Ubuntu
pillow package

PNG loading degraded

Bug #1628351 reported by Florian Wesch
32
This bug affects 4 people
Affects Status Importance Assigned to Milestone
pillow (Ubuntu)
Fix Released
Critical
Emily Ratliff

Bug Description

PNG loading fails for some/all(?) PNG files with the error message 'IOError: cannot identify image file'

The reason for that seems to be that there's a new check like this in a few chunk handlers:

  self.check_text_memory(len(v))

At this point, len is already used an a number value passed in as parameter (see PngImagePlugin.py:311 in chunk_tEXt) so the builtin function len gets shadowed. The call therefore results in a TypeError:

  TypeError: 'int' object is not callable

Package version is
   python-imaging 2.3.0-1ubuntu3.2 on Ubuntu Trusty Tahr.

Tags: patch

CVE References

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pillow (Ubuntu):
status: New → Confirmed
Revision history for this message
Stephen Early (steve-greenend) wrote :

Confirmed: python-pil 2.3.0-1ubuntu3 works as expected, and python-pil 2.3.0-1ubuntu3.2 fails.

Revision history for this message
Aaron Griffith (agrif) wrote :

This bug appears to have been introduced with `pillow-CVE-2014-9601.patch` as part of `2.3.0-1ubuntu3.2`.

This patch was sourced (at least partially) from this Pillow commit:

    https://github.com/python-pillow/Pillow/commit/0b75526ffe41a4697231beb8b5740617c98f290b

However, this commit occurs after an earlier commit that changes all instances of `len` to `length`, to prevent shadowing:

    https://github.com/python-pillow/Pillow/commit/d594c0241aabeda6725fefc44ccc7f945c0464c9

As such, it crashes whenever you try to read any PNG with a text chunk. Since this is specifically the use-case the CVE patch was designed for, I find it surprising that apparently nobody tested it.

I have created and attached a patch for `2.3.0-1ubuntu3.2` that works on the PNG's I've tried. Instead of renaming all instances of `len`, it just does the minimal changes needed to get this to work. It's up to you guys whether you'd rather follow upstream or not, but please fix this fast, because this is a pretty serious bug.

Emily Ratliff (emilyr)
Changed in pillow (Ubuntu):
assignee: nobody → Emily Ratliff (emilyr)
importance: Undecided → Critical
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "fix for text chunk loading" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Emily Ratliff (emilyr) wrote :

 2.3.0-1ubuntu3.3 was released to address this issue.

Changed in pillow (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.