Bug#948224: pillow: CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313

2020-02-13 Thread Robert Scott
FWIW I'm fairly convinced that the first vulnerable version for CVE-2020-5310
is 6.0.0, which is the first release that included
https://github.com/python-pillow/Pillow/commit/e91b851fdc1c914419543f485bdbaa010790719f
which introduced the overflow when switching away from the safer TIFFTileSize
& TIFFStripSize in the critical lines.

So you can probably mark 5.4.1 as safe for CVE-2020-5310


robert.



Bug#948224: pillow: CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313

2020-01-05 Thread Salvatore Bonaccorso
Control: found -1 6.2.1-2
Control: retitle pillow: CVE-2019-19911 CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313

Hi,

On Sun, Jan 05, 2020 at 04:30:36PM +0100, Markus Koschany wrote:
> The following vulnerabilities were published for pillow. It appears they
> are fixed in version 6.2.2.

Additionally there is CVE-2019-19911, fixed by
https://github.com/python-pillow/Pillow/commit/774e53bb132461d8d5ebefec1162e29ec0ebc63d
and also addressed in 6.2.2. Thus tracking it here with the same bug.

Regards,
Salvatore



Bug#948224: pillow: CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313

2020-01-05 Thread Markus Koschany
Package: pillow
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for pillow. It appears they
are fixed in version 6.2.2.

CVE-2020-5310[0]:
| libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding
| integer overflow, related to realloc.


CVE-2020-5311[1]:
| libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer
| overflow.


CVE-2020-5312[2]:
| libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer
| overflow.


CVE-2020-5313[3]:
| libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer
| overflow.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5310
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5310
[1] https://security-tracker.debian.org/tracker/CVE-2020-5311
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5311
[2] https://security-tracker.debian.org/tracker/CVE-2020-5312
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5312
[3] https://security-tracker.debian.org/tracker/CVE-2020-5313
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5313

Please adjust the affected versions in the BTS as needed.

Regards,

Markus


