[ubuntu/groovy-proposed] pillow 7.0.0-4ubuntu1 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Tue Jul 7 18:11:16 UTC 2020
pillow (7.0.0-4ubuntu1) groovy; urgency=medium
* SECURITY UPDATE: multiple out of bounds reads
- debian/patches/CVE-2020-10177-1.patch: fix issue in
src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-2.patch: refactor to macro in
src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-3.patch: fix OOB Reads in SS2 Chunk in
src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-4.patch: fix OOB in LC packet in
src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-5.patch: fix OOB Advance Values in
src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-6.patch: fix OOB Read in FLI Copy Chunk
in src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-7.patch: fix comments in
src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-8.patch: additional FLI check in
src/libImaging/FliDecode.c.
- CVE-2020-10177
* SECURITY UPDATE: out of bounds read with PCX files
- debian/patches/CVE-2020-10378.patch: fix OOB Access in
src/libImaging/PcxDecode.c.
- CVE-2020-10378
* SECURITY UPDATE: two buffer overflows
- debian/patches/CVE-2020-10379-1.patch: ensure that Tiff's concept of
Strip and Tilesize matches Pillow's in src/libImaging/TiffDecode.c.
- debian/patches/CVE-2020-10379-2.patch: avoid uninitialized read in
src/libImaging/TiffDecode.c.
- debian/patches/CVE-2020-10379-3.patch: fix typos in
src/libImaging/TiffDecode.c.
- CVE-2020-10379
* SECURITY UPDATE: out-of-bounds read via JP2 file
- debian/patches/CVE-2020-10994-1.patch: fix for OOB Read in
src/libImaging/Jpeg2KDecode.c.
- debian/patches/CVE-2020-10994-2.patch: fix typo in
src/libImaging/Jpeg2KDecode.c.
- CVE-2020-10994
* SECURITY UPDATE: out-of-bounds read via SGI file
- debian/patches/CVE-2020-11538.patch: track number of pixels, not the
number of runs in src/libImaging/SgiRleDecode.c.
- CVE-2020-11538
Date: Tue, 07 Jul 2020 13:14:10 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/pillow/7.0.0-4ubuntu1
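A practitioner reading this announcement wants one check: is the Pillow package on a given groovy host at or above 7.0.0-4ubuntu1? Note that the fixes are distribution patches, so `PIL.__version__` still reports 7.0.0 after the update; only the dpkg package version tells you whether the CVE patches are present. The example below is added here and is not code from the announcement, from Ubuntu or from the Pillow project. It ports dpkg's version-comparison algorithm (epoch, upstream version and Debian revision, with the alternating non-digit/digit scan and `~` sorting before everything) to Python and runs it over constructed `dpkg-query` output; the package names, versions and statuses in `SAMPLE_DPKG_QUERY` are made up for the example, and only the fixed version and the CVE list come from the page.

```python
"""Check whether installed Pillow packages carry the 7.0.0-4ubuntu1 fixes.

Added example, not from the announcement. The comparison routine is a port of
dpkg's verrevcmp()/version ordering rules (Debian Policy 5.6.12); the sample
inventory is constructed, not captured from a real host.
"""

# From the announcement above (groovy). CVE list kept for reporting only.
FIXED_VERSION = "7.0.0-4ubuntu1"
CVES = ["CVE-2020-10177", "CVE-2020-10378", "CVE-2020-10379",
        "CVE-2020-10994", "CVE-2020-11538"]

# Constructed sample of: dpkg-query -W -f='${Package} ${Version} ${Status}\n' ...
SAMPLE_DPKG_QUERY = """\
python3-pil 7.0.0-4 install ok installed
python3-pil.imagetk 7.0.0-4ubuntu1 install ok installed
python-pil-doc 7.0.0-4 deinstall ok config-files
"""


def _order(ch):
    """dpkg character weight: digits 0, letters by code point, '~' lowest,
    other punctuation above letters; end of string counts as 0."""
    if ch is None or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does: alternate between a
    non-digit run (compared char by char via _order) and a digit run
    (compared numerically, leading zeros ignored). Returns <0, 0 or >0."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i] if i < la else None)
            bc = _order(b[j] if j < lb else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():      # a has more digits: larger number
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:                      # no revision at all
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions would order a and b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub)
    if r == 0:
        r = _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_dpkg_query(output):
    """Map package name -> (version, status) from dpkg-query -W output."""
    inventory = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        inventory[parts[0]] = (parts[1], " ".join(parts[2:]))
    return inventory


def vulnerable_packages(inventory, fixed=FIXED_VERSION):
    """Installed packages whose version sorts below the fixed one.
    Packages that are only 'config-files' (removed) are not counted."""
    return sorted(name for name, (ver, status) in inventory.items()
                  if status.endswith("installed") and compare_versions(ver, fixed) < 0)


if __name__ == "__main__":
    for pkg in vulnerable_packages(parse_dpkg_query(SAMPLE_DPKG_QUERY)):
        print(f"{pkg}: older than {FIXED_VERSION}, still exposed to {', '.join(CVES)}")
```

On a live host, feed the real output of `dpkg-query -W -f='${Package} ${Version} ${Status}\n' python3-pil python3-pil.imagetk` into `parse_dpkg_query`; where dpkg is available, `dpkg --compare-versions` remains the authoritative comparison, and this port is for checking collected inventories offline. The fixed version is specific to the groovy upload in this announcement, so hosts on other releases need the version from their own release's update.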
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 07 Jul 2020 13:14:10 -0400
Source: pillow
Architecture: source
Version: 7.0.0-4ubuntu1
Distribution: groovy
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Changes:
pillow (7.0.0-4ubuntu1) groovy; urgency=medium
.
* SECURITY UPDATE: multiple out of bounds reads
- debian/patches/CVE-2020-10177-1.patch: fix issue in
src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-2.patch: refactor to macro in
src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-3.patch: fix OOB Reads in SS2 Chunk in
src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-4.patch: fix OOB in LC packet in
src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-5.patch: fix OOB Advance Values in
src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-6.patch: fix OOB Read in FLI Copy Chunk
in src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-7.patch: fix comments in
src/libImaging/FliDecode.c.
- debian/patches/CVE-2020-10177-8.patch: additional FLI check in
src/libImaging/FliDecode.c.
- CVE-2020-10177
* SECURITY UPDATE: out of bounds read with PCX files
- debian/patches/CVE-2020-10378.patch: fix OOB Access in
src/libImaging/PcxDecode.c.
- CVE-2020-10378
* SECURITY UPDATE: two buffer overflows
- debian/patches/CVE-2020-10379-1.patch: ensure that Tiff's concept of
Strip and Tilesize matches Pillow's in src/libImaging/TiffDecode.c.
- debian/patches/CVE-2020-10379-2.patch: avoid uninitialized read in
src/libImaging/TiffDecode.c.
- debian/patches/CVE-2020-10379-3.patch: fix typos in
src/libImaging/TiffDecode.c.
- CVE-2020-10379
* SECURITY UPDATE: out-of-bounds read via JP2 file
- debian/patches/CVE-2020-10994-1.patch: fix for OOB Read in
src/libImaging/Jpeg2KDecode.c.
- debian/patches/CVE-2020-10994-2.patch: fix typo in
src/libImaging/Jpeg2KDecode.c.
- CVE-2020-10994
* SECURITY UPDATE: out-of-bounds read via SGI file
- debian/patches/CVE-2020-11538.patch: track number of pixels, not the
number of runs in src/libImaging/SgiRleDecode.c.
- CVE-2020-11538
Checksums-Sha1:
26442cb692ae8ca4dad2d120fb7b8d7c7b36dc46 2480 pillow_7.0.0-4ubuntu1.dsc
82fac2797fcf2bf6b9012509f534af683ee8f053 20360 pillow_7.0.0-4ubuntu1.debian.tar.xz
264e9fd4b24b381306ed5b9ca10727d784fba340 11104 pillow_7.0.0-4ubuntu1_source.buildinfo
Checksums-Sha256:
3bd99f463efdd006203145cf30bd5695c55d043b2905abbb6d822f6c7538cd48 2480 pillow_7.0.0-4ubuntu1.dsc
7bae31b88a853825b85000a04d4d6d57da6109f40fe8633f3725032906db081d 20360 pillow_7.0.0-4ubuntu1.debian.tar.xz
2212668c8f70f418c0e68fd08fc900ff25f1e65da39314a6f8a15fe104ba8015 11104 pillow_7.0.0-4ubuntu1_source.buildinfo
Files:
6642ab76926b99106c0762d988ec5b9f 2480 python optional pillow_7.0.0-4ubuntu1.dsc
8ba33176b8e2ec91b92f0bb2c1c8caf3 20360 python optional pillow_7.0.0-4ubuntu1.debian.tar.xz
2eb6f29ae2a0e5fd77aefca74912554e 11104 python optional pillow_7.0.0-4ubuntu1_source.buildinfo
Original-Maintainer: Matthias Klose <doko at debian.org>
-----BEGIN PGP SIGNATURE-----
=1v6M
-----END PGP SIGNATURE-----