Bug 921566 - VUL-0: python-Pillow: multiple vulnerabilities
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: CVSSv2:NVD:CVE-2014-1933:2.1:(AV:L/A...
Depends on:
Blocks:
Reported: 2015-03-10 14:53 UTC by Andreas Stieger
Modified: 2016-03-11 10:35 UTC
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Andreas Stieger 2015-03-10 14:53:05 UTC
From SES 1.0 security review:

SLE 11 SP3 (Cloud 5): python-Pillow 2.3.0
SLE 12 SPE (SES 1.0, Cloud 5): 2.5.1

2.7.0 (2015-01-01)
2.6.2 (2015-01-01)
    Fix CVE-2014-9601, potential PNG decompression DOS #1060 [wiredfool]
    Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.

2.6.0-rc1 (2014-09-29)
    Fixed CVE-2014-3598, a DOS in the Jpeg2KImagePlugin [Andrew Drake]

2.6.0-rc1 (2014-09-29)
2.5.2 (2014-08-13)
2.3.2 (2014-08-13)
    Fixed CVE-2014-3589, a DOS in the IcnsImagePlugin [Andrew Drake]
    PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size. 

2.4.0 (2014-04-01)
    Fixed DOS with invalid palette size or invalid image size in BMP file [wiredfool]
2.5.3 (2014-08-18)
    Fixed CVE-2014-3598, a DOS in the Jpeg2KImagePlugin (backport) [Andrew Drake]
These two below were fixed in python-images, but because python-Pillow is a fork these affect it as well.

2.3.1 (2014-03-14)
    Fix insecure use of tempfile.mktemp:
CVE-2014-1932
 The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.

CVE-2014-1933
 The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the nam
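The PNG text-chunk issue listed above (CVE-2014-9601) is a decompression bomb: a zTXt chunk of a few kilobytes that inflates to hundreds of megabytes when the decoder calls an unbounded zlib.decompress(). The following is an added example, not Pillow's code and not from the bug report: a minimal PNG chunk walker that inflates zTXt data through a zlib.decompressobj with an output cap, plus a builder that constructs both a benign file and a bomb so the check can be exercised offline. The cap value MAX_TEXT_CHUNK and the 1x1 image are assumptions made for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Cap on decompressed text per zTXt chunk. Assumed value for this example;
# the point is that *some* bound is enforced before the stream is inflated.
MAX_TEXT_CHUNK = 1024 * 1024


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(text_chunks):
    """Build a minimal 1x1 greyscale PNG carrying the given zTXt chunks.

    text_chunks is a list of (keyword, plaintext) byte pairs; the text is
    deflated here, so the caller chooses the *decompressed* size while the
    file itself stays small. Constructed sample input, not a real image.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")                      # filter 0 + 1 sample
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for keyword, text in text_chunks:
        # zTXt layout: keyword, NUL, compression method (0 = deflate), stream
        out += _chunk(b"zTXt", keyword + b"\x00\x00" + zlib.compress(text, 9))
    return out + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iter_chunks(data: bytes):
    """Yield (type, body) for every chunk, checking lengths and CRCs."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 12 > len(data):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk body")
        body = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, body
        pos = end + 4
        if ctype == b"IEND":
            return


def decompress_bounded(stream: bytes, limit: int) -> bytes:
    """Inflate at most `limit` bytes and refuse streams that would exceed it.

    zlib.decompress(stream) allocates whatever the stream expands to;
    decompressobj().decompress(stream, limit) stops after `limit` output
    bytes, and eof stays False if the stream did not finish in that budget.
    """
    d = zlib.decompressobj()
    out = d.decompress(stream, limit)
    if not d.eof:
        raise ValueError("decompressed text exceeds %d bytes" % limit)
    return out


def extract_text(data: bytes, limit: int = MAX_TEXT_CHUNK) -> dict:
    """Return {keyword: text} for every zTXt chunk, with bounded inflation."""
    texts = {}
    for ctype, body in iter_chunks(data):
        if ctype != b"zTXt":
            continue
        keyword, sep, rest = body.partition(b"\x00")
        if not sep or len(rest) < 2 or rest[0] != 0:
            raise ValueError("malformed zTXt chunk")
        texts[keyword.decode("latin-1")] = decompress_bounded(rest[1:], limit)
    return texts


def rejects_text_bomb(data: bytes, limit: int = MAX_TEXT_CHUNK) -> bool:
    """True when the bounded decoder refuses the file as oversized/malformed."""
    try:
        extract_text(data, limit)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = build_png([(b"Comment", b"hello")])
    # 8 MiB of zeros deflates to a few KiB: a small file, a large inflation.
    bomb = build_png([(b"Comment", b"\x00" * (8 * 1024 * 1024))])
    print("benign:", extract_text(benign))
    print("bomb file size: %d bytes" % len(bomb))
    print("bomb rejected with 1 MiB cap:", rejects_text_bomb(bomb))
```

The cap is checked on the output side, not by trusting the chunk length: the compressed chunk is small by design, so any check on the declared length passes, and only the inflated size tells you whether the file is hostile.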
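The tempfile.mktemp() issue (CVE-2014-1932) is a classic symlink race: mktemp() only returns a name, the caller opens that name later with a plain open(), and a local attacker who predicts or observes the name can plant a symlink in between so the write lands on a file of their choosing. The following is an added example, not Pillow's code and not from the bug report; it simulates the race by handing the attacker the name directly and compares the vulnerable pattern with an O_CREAT|O_EXCL open. The victim file name and payload are constructed for the example.

```python
import os
import tempfile


def write_with_mktemp(path: str, payload: bytes) -> None:
    """Vulnerable pattern: the name came from mktemp(); open() creates it
    later and follows whatever now sits at that path."""
    with open(path, "wb") as fh:
        fh.write(payload)


def write_with_excl(path: str, payload: bytes) -> None:
    """Hardened pattern: create atomically and refuse anything already there.

    O_EXCL makes the open fail with EEXIST if the path exists, symlink
    included; O_NOFOLLOW (where the platform has it) additionally refuses
    to traverse a symlink at the final component.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, payload)
    finally:
        os.close(fd)


def run_race(writer) -> tuple:
    """Simulate the race: the attacker knows the temp name and plants a
    symlink to the victim file before the writer opens it.

    Returns (target_was_overwritten, target_contents).
    """
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "victim.conf")   # constructed target
        with open(target, "wb") as fh:
            fh.write(b"original")
        name = tempfile.mktemp(dir=workdir)   # the name the victim will use
        os.symlink(target, name)              # attacker wins the window
        try:
            writer(name, b"pwned")
        except OSError:
            pass   # O_EXCL -> EEXIST (FileExistsError); O_NOFOLLOW -> ELOOP
        with open(target, "rb") as fh:
            data = fh.read()
        return data != b"original", data


if __name__ == "__main__":
    print("mktemp + open():", run_race(write_with_mktemp))
    print("O_CREAT|O_EXCL:", run_race(write_with_excl))
```

In real code the replacement is tempfile.mkstemp() or tempfile.NamedTemporaryFile(), which perform exactly this exclusive create themselves and hand back the open descriptor, so there is no name-then-open window for an attacker to race.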
Comment 1 Andreas Stieger 2015-03-10 15:00:46 UTC
Also affects openSUSE 13.2 which was released with python-Pillow 2.5.1.
Comment 2 Swamp Workflow Management 2015-03-10 23:00:24 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2015-03-30 08:58:14 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61371
Comment 4 Swamp Workflow Management 2015-03-30 08:58:25 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61372
Comment 6 Bernhard Wiedemann 2015-04-21 15:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (921566) was mentioned in
https://build.opensuse.org/request/show/298322 13.2 / python-Pillow
Comment 9 Swamp Workflow Management 2015-04-27 15:04:59 UTC
SUSE-SU-2015:0777-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 921566
CVE References: CVE-2014-1932,CVE-2014-1933,CVE-2014-3589,CVE-2014-3598,CVE-2014-9601
Sources used:
SUSE Cloud 5 (src):    python-Pillow-2.7.0-0.7.1
Comment 10 Swamp Workflow Management 2015-04-29 09:04:58 UTC
openSUSE-SU-2015:0798-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 921566
CVE References: CVE-2014-3589,CVE-2014-3598,CVE-2014-9601
Sources used:
openSUSE 13.2 (src):    python-Pillow-2.8.1-3.3.1
Comment 11 Dirk Mueller 2015-05-04 18:34:00 UTC
all submitted as far as I can see.
Comment 12 Marcus Meissner 2015-12-08 16:13:34 UTC
the SLE12 variants seem not to be fixed.

SUSE:SLE-12:Update:Products:Cloud5         python-Pillow
SUSE:SLE-12:Update:Products:Cloud5:Update  python-Pillow
SUSE:SLE-12:Update:Products:SES2           python-Pillow
Comment 13 Dirk Mueller 2015-12-09 11:30:21 UTC
iosc ls SUSE:SLE-12:Update:Products:Cloud5:Update python-Pillow
#_link
# -> SUSE:SLE-12:Update:Products:Cloud5:Update python-Pillow.630 (latest)
Pillow-2.7.0.tar.gz

looks fixed.
Comment 14 Marcus Meissner 2015-12-09 11:40:16 UTC
ok, also ses2 seems to have 2.7.0. closing.