[Git][security-tracker-team/security-tracker][master] CVE-2026-42311/pillow: complete TODO introductory commit + bullseye not-affected

Thu, 21 May 2026 00:08:12 -0700 


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
32596a9f by Sylvain Beucler at 2026-05-21T09:07:55+02:00
CVE-2026-42311/pillow: complete TODO introductory commit + bullseye not-affected

Bisecting through 10.2.0..10.3.0, the segmentation fault in
test_bounds_crash_overflow is introduced with support for negative
layer co-ordinates.

Before that commit, Pillow just doesn't support the payload:
  FAILED Tests/test_file_psd.py::test_bounds_crash_overflow - 
PIL.UnidentifiedImageError: cannot identify image file 
'Tests/images/psd-oob-write-overflow.psd'

After there's a segfault:
  Tests/test_file_psd.py Fatal Python error: Segmentation fault

  Current thread 0x00007f4079105040 (most recent call first):
    File 
"/root/.virtualenvs/pillow/lib/python3.11/site-packages/PIL/ImageFile.py", line 
291 in load
    File "/usr/src/triage/Pillow/Tests/test_file_psd.py", line 181 in 
test_bounds_crash_overflow
    ...
  Erreur de segmentation

Test command:
  make clean && make install && \cp -a ../test_file_psd.py Tests/ && \cp -a 
../psd-oob-write* Tests/images/ && pytest Tests/test_file_psd.py -k 
test_bounds_crash_overflow

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -6331,10 +6331,11 @@ CVE-2026-42339 (New API is a large language mode (LLM) 
gateway and artificial in
        NOT-FOR-US: New API
 CVE-2026-42311 (Pillow is a Python imaging library. From version 10.3.0 to 
before vers ...)
        - pillow 12.2.0-1
+       [bullseye] - pillow <not-affected> (Vulnerable code introduced later)
        NOTE: 
https://github.com/python-pillow/Pillow/security/advisories/GHSA-pwv6-vv43-88gr
        NOTE: https://github.com/python-pillow/Pillow/pull/9520
        NOTE: Fixed by (merge) 
https://github.com/python-pillow/Pillow/commit/58f9a1d166dcb0c274807d4423522d205b0c35ea
 (12.2.0)
-       TODO: check, identify commit in 10.3.0 introducing the issue
+       NOTE: Introduced by: 
https://github.com/python-pillow/Pillow/commit/c2907dc04967109391a77eea00f7d583a0a0395f
 (10.3.0)
 CVE-2026-42310 (Pillow is a Python imaging library. From version 4.2.0 to 
before versi ...)
        - pillow 12.2.0-1
        NOTE: 
https://github.com/python-pillow/Pillow/security/advisories/GHSA-r73j-pqj5-w3x7



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32596a9f545ad4ccfb10a0beff3a2bb79105944a

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32596a9f545ad4ccfb10a0beff3a2bb79105944a
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to