CVE-2014-3589

Advisory

pillow-simd affected versions are vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

----------------------- Use redistributable image for testing 884 [hugovk]- Use redistributable ICC profiles for testing, skip if not available 923 [wiredfool]- Additional documentation for JPEG info and save options 890 [wiredfool]- Fix JPEG Encoding memory leak when exif or qtables were specified [wiredfool]- Image.tobytes() and Image.tostring() documentation update 916 917 [mgedmin]- On Windows, do not execute convert.exe without specifying path 912 [cgohlke]- Fix msvc build error 911 [cgohlke]- Fix for handling P + transparency -> RGBA conversions 904 [wiredfool]- Retain alpha in ImageEnhance operations 909 [wiredfool]- Jpeg2k Decode/encode memory leak fix 898 [joshware, wiredfool]- EpsFilePlugin Speed improvements 886 [wiredfool, karstenw]- Don't resize if already the right size 892 [radarhere]- Fix for reading multipage TIFFs 885 [kostrom, wiredfool]- Correctly handle saving gray and CMYK JPEGs with quality=keep 857 [etienned]- Correct duplicate Tiff Metadata and Exif tag values [hugovk]- Windows fixes 871 [wiredfool]- Fix TGA files with image ID field 856 [megabuz]- Fixed wrong P-mode of small, unoptimized L-mode GIF 843 [uvNikita]- Fixed CVE-2014-3598, a DOS in the Jpeg2KImagePlugin [Andrew Drake]- Fixed CVE-2014-3589, a DOS in the IcnsImagePlugin [Andrew Drake]- setup.py: Close open file handle before deleting 844 [divergentdave]- Return Profile with Transformed Images 837 [wiredfool]- Changed docstring to refer to the correct function 836 [MatMoore]- Adding coverage support for C code tests 833 [wiredfool]- PyPy performance improvements 821 [wiredfool]- Added support for reading MPO files [Feneric]- Added support for encoding and decoding iTXt chunks 818 [dolda2000]- HSV Support 816 [wiredfool]- Removed unusable ImagePalette.new() [hugovk]- Fix Scrambled XPM 808 [wiredfool]- Doc cleanup [wiredfool]- Fix `ImageStat` docs [akx]- Added docs for ExifTags [Wintermute3]- More tests for CurImagePlugin, DcxImagePlugin, Effects.c, GimpGradientFile, ImageFont, ImageMath, ImagePalette, IptcImagePlugin, SpiderImagePlugin, SgiImagePlugin, XpmImagePlugin and _util [hugovk]- Fix return value of FreeTypeFont.textsize() does not include font offsets [tk0miya]- Fix dispose calculations for animated GIFs 765 [larsjsol]- Added class checking to Image __eq__ function 775 [radarhere, hugovk]- Test PalmImagePlugin and method to skip known bad tests 776 [hugovk, wiredfool]

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3589
• https://pypi.python.org/pypi/Pillow/2.5.2
• https://pypi.python.org/pypi/Pillow/2.3.2
• http://www.debian.org/security/2014/dsa-3009
• https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d
• http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html
• http://secunia.com/advisories/59825