pillow: CVE-2016-0740: Buffer overflow in TiffDecode.c

Related Vulnerabilities: CVE-2016-0740, CVE-2016-0775

Debian Bug report logs - #813905

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 6 Feb 2016 15:15:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version pillow/2.2.1-1

Fixed in version pillow/3.1.1-1

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>:
Bug#813905; Package src:pillow. (Sat, 06 Feb 2016 15:15:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>. (Sat, 06 Feb 2016 15:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pillow: CVE-2016-0740: Buffer overflow in TiffDecode.c
Date: Sat, 06 Feb 2016 16:13:37 +0100
Source: pillow
Version: 2.2.1-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for pillow.

CVE-2016-0740[0]:
Buffer overflow in TiffDecode.c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

This is fixed in 3.1.1.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-0740
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1298874
[2] https://github.com/python-pillow/Pillow/commit/6dcbf5bd96b717c58d7b642949da8d323099928e

Regards,
Salvatore



Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Wed, 10 Feb 2016 10:24:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 10 Feb 2016 10:24:14 GMT)


Message #10 received at 813905-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 813905-close@bugs.debian.org
Subject: Bug#813905: fixed in pillow 3.1.1-1
Date: Wed, 10 Feb 2016 10:21:18 +0000
Source: pillow
Source-Version: 3.1.1-1

We believe that the bug you reported is fixed in the latest version of
pillow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 813905@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated pillow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 10 Feb 2016 10:40:44 +0100
Source: pillow
Binary: python-pil python-pil-dbg python-pil.imagetk python-pil.imagetk-dbg python3-pil python3-pil-dbg python3-pil.imagetk python3-pil.imagetk-dbg python-pil-doc python-imaging
Architecture: source all amd64
Version: 3.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description:
 python-imaging - Python Imaging Library compatibility layer
 python-pil - Python Imaging Library (Pillow fork)
 python-pil-dbg - Python Imaging Library (debug extension)
 python-pil-doc - Examples for the Python Imaging Library
 python-pil.imagetk - Python Imaging Library - ImageTk Module (Pillow fork)
 python-pil.imagetk-dbg - Python Imaging Library - ImageTk Module (debug extension)
 python3-pil - Python Imaging Library (Python3)
 python3-pil-dbg - Python Imaging Library (Python3 debug extension)
 python3-pil.imagetk - Python Imaging Library - ImageTk Module (Python3)
 python3-pil.imagetk-dbg - Python Imaging Library - ImageTk Module (Python3 debug extension)
Closes: 813905 813909
Changes:
 pillow (3.1.1-1) unstable; urgency=medium
 .
   * Pillow 3.1.1 release.
     - CVE-2016-0740: Fix buffer overflow in TiffDecode.c. Closes: #813905.
     - CVE-2016-0775: Fix buffer overflow in FliDecode.c. Closes: #813909.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Mar 2016 07:26:54 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:14:05 2019; Machine Name: beach
