pillow: CVE-2019-19911 CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313


Debian Bug report logs - #948224


Package: pillow; Maintainer for pillow is Matthias Klose <doko@debian.org>;

Reported by: Markus Koschany <apo@debian.org>

Date: Sun, 5 Jan 2020 15:33:01 UTC

Severity: grave

Tags: security

Found in version 6.2.1-2

Fixed in version 7.0.0-1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Matthias Klose <doko@debian.org>:
Bug#948224; Package pillow. (Sun, 05 Jan 2020 15:33:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Matthias Klose <doko@debian.org>. (Sun, 05 Jan 2020 15:33:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: pillow: CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313
Date: Sun, 5 Jan 2020 16:30:36 +0100
Package: pillow
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for pillow. It appears they
are fixed in version 6.2.2.

CVE-2020-5310[0]:
| libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding
| integer overflow, related to realloc.


CVE-2020-5311[1]:
| libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer
| overflow.


CVE-2020-5312[2]:
| libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer
| overflow.


CVE-2020-5313[3]:
| libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer
| overflow.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5310
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5310
[1] https://security-tracker.debian.org/tracker/CVE-2020-5311
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5311
[2] https://security-tracker.debian.org/tracker/CVE-2020-5312
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5312
[3] https://security-tracker.debian.org/tracker/CVE-2020-5313
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5313

Please adjust the affected versions in the BTS as needed.

Regards,

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#948224; Package pillow. (Sun, 05 Jan 2020 16:54:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Sun, 05 Jan 2020 16:54:02 GMT)


Message #10 received at 948224@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 948224@bugs.debian.org
Subject: Re: Bug#948224: pillow: CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313
Date: Sun, 5 Jan 2020 17:51:00 +0100
Control: found -1 6.2.1-2
Control: retitle pillow: CVE-2019-19911 CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313

Hi,

On Sun, Jan 05, 2020 at 04:30:36PM +0100, Markus Koschany wrote:
> The following vulnerabilities were published for pillow. It appears they
> are fixed in version 6.2.2.

Additionally there is CVE-2019-19911, fixed by
https://github.com/python-pillow/Pillow/commit/774e53bb132461d8d5ebefec1162e29ec0ebc63d
as well, addressed in 6.2.2. Thus, track it here with the same bug.

Regards,
Salvatore



Marked as found in versions 6.2.1-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to 948224-submit@bugs.debian.org. (Sun, 05 Jan 2020 16:54:03 GMT)


Changed Bug title to 'pillow: CVE-2019-19911 CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313' from 'pillow: CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jan 2020 16:57:05 GMT)


Marked as fixed in versions 7.0.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 06 Jan 2020 15:39:02 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 06 Jan 2020 15:39:03 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Mon, 06 Jan 2020 15:39:03 GMT)


Message sent on to Markus Koschany <apo@debian.org>:
Bug#948224. (Mon, 06 Jan 2020 15:39:07 GMT)


Message #23 received at 948224-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 948224-submitter@bugs.debian.org
Subject: closing 948224
Date: Mon, 06 Jan 2020 16:37:39 +0100
# fixed in 7.0.0 but bug was not closed
close 948224 7.0.0-1
thanks



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jan 8 10:20:15 2020; Machine Name: buxtehude
