Bug 1934680 (CVE-2021-25289) - CVE-2021-25289 python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-25289
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1934681 1934682 1934683 1934684 1935584 1939585
Blocks:
 
Reported: 2021-03-03 16:46 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-05-17 10:46 UTC
CC List: 11 users

Fixed In Version: python-pillow 8.1.1
Clone Of:
Environment:
Last Closed: 2021-10-19 14:08:46 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3917 0 None None None 2021-10-19 12:10:56 UTC

Description Guilherme de Almeida Suckevicz 2021-03-03 16:46:37 UTC
The previous fix for CVE-2020-35654 was insufficient due to incorrect error checking in TiffDecode.c.

Reference:
https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Comment 1 Guilherme de Almeida Suckevicz 2021-03-03 16:47:23 UTC
Created mingw-python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1934683]


Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1934681]


Created python2-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1934682]


Created python3-pillow tracking bugs for this issue:

Affects: epel-7 [bug 1934684]

Comment 3 Jason Shepherd 2021-03-08 03:01:16 UTC
Mitigation:

Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.

Comment 5 Riccardo Schirone 2021-03-16 15:57:19 UTC
Upstream patch seems to be:
https://github.com/python-pillow/Pillow/commit/3fee28eb9479bf7d59e0fa08068f9cc4a6e2f04c

Comment 6 Riccardo Schirone 2021-03-16 16:01:58 UTC
Statement:

python-pillow as shipped with Red Hat Enterprise Linux 7 and 8 is not affected by this flaw, as the flaw was introduced in a newer version than the one shipped.

Comment 8 errata-xmlrpc 2021-10-19 12:10:54 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917

Comment 9 Product Security DevOps Team 2021-10-19 14:08:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-25289

