pillow: CVE-2014-9601

Related Vulnerabilities: CVE-2014-9601  

Debian Bug report logs - #776303


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 26 Jan 2015 13:21:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Fixed in version pillow/2.6.1-2

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>: Bug#776303; Package src:pillow. (Mon, 26 Jan 2015 13:21:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>. (Mon, 26 Jan 2015 13:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-9601
Date: Mon, 26 Jan 2015 14:18:59 +0100
Source: pillow
Severity: important
Tags: security

This was fixed upstream in 2.7.0 and was assigned CVE-2014-9601:
http://pillow.readthedocs.org/releasenotes/2.7.0.html#png-text-chunk-size-limits

Isolated fix is here:
https://github.com/python-pillow/Pillow/commit/b3e09122e527ae554eb590741bbd7611d5710e40

Cheers,
        Moritz
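The defect behind CVE-2014-9601 is that compressed PNG text chunks (zTXt/iTXt) were inflated with no bound on the output, so a few kilobytes of crafted input could force the decoder to allocate gigabytes. The block below is an added illustration, not code from the bug report, from Pillow or from the upstream commit: it builds a small PNG with a zTXt chunk (constructed sample data), parses the chunk layout with CRC checks, and shows the bounded-inflate idiom (a zlib.decompressobj with a max_length and a check of unconsumed_tail) next to the unbounded behaviour. The constants MAX_TEXT_CHUNK and MAX_TEXT_MEMORY are stand-ins named after the limits the 2.7.0 release notes describe; their values here are assumptions for the demo, not Pillow's defaults.

```python
import struct
import zlib

# Per-chunk and total decompression budgets. Names follow the settings the
# 2.7.0 release notes mention; the values are illustrative (assumption).
MAX_TEXT_CHUNK = 1024 * 1024           # 1 MiB of decompressed text per chunk
MAX_TEXT_MEMORY = 64 * MAX_TEXT_CHUNK  # total across all text chunks in a file

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png_with_ztxt(keyword: bytes, plaintext: bytes) -> bytes:
    """Constructed sample: a 1x1 8-bit grayscale PNG carrying one zTXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    # zTXt layout: keyword, NUL, compression method (0 = zlib), compressed text
    ztxt = keyword + b"\x00" + b"\x00" + zlib.compress(plaintext, 9)
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"zTXt", ztxt)
            + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b""))


def iter_chunks(data: bytes):
    """Yield (type, body) for each chunk, rejecting truncation and bad CRCs."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk")
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def safe_zlib_decompress(s: bytes, limit: int = MAX_TEXT_CHUNK) -> bytes:
    """Inflate at most `limit` bytes and refuse streams that would exceed it.

    decompressobj.decompress(data, max_length) stops emitting output at
    max_length and parks the not-yet-processed input in unconsumed_tail, so a
    non-empty tail means the stream wanted to grow past the budget.
    """
    dobj = zlib.decompressobj()
    plaintext = dobj.decompress(s, limit)
    if dobj.unconsumed_tail:
        raise ValueError("Decompressed data too large")
    return plaintext


def read_ztxt(data: bytes, limit: int = MAX_TEXT_CHUNK,
              total_limit: int = MAX_TEXT_MEMORY) -> dict:
    """Return {keyword: text} for every zTXt chunk, enforcing both budgets."""
    texts, used = {}, 0
    for ctype, body in iter_chunks(data):
        if ctype != b"zTXt":
            continue
        keyword, sep, rest = body.partition(b"\x00")
        if not sep or not rest or rest[0] != 0:  # only method 0 (zlib) exists
            raise ValueError("malformed zTXt chunk")
        text = safe_zlib_decompress(rest[1:], limit)
        used += len(text)
        if used > total_limit:
            raise ValueError("total decompressed text exceeds budget")
        texts[keyword.decode("latin-1")] = text
    return texts


def unbounded_text_size(data: bytes) -> int:
    """Pre-fix behaviour: inflate every zTXt chunk fully and sum the sizes."""
    total = 0
    for ctype, body in iter_chunks(data):
        if ctype == b"zTXt":
            _, _, rest = body.partition(b"\x00")
            total += len(zlib.decompress(rest[1:]))
    return total


def classify(data: bytes) -> str:
    """'ok' when all text chunks fit the budgets, 'rejected' when a check fires."""
    try:
        read_ztxt(data)
    except ValueError:
        return "rejected"
    return "ok"


if __name__ == "__main__":
    benign = build_png_with_ztxt(b"Comment", b"hello world")
    bomb = build_png_with_ztxt(b"Comment", b"\x00" * (8 * 1024 * 1024))
    print(len(bomb), "bytes on disk inflate to", unbounded_text_size(bomb), "bytes of text")
    print("benign:", classify(benign), read_ztxt(benign))
    print("bomb:", classify(bomb))
```

The per-chunk check alone is not enough: a file may carry many chunks that each stay under the limit, which is why read_ztxt also tracks the running total. The unconsumed_tail test is cheaper than inflating and then measuring, because the decoder never allocates more than `limit` bytes for the chunk.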



Changed Bug title to 'pillow: CVE-2014-9601' from 'CVE-2014-9601'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 26 Jan 2015 15:15:15 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 26 Jan 2015 15:15:16 GMT)


Reply sent to Matthias Klose <doko@debian.org>: You have taken responsibility. (Mon, 23 Mar 2015 11:03:05 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Mon, 23 Mar 2015 11:03:06 GMT)


Message #14 received at 776303-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 776303-close@bugs.debian.org
Subject: Bug#776303: fixed in pillow 2.6.1-2
Date: Mon, 23 Mar 2015 11:00:22 +0000
Source: pillow
Source-Version: 2.6.1-2

We believe that the bug you reported is fixed in the latest version of
pillow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776303@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated pillow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 08 Mar 2015 12:40:13 +0100
Source: pillow
Binary: python-pil python-pil-dbg python-pil.imagetk python-pil.imagetk-dbg python-imaging-tk python-sane python-sane-dbg python3-pil python3-pil-dbg python3-pil.imagetk python3-pil.imagetk-dbg python3-sane python3-sane-dbg python-pil-doc python-imaging
Architecture: source all amd64
Version: 2.6.1-2
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description:
 python-imaging - Python Imaging Library compatibility layer
 python-imaging-tk - transitional dummy package for smooth upgrades to python-pil.imag
 python-pil - Python Imaging Library (Pillow fork)
 python-pil-dbg - Python Imaging Library (debug extension)
 python-pil-doc - Examples for the Python Imaging Library
 python-pil.imagetk - Python Imaging Library - ImageTk Module (Pillow fork)
 python-pil.imagetk-dbg - Python Imaging Library - ImageTk Module (debug extension)
 python-sane - Python Imaging Library - SANE interface (Pillow fork)
 python-sane-dbg - Python Imaging Library - SANE interface (debug extension)
 python3-pil - Python Imaging Library (Python3)
 python3-pil-dbg - Python Imaging Library (Python3 debug extension)
 python3-pil.imagetk - Python Imaging Library - ImageTk Module (Python3)
 python3-pil.imagetk-dbg - Python Imaging Library - ImageTk Module (Python3 debug extension)
 python3-sane - Python Imaging Library - SANE interface (Python3)
 python3-sane-dbg - Python Imaging Library - SANE interface (Python3 debug extension)
Closes: 776303 776483
Changes:
 pillow (2.6.1-2) unstable; urgency=medium
 .
   * Fix potential PNG decompression DOS. Closes: #776303. CVE-2014-9601.
   * Add a python-imaging-tk transitional package. Closes: #776483.
Checksums-Sha1:
 4bb542a2afe7cda9168d566fb948c1c876ecac69 2965 pillow_2.6.1-2.dsc
 386fb4b88a7ffaa0d690a46f1069183767d4f66a 15824 pillow_2.6.1-2.debian.tar.xz
 6d32cf5406a7fe54b6e6bf573e3ddc259ce932ed 7986 python-imaging-tk_2.6.1-2_all.deb
 f22134d765fa6d55edb0265a4c8bbcb7ce22100b 19400 python-pil-doc_2.6.1-2_all.deb
 7e4f2cab1915ba001cbf1b3b4cc5f9d6dd5ed379 9614 python-imaging_2.6.1-2_all.deb
 35742480d247d057b472068e949474f69efb8a46 304416 python-pil_2.6.1-2_amd64.deb
 c891c6a22c2aad71130b6b9bb42d476dd5a4e8d9 436556 python-pil-dbg_2.6.1-2_amd64.deb
 03015285309b5dc45736252e755a39e71137cf47 13620 python-pil.imagetk_2.6.1-2_amd64.deb
 4cad8d242b1b1d318a3609a4365b6a47b50522a8 13054 python-pil.imagetk-dbg_2.6.1-2_amd64.deb
 60e66f8232bd46438950eb5212d3e80fad967c57 24828 python-sane_2.6.1-2_amd64.deb
 37b57f3bc60eea30d6923f9cd9cc538d4b7654a4 29856 python-sane-dbg_2.6.1-2_amd64.deb
 d285cb5b0f818afc9589ee25a8555c769309f825 305040 python3-pil_2.6.1-2_amd64.deb
 2deedc1f1338a445d8374732159548b5f082342c 443234 python3-pil-dbg_2.6.1-2_amd64.deb
 cf1fb9870904e8d9fe581f021b430e19dbdc29cc 13718 python3-pil.imagetk_2.6.1-2_amd64.deb
 f7307d9090c24cddb2ef5a1c7c83ec29cfc3497f 12978 python3-pil.imagetk-dbg_2.6.1-2_amd64.deb
 ecc046c0d929be22c657a06b0fa56577304614c1 20572 python3-sane_2.6.1-2_amd64.deb
 d5486924bbe7ef0ef41a10ddd59f9e839cf6b783 30924 python3-sane-dbg_2.6.1-2_amd64.deb
Checksums-Sha256:
 b73aa0ae1fb4ba7ab84eb308640b007ee4bcf87c43df68db344043233cede643 2965 pillow_2.6.1-2.dsc
 d60f44ec82e30fe2776194e7ebfb1eb4fd1a175b2027e3272d7cd0971519e74d 15824 pillow_2.6.1-2.debian.tar.xz
 b4c11714300aaac27de2a2d3a9cdf0ac1fd3e2adf385eec6a00a72becf56e49b 7986 python-imaging-tk_2.6.1-2_all.deb
 bdd62d9d654ae2ea9337febe5b7d3cadb1360b8ff9109d7c351266582b9e229d 19400 python-pil-doc_2.6.1-2_all.deb
 85c3a02cb90fc55ccecc61afd0e3c0cf51a21d6118d19ddbc0d1585c0a809d27 9614 python-imaging_2.6.1-2_all.deb
 c9822536ede7651e841c02d6424956f9b59ce83cadbafa4b3d68932bede01274 304416 python-pil_2.6.1-2_amd64.deb
 e4eb58cba02ce8886f0d11e94ae0c80b37013ebeb62c195af09da3f4b16fc4c8 436556 python-pil-dbg_2.6.1-2_amd64.deb
 85a60620e0eec1ee075262221f17003d358b6bbf0b8fdf4c5adf1cc741cf5650 13620 python-pil.imagetk_2.6.1-2_amd64.deb
 9ab13a2795434e173ada4a957bf0b5f7746f7311f8d963033c6f502c2ae8513c 13054 python-pil.imagetk-dbg_2.6.1-2_amd64.deb
 7d5c6cc3002df500cd4c74957cf0d37f1cdc3c767a7ab7b52a8439feea580aa8 24828 python-sane_2.6.1-2_amd64.deb
 6a3c416a025b14c48c7dc0a530ea83c692729c8fd51962f59aea1bb965218bc6 29856 python-sane-dbg_2.6.1-2_amd64.deb
 8bfc38c1433fd9ba81c680cbb29a3b684bcbcca811c7b1407b6cada44427634e 305040 python3-pil_2.6.1-2_amd64.deb
 8e11a88193d481193bcfd1ec512d51a66023171914acff8e99723da5824a810c 443234 python3-pil-dbg_2.6.1-2_amd64.deb
 9543244dc49d97c9fd8322f0e4b91cbc54b47e06d98c5ce27c7b5c161d2e555a 13718 python3-pil.imagetk_2.6.1-2_amd64.deb
 e5a90d23940053f9f0477894b0575eecc8f8c1896b956d5be3e45344fc5b6093 12978 python3-pil.imagetk-dbg_2.6.1-2_amd64.deb
 3f5635c515ce9ab97e52199c52f35aad51c8911b43a92a1200b7c4c4321da1d9 20572 python3-sane_2.6.1-2_amd64.deb
 81021477b400c9812194b41fd5fccc618113cc015c1d1d91f6456cf8a30344dc 30924 python3-sane-dbg_2.6.1-2_amd64.deb
Files:
 99ee1a978594ab910832fa956907eb76 2965 python optional pillow_2.6.1-2.dsc
 4263402e140af44d0cb2c83bc99ff7e7 15824 python optional pillow_2.6.1-2.debian.tar.xz
 d10d2f51d72ac087f747edc025310a73 7986 python optional python-imaging-tk_2.6.1-2_all.deb
 2d9c08b8b501e2a22a685f2e173239c1 19400 doc optional python-pil-doc_2.6.1-2_all.deb
 5eebc05eba3dfb78112193d4d17114ef 9614 python optional python-imaging_2.6.1-2_all.deb
 38131f063c0c1593dd1787d54856703d 304416 python optional python-pil_2.6.1-2_amd64.deb
 41ab356239ad6f84dffec09fca8fb7d6 436556 debug extra python-pil-dbg_2.6.1-2_amd64.deb
 423cd0dd8c78a8673dc0b7ef27821779 13620 python optional python-pil.imagetk_2.6.1-2_amd64.deb
 dec70048beeda6192870fffa785aeee9 13054 debug extra python-pil.imagetk-dbg_2.6.1-2_amd64.deb
 81ebc0256d4560cc636b315e955ab2d6 24828 python optional python-sane_2.6.1-2_amd64.deb
 ade65c152da6874c10c5cd8d18c9fb41 29856 debug extra python-sane-dbg_2.6.1-2_amd64.deb
 d309296c2ea52449a20bc8c6dcd2bd26 305040 python optional python3-pil_2.6.1-2_amd64.deb
 14d57f6397f44ec77d6296167867d07f 443234 debug extra python3-pil-dbg_2.6.1-2_amd64.deb
 29afffe98712efb4a623ebd385ce72ca 13718 python optional python3-pil.imagetk_2.6.1-2_amd64.deb
 0844060e8e9364e82e0804e6cfba589b 12978 debug extra python3-pil.imagetk-dbg_2.6.1-2_amd64.deb
 f7eaa876a24c3e4bde073e64bd6bcc87 20572 python optional python3-sane_2.6.1-2_amd64.deb
 eaa0c2c8bc606e5d93a67ae9ead57b08 30924 debug extra python3-sane-dbg_2.6.1-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:26:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:58:06 2019; Machine Name: buxtehude
