pillow: CVE-2021-34552 - buffer overflow in Convert.c

Related Vulnerabilities: CVE-2021-34552  

Debian Bug report logs - #991293


Reported by: Neil Williams <codehelp@debian.org>

Date: Tue, 20 Jul 2021 05:39:01 UTC

Severity: grave

Tags: security

Found in version pillow/8.1.2+dfsg-0.2

Fixed in version pillow/8.1.2+dfsg-0.3

Done: Neil Williams <codehelp@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, codehelp@debian.org, team@security.debian.org, Matthias Klose <doko@debian.org>:
Bug#991293; Package src:pillow. (Tue, 20 Jul 2021 05:39:03 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
New Bug report received and forwarded. Copy sent to codehelp@debian.org, team@security.debian.org, Matthias Klose <doko@debian.org>. (Tue, 20 Jul 2021 05:39:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pillow: CVE-2021-34552 - buffer overflow in Convert.c
Date: Tue, 20 Jul 2021 06:36:44 +0100
Source: pillow
Version: 8.1.2+dfsg-0.2
Severity: grave
Tags: security
Justification: user security hole

https://security-tracker.debian.org/tracker/CVE-2021-34552

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to
pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.

This has been fixed upstream in version 8.3. The upstream fix can be
backported to 8.1 in unstable.

This is a tracking bug to ease migration of pillow into bullseye. 

I have an upload ready for unstable.

--

Neil Williams



Added tag(s) pending. Request was from Neil Williams <codehelp@debian.org> to control@bugs.debian.org. (Tue, 20 Jul 2021 05:45:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#991293; Package src:pillow. (Tue, 20 Jul 2021 05:57:02 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Tue, 20 Jul 2021 05:57:02 GMT)


Message #12 received at 991293@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: 991293@bugs.debian.org
Subject: Re: pillow: CVE-2021-34552 - buffer overflow in Convert.c
Date: Tue, 20 Jul 2021 06:52:52 +0100
On Tue, 20 Jul 2021 06:36:44 +0100 Neil Williams <codehelp@debian.org> wrote:
> This has been fixed upstream in version 8.3. The upstream fix can be
> backported to 8.1 in unstable.
> 
> This is a tracking bug to ease migration of pillow into bullseye. 
> 
> I have an upload ready for unstable.

Attaching the debdiff for this fix ahead of upload to unstable.


-- 
Neil Williams
=============
https://linux.codehelp.co.uk/
[991293.patch (text/x-patch, attachment)]

Reply sent to Neil Williams <codehelp@debian.org>:
You have taken responsibility. (Tue, 20 Jul 2021 06:21:03 GMT)


Notification sent to Neil Williams <codehelp@debian.org>:
Bug acknowledged by developer. (Tue, 20 Jul 2021 06:21:03 GMT)


Message #17 received at 991293-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 991293-close@bugs.debian.org
Subject: Bug#991293: fixed in pillow 8.1.2+dfsg-0.3
Date: Tue, 20 Jul 2021 06:18:33 +0000
Source: pillow
Source-Version: 8.1.2+dfsg-0.3
Done: Neil Williams <codehelp@debian.org>

We believe that the bug you reported is fixed in the latest version of
pillow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991293@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Neil Williams <codehelp@debian.org> (supplier of updated pillow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Jul 2021 06:42:31 +0100
Source: pillow
Architecture: source
Version: 8.1.2+dfsg-0.3
Distribution: unstable
Urgency: high
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Neil Williams <codehelp@debian.org>
Closes: 991293
Changes:
 pillow (8.1.2+dfsg-0.3) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix "CVE-2021-34552 - buffer overflow in Convert.c. Replace sprintf with
     snprintf. Backport upstream change from 8.3 to 8.1. (Closes: #991293)
Checksums-Sha1:
 8376f696bb44666aa893c3c8ac0616bdf977e957 2440 pillow_8.1.2+dfsg-0.3.dsc
 f52ad94d4cdf4a061e94e40f56614ecccbcc8a57 21972 pillow_8.1.2+dfsg-0.3.debian.tar.xz
 10810fb51a53862e4287a821aaeccfa28925e5df 12625 pillow_8.1.2+dfsg-0.3_amd64.buildinfo
Checksums-Sha256:
 eef001db37bb4aa3dfe3ac94cd0b7eeca99adcfd6034ff48da45b42ecebeeeda 2440 pillow_8.1.2+dfsg-0.3.dsc
 685245e185a47f3c2bdd77419ae486110fbb8698641437c8e630b25a44c4a1af 21972 pillow_8.1.2+dfsg-0.3.debian.tar.xz
 969f94c11d29836b4f1bb4963fc3f61b5fef19dd5903c0551b662b154e8abab9 12625 pillow_8.1.2+dfsg-0.3_amd64.buildinfo
Files:
 1be8dd9de29fd59a97e9e27722eed238 2440 python optional pillow_8.1.2+dfsg-0.3.dsc
 7139b3d948f06ecd4b93a039c3dbc931 21972 python optional pillow_8.1.2+dfsg-0.3.debian.tar.xz
 0fe00441ca6af2b5eaef0b9a6fc9774f 12625 python optional pillow_8.1.2+dfsg-0.3_amd64.buildinfo

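The bug report above describes the flaw only as caller-controlled parameters reaching a convert function and overflowing a buffer in Convert.c, and the changelog records the fix as replacing sprintf with snprintf (the upstream 8.3 change backported to 8.1). The following is an added example, not Pillow's code or the Debian patch: it reconstructs the general shape of that bug, a fixed-size message buffer filled by an unbounded sprintf of attacker-chosen mode strings, next to the bounded form. The message text, the 100-byte buffer, the 16-character mode cap and the 300-byte sample input are assumptions made for illustration; the page documents only the sprintf to snprintf replacement.

```c
/*
 * Added example (not Pillow's own code): the unbounded-sprintf pattern behind
 * CVE-2021-34552 and the bounded snprintf form the fix switches to. The message
 * text, MSG_BUF and the mode-length cap are assumptions for illustration; the
 * only documented fact is that sprintf was replaced with snprintf in Convert.c.
 */
#include <stdio.h>
#include <string.h>

#define MSG_BUF 100                                   /* assumed buffer size */
#define FMT "conversion from %s to %s not supported"  /* assumed message text */

/* Assumed vulnerable shape: a fixed buffer filled by sprintf with two
 * caller-controlled mode strings, so a long mode writes past the end.
 * This helper does NOT perform the write; it computes how many bytes sprintf
 * would have written and reports whether that exceeds the buffer, so it is
 * safe to call with hostile input. */
int sprintf_would_overflow(size_t bufsz, const char *from, const char *to)
{
    int needed = snprintf(NULL, 0, FMT, from, to);  /* length excluding NUL */
    if (needed < 0)
        return 1;                                    /* encoding error: treat as unsafe */
    return (size_t)needed + 1 > bufsz;
}

/* Hardened form: snprintf writes at most bufsz bytes and NUL-terminates
 * whenever bufsz > 0. It returns the length the full message would have
 * needed, which lets the caller detect truncation instead of corruption. */
int format_unsupported(char *buf, size_t bufsz, const char *from, const char *to)
{
    return snprintf(buf, bufsz, FMT, from, to);
}

/* Defence in depth: reject implausible mode strings before any formatting.
 * Image modes are short printable ASCII tokens; 16 is an assumed generous cap. */
int mode_is_plausible(const char *mode)
{
    size_t n = strlen(mode);
    if (n == 0 || n > 16)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)mode[i];
        if (c < 0x20 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Constructed attacker-style input: a 300-byte "mode" string. Returns 1 when
 * the unbounded pattern would have overflowed while the bounded form stayed
 * inside the buffer, NUL-terminated it and reported the truncation. */
int demo_long_mode(void)
{
    char mode[301];
    memset(mode, 'A', 300);
    mode[300] = '\0';

    char buf[MSG_BUF];
    int n = format_unsupported(buf, sizeof buf, mode, "L");

    return sprintf_would_overflow(MSG_BUF, mode, "L")   /* sprintf: overflow */
        && n >= (int)sizeof buf                          /* truncation reported */
        && strlen(buf) == sizeof buf - 1                 /* write stayed bounded */
        && !mode_is_plausible(mode);                     /* would be rejected up front */
}

int main(void)
{
    printf("RGB->L overflows a %d-byte buffer with sprintf? %d\n",
           MSG_BUF, sprintf_would_overflow(MSG_BUF, "RGB", "L"));
    printf("300-byte mode handled safely by snprintf? %d\n", demo_long_mode());
    return 0;
}
```

The practical check a reviewer wants from a sprintf-to-snprintf backport is the one demo_long_mode encodes: the bounded call must still NUL-terminate the buffer, and the return value (the length the message needed, not the length written) should be inspected so truncated error text is not silently passed on.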






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jul 20 16:16:42 2021; Machine Name: buxtehude
