[Bug 214412] graphics/py-pillow: Multiple vulnerabilities (CVE-2016-9189, CVE-2016-9190)
bugzilla-noreply at freebsd.org
Thu Nov 10 22:45:45 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214412
Bug ID: 214412
Summary: graphics/py-pillow: Multiple vulnerabilities (CVE-2016-9189, CVE-2016-9190)
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html
OS: Any
Status: New
Keywords: needs-patch, security
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: koobs at FreeBSD.org
Reporter: vlad-fbsd at acheronmedia.com
CC: ports-secteam at FreeBSD.org, python at FreeBSD.org
Flags: maintainer-feedback?(koobs at FreeBSD.org)
* http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html
Pillow prior to 3.3.2 may experience integer overflow errors in map.c when
reading specially crafted image files. This may lead to memory disclosure or
corruption.
Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for negative image
sizes in ImagingNew in Storage.c. A negative image size can lead to a smaller
allocation than expected, leading to arbitrary writes.
--
You are receiving this mail because:
You are on the CC list for the bug.
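
Added example, not part of the bug report and not Pillow's code: a size computation for an image buffer that rejects negative dimensions and multiplication overflow before anything is allocated, next to the unchecked 32-bit arithmetic it replaces. The function names, the 32-bit model of the unchecked path and the sample dimensions are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: byte size of an xsize * ysize image with pixelsize
 * bytes per pixel. Returns 0 and stores the size in *out, or -1 if the
 * request must be rejected. */
int checked_image_bytes(int xsize, int ysize, int pixelsize, size_t *out)
{
    /* Negative dimensions are rejected before any arithmetic uses them. */
    if (xsize < 0 || ysize < 0 || pixelsize <= 0)
        return -1;
    /* The row size xsize * pixelsize must fit in an int. */
    if (xsize > INT_MAX / pixelsize)
        return -1;
    size_t linesize = (size_t)xsize * (size_t)pixelsize;
    /* The total ysize * linesize must fit in size_t. */
    if (linesize != 0 && (size_t)ysize > SIZE_MAX / linesize)
        return -1;
    *out = linesize * (size_t)ysize;
    return 0;
}

/* For contrast: the same product in plain 32-bit arithmetic with no checks.
 * Unsigned math is used so the wraparound is well defined in C. */
uint32_t unchecked_image_bytes(int32_t xsize, int32_t ysize, int32_t pixelsize)
{
    return (uint32_t)xsize * (uint32_t)ysize * (uint32_t)pixelsize;
}

int main(void)
{
    size_t n = 0;
    /* Constructed sample dimensions. */
    printf("unchecked 0x40000001 x 1 x 4 -> %u bytes\n",
           (unsigned)unchecked_image_bytes(0x40000001, 1, 4));
    printf("checked   0x40000001 x 1 x 4 -> %d\n",
           checked_image_bytes(0x40000001, 1, 4, &n));
    printf("checked   -1 x 1 x 4         -> %d\n",
           checked_image_bytes(-1, 1, 4, &n));
    if (checked_image_bytes(640, 480, 4, &n) == 0)
        printf("checked   640 x 480 x 4      -> %zu bytes\n", n);
    return 0;
}
```

The unchecked path returns a 4-byte size for a row of over a billion pixels, which is the "smaller allocation than expected" condition the report describes; the checked path refuses the same request.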