Your message dated Tue, 20 Jul 2021 06:18:33 +0000
with message-id <e1m5j5n-000elu...@fasolo.debian.org>
and subject line Bug#991293: fixed in pillow 8.1.2+dfsg-0.3
has caused the Debian Bug report #991293,
regarding pillow: CVE-2021-34552 - buffer overflow in Convert.c
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
991293: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991293
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pillow
Version: 8.1.2+dfsg-0.2
Severity: grave
Tags: security
Justification: user security hole
https://security-tracker.debian.org/tracker/CVE-2021-34552
Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow
an attacker to pass controlled parameters directly into a convert function to
trigger a buffer overflow in Convert.c.
This has been fixed upstream in version 8.3. The upstream fix can be
backported to 8.1 in unstable.
This is a tracking bug to ease migration of pillow into bullseye.
I have an upload ready for unstable.
--
Neil Williams
--- End Message ---
--- Begin Message ---
Source: pillow
Source-Version: 8.1.2+dfsg-0.3
Done: Neil Williams <codeh...@debian.org>
We believe that the bug you reported is fixed in the latest version of
pillow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 991...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Neil Williams <codeh...@debian.org> (supplier of updated pillow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 20 Jul 2021 06:42:31 +0100
Source: pillow
Architecture: source
Version: 8.1.2+dfsg-0.3
Distribution: unstable
Urgency: high
Maintainer: Matthias Klose <d...@debian.org>
Changed-By: Neil Williams <codeh...@debian.org>
Closes: 991293
Changes:
pillow (8.1.2+dfsg-0.3) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix "CVE-2021-34552 - buffer overflow in Convert.c. Replace sprintf with
snprintf. Backport upstream change from 8.3 to 8.1. (Closes: #991293)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
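
The changelog entry above describes the fix as replacing sprintf with snprintf. The following is an added example, not code from Pillow's Convert.c or from the Debian upload: it measures how many bytes an unbounded sprintf would write when a caller-controlled mode string is formatted into a fixed error buffer, then shows a bounded form that reports truncation. The message text, the 64-byte buffer size, the %.10s precision caps and all function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 64 /* assumed buffer size for this example */

/* Constructed input: a 300-character "mode" string standing in for the
 * caller-controlled parameter. */
static const char *long_mode(void)
{
    static char mode[301];
    memset(mode, 'A', sizeof mode - 1);
    mode[sizeof mode - 1] = '\0';
    return mode;
}

/* Bytes (including the NUL) that an unbounded sprintf() would write for
 * this message. snprintf(NULL, 0, ...) only measures; it writes nothing. */
static int unbounded_bytes_needed(const char *from_mode, const char *to_mode)
{
    return snprintf(NULL, 0, "conversion from %s to %s not supported",
                    from_mode, to_mode) + 1;
}

/* Bounded form: the write is limited to `size` bytes and each
 * caller-controlled string is additionally capped with a precision.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
static int format_convert_error(char *buf, size_t size,
                                const char *from_mode, const char *to_mode)
{
    int n = snprintf(buf, size,
                     "conversion from %.10s to %.10s not supported",
                     from_mode, to_mode);
    if (n < 0)
        return -1;
    return (size_t)n >= size ? 1 : 0;
}

int main(void)
{
    char buf[ERRBUF_SIZE];
    printf("unbounded write would need %d bytes, buffer has %d\n",
           unbounded_bytes_needed("RGB", long_mode()), ERRBUF_SIZE);
    int rc = format_convert_error(buf, sizeof buf, "RGB", long_mode());
    printf("bounded write: rc=%d \"%s\"\n", rc, buf);
    return 0;
}
```

The return value of snprintf is the length the full message would have had, so comparing it with the buffer size is how a caller detects truncation.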