7
python2-pillow-doc-5.4.1-1.3.mga7
python2-pillow-tk-5.4.1-1.3.mga7
python2-pillow-qt-5.4.1-1.3.mga7
python3-pillow-5.4.1-1.3.mga7
python3-pillow-devel-5.4.1-1.3.mga7
python3-pillow-doc-5.4.1-1.3.mga7
python3-pillow-tk-5.4.1-1.3.mga7
python3-pillow-qt-5.4.1-1.3.mga7

from python-pillow-5.4.1-1.3.mga7.src.rpm
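An added check, not part of the bug report or of Mageia's own tooling: given `rpm -qa` output, it flags pillow packages still below the 5.4.1-1.3.mga7 build named in the advisory above. The version comparison is a simplified rpmvercmp (no tilde/caret handling), and the sample input is constructed from the earlier `rpm -qa | grep pillow` listing with one rebuilt package added.

```python
# Added check (not from the bug report or Mageia's tooling): flag python-pillow
# packages whose name-version-release is still below the build named in the
# advisory. The comparison is a simplified rpmvercmp (no tilde/caret handling).
import re

# Constructed sample of `rpm -qa | grep pillow`: the 1.2 builds from the earlier
# test report plus one 1.3 build from the rebuilt update.
SAMPLE_RPM_QA = """\
python2-pillow-qt-5.4.1-1.2.mga7
python3-pillow-devel-5.4.1-1.2.mga7
python3-pillow-5.4.1-1.3.mga7
"""
FIXED_VERSION, FIXED_RELEASE = "5.4.1", "1.3.mga7"  # from the advisory

def split_nvr(line):
    """Split an `rpm -qa` line 'name-version-release' into its three parts."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release

def rpm_vercmp(a, b):
    """rpmvercmp-style compare: split into digit/alpha segments, digits compare
    as ints, a digit segment beats an alpha one, leftover segments win."""
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def is_fixed(version, release):
    """True when version-release is at or beyond the advisory's build."""
    c = rpm_vercmp(version, FIXED_VERSION)
    return c > 0 if c else rpm_vercmp(release, FIXED_RELEASE) >= 0

def outdated_packages(rpm_qa_output):
    """Names of pillow packages that still carry a pre-fix build."""
    stale = []
    for line in rpm_qa_output.splitlines():
        if "pillow" in line:
            name, version, release = split_nvr(line)
            if not is_fixed(version, release):
                stale.append(name)
    return stale
```

Run `outdated_packages` over real `rpm -qa` output after applying the update; an empty list means every pillow package is on the fixed build.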
Thanks Philip, JPEG2000 now decoded and converted OK. We can probably let this go on the basis of earlier tests, comments 8 and 9 and others.
(In reply to Len Lawrence from comment #14)
> Thanks Philip, JPEG2000 now decoded and converted OK. We can probably let
> this go on the basis of earlier tests, comments 8 and 9 and others.

Validating. Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0434.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED