[Bug 2087609] New: CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file - Epel-packagers-sig - Fedora Mailing-Lists

2024

2023

2022

2021

[Bug 2087609] New: CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file

[Bug 2102943] CVE-2022-2274...

[Bug 2102943] CVE-2022-2274...

bugzilla＠redhat.com

Wednesday, 18 May 2022 Wed, 18 May '22

12:50 a.m.

https://bugzilla.redhat.com/show_bug.cgi?id=2087609 Bug ID: 2087609 Summary: CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: saroy(a)redhat.com CC: epel-packagers-sig(a)lists.fedoraproject.org, infra-sig(a)lists.fedoraproject.org, manisandro(a)gmail.com, miminar(a)redhat.com, python-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Other "CVE-2022-30595: When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. This vulnerability was introduced in Pillow 9.1.0, and can cause a heap buffer overflow." Introduced in 9.1.0, so only unstable is affected. Please bump to 9.1.1. https://bugs.gentoo.org/845192 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087609

Reply

Show replies by date

bugzilla＠redhat.com

Wednesday, 18 May Wed, 18 May

12:53 a.m.

New subject: [Bug 2087609] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file

https://bugzilla.redhat.com/show_bug.cgi?id=2087609 Sandipan Roy <saroy(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |2087614 Depends On| |2087613, 2087612, 2087611, | |2087610 Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2087610 [Bug 2087610] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file [fedora-35] https://bugzilla.redhat.com/show_bug.cgi?id=2087611 [Bug 2087611] CVE-2022-30595 mingw-python-pillow: python-pillow: heap buffer overflow in crafted TGA file [fedora-34] https://bugzilla.redhat.com/show_bug.cgi?id=2087612 [Bug 2087612] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file [fedora-34] https://bugzilla.redhat.com/show_bug.cgi?id=2087613 [Bug 2087613] CVE-2022-30595 mingw-python-pillow: python-pillow: heap buffer overflow in crafted TGA file [fedora-35] -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087609

Reply

bugzilla＠redhat.com

12:53 a.m.

New subject: [Bug 2087609] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file

https://bugzilla.redhat.com/show_bug.cgi?id=2087609 --- Comment #1 from Sandipan Roy <saroy(a)redhat.com> --- Created mingw-python-pillow tracking bugs for this issue: Affects: fedora-34 [bug 2087611] Affects: fedora-35 [bug 2087613] Created python-pillow tracking bugs for this issue: Affects: fedora-34 [bug 2087612] Affects: fedora-35 [bug 2087610] -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087609

Reply

bugzilla＠redhat.com

Friday, 20 May Fri, 20 May

5:12 p.m.

New subject: [Bug 2087609] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file

https://bugzilla.redhat.com/show_bug.cgi?id=2087609 Bug 2087609 depends on bug 2087613, which changed state. Bug 2087613 Summary: CVE-2022-30595 mingw-python-pillow: python-pillow: heap buffer overflow in crafted TGA file [fedora-35] https://bugzilla.redhat.com/show_bug.cgi?id=2087613 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |RAWHIDE -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087609

Reply

bugzilla＠redhat.com

5:12 p.m.

New subject: [Bug 2087609] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file

https://bugzilla.redhat.com/show_bug.cgi?id=2087609 Bug 2087609 depends on bug 2087612, which changed state. Bug 2087612 Summary: CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file [fedora-34] https://bugzilla.redhat.com/show_bug.cgi?id=2087612 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |RAWHIDE -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087609

Reply

bugzilla＠redhat.com

5:12 p.m.

New subject: [Bug 2087609] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file

https://bugzilla.redhat.com/show_bug.cgi?id=2087609 Bug 2087609 depends on bug 2087611, which changed state. Bug 2087611 Summary: CVE-2022-30595 mingw-python-pillow: python-pillow: heap buffer overflow in crafted TGA file [fedora-34] https://bugzilla.redhat.com/show_bug.cgi?id=2087611 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |RAWHIDE -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087609

Reply

bugzilla＠redhat.com

5:12 p.m.

New subject: [Bug 2087609] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file

https://bugzilla.redhat.com/show_bug.cgi?id=2087609 Bug 2087609 depends on bug 2087610, which changed state. Bug 2087610 Summary: CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file [fedora-35] https://bugzilla.redhat.com/show_bug.cgi?id=2087610 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |RAWHIDE -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087609

Reply

bugzilla＠redhat.com

Monday, 13 June Mon, 13 Jun

6:50 a.m.

New subject: [Bug 2087609] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file

https://bugzilla.redhat.com/show_bug.cgi?id=2087609 --- Comment #3 from Product Security DevOps Team <prodsec-dev(a)redhat.com> --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-30595 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087609

Reply

bugzilla＠redhat.com

6:50 a.m.

New subject: [Bug 2087609] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file

https://bugzilla.redhat.com/show_bug.cgi?id=2087609 Product Security DevOps Team <prodsec-dev(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |NOTABUG Status|NEW |CLOSED Last Closed| |2022-06-13 11:50:04 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087609

Reply

bugzilla＠redhat.com

Thursday, 30 June Thu, 30 Jun

10:57 p.m.

New subject: [Bug 2087609] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file

https://bugzilla.redhat.com/show_bug.cgi?id=2087609 --- Doc Text *updated* by Sandipan Roy <saroy(a)redhat.com> --- A heap buffer overflow vulnerability was found in python-pillow. This security vulnerability occurs when reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087609

Reply

bugzilla＠redhat.com

10:57 p.m.

New subject: [Bug 2087609] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file

https://bugzilla.redhat.com/show_bug.cgi?id=2087609 Sandipan Roy <saroy(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |python-pillow 9.1.1 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087609

Reply

bugzilla＠redhat.com

Friday, 1 July Fri, 1 Jul

6:36 a.m.

New subject: [Bug 2087609] CVE-2022-30595 python-pillow: heap buffer overflow in crafted TGA file

https://bugzilla.redhat.com/show_bug.cgi?id=2087609 --- Doc Text *updated* by RaTasha Tillery-Smith <rtillery(a)redhat.com> --- A heap buffer overflow vulnerability was found in python-pillow. This security vulnerability occurs when reading a TGA file with RLE packets that cross scan lines, where pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087609

Reply

696

days inactive

740

days old

epel-packagers-sig@lists.fedoraproject.org

Manage subscription

11 comments

1 participants

tags (0)

participants (1)

bugzilla＠redhat.com