CVE-2016-9190 Remote code execution through crafted file in pillow < 3.3.2

Bug #1655510 reported by Wicher
Affects          Status   Importance   Assigned to   Milestone
pillow (Ubuntu)  New      Undecided    Unassigned

Bug Description

See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9190 for details.

I could not find signs of any backport of a fix in the changelog, currently at 3.1.2-0ubuntu1:
https://launchpad.net/ubuntu/xenial/+source/pillow/+changelog

This particular vuln is fixed in pillow 3.3.2; however, there are a bunch of other CVEs filed against pillow < 3.4.x, see the bottom of this report.

IIUC there are two strategies available for creating an update through the security releases channel: 1) backporting the specific fixes, or 2) simply bumping the package to a version in which these vulnerabilities are fixed.

For strategy 2 (probably the cheapest one in terms of effort), I had a look at the Pillow changelog to see whether there are any backwards incompatible API changes which would prevent a simple bump. It appears there are:

Backwards incompatible API changes:
https://pillow.readthedocs.io/en/latest/releasenotes/3.3.0.html#image-metadata
https://pillow.readthedocs.io/en/latest/releasenotes/3.4.0.html#image-core-open-ppm-removed

The latter might not be much of an issue, but the first one may break software that's counting on the pre-3.3.0 behaviour. Hope this helps!

CVE list (per the Gentoo Linux security advisory): https://archives.gentoo.org/gentoo-announce/message/23306519cb5f9b1a2e438b0797368308
