Bug 1173416 - (CVE-2020-10378) VUL-1: CVE-2020-10378: python-Pillow: In libImaging/PcxDecode.c an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer
(CVE-2020-10378)
VUL-1: CVE-2020-10378: python-Pillow: In libImaging/PcxDecode.c an out-of-bou...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/262337/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-06-26 14:05 UTC by Robert Frohl
Modified: 2021-01-27 17:07 UTC (History)
11 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Robert Frohl 2020-06-26 14:06:00 UTC
merge request, including test:
https://github.com/python-pillow/Pillow/pull/4506
Comment 6 Holger Sickenberg 2020-07-21 06:36:36 UTC
Adding Lenz, Nathan and Tim to check for their parts of SES5.
Comment 7 Tim Serong 2020-07-21 07:09:37 UTC
The fix for this for SES5 is now in Devel:Storage:5.0/python-Pillow
Comment 9 Swamp Workflow Management 2020-07-28 01:12:45 UTC
SUSE-SU-2020:2057-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1153191,1160152,1160153,1160192,1173413,1173416,1173418,965582
CVE References: CVE-2016-0775,CVE-2019-16865,CVE-2019-19911,CVE-2020-10177,CVE-2020-10378,CVE-2020-10994,CVE-2020-5312,CVE-2020-5313
JIRA References: 
Sources used:
SUSE Enterprise Storage 5 (src):    python-Pillow-2.8.1-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-08-07 01:16:12 UTC
SUSE-RU-2020:2161-1: An update that solves 24 vulnerabilities and has 10 fixes is now available.

Category: recommended (moderate)
Bug References: 1019111,1107190,1126503,1136928,1153191,1159046,1159447,1160151,1160152,1160153,1160192,1160790,1161088,1161089,1161670,1161919,1163446,1165022,1170657,1171070,1171071,1171072,1171273,1171594,1171909,1172166,1172167,1172409,1172522,1173413,1173416,1173418,1173420,1174006
CVE References: CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792,CVE-2019-16865,CVE-2019-19844,CVE-2019-19911,CVE-2019-3828,CVE-2020-10177,CVE-2020-10378,CVE-2020-10743,CVE-2020-10755,CVE-2020-10994,CVE-2020-11538,CVE-2020-12052,CVE-2020-13254,CVE-2020-13379,CVE-2020-13596,CVE-2020-5311,CVE-2020-5312,CVE-2020-5313,CVE-2020-7471,CVE-2020-8184,CVE-2020-9402
JIRA References: SOC-10029,SOC-10106,SOC-10124,SOC-10317,SOC-10357,SOC-11077,SOC-11082,SOC-11126,SOC-11176,SOC-11203,SOC-11209,SOC-11241,SOC-11243,SOC-11248,SOC-11249,SOC-11274,SOC-11279,SOC-11286,SOC-11289,SOC-11294,SOC-11297,SOC-11298,SOC-11299,SOC-11306,SOC-11314,SOC-11330,SOC-11341,SOC-11342,SOC-6780,SOC-9235,SOC-9775
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    crowbar-core-6.0+git.1594619891.b75a61d0d-3.25.5, crowbar-openstack-6.0+git.1591795073.49cb6400e-3.25.3, grafana-6.2.5-3.12.2, kibana-4.6.3-4.3.2, openstack-barbican-7.0.1~dev24-3.9.5, openstack-ceilometer-11.1.1~dev7-3.16.3, openstack-cinder-13.0.10~dev12-3.22.4, openstack-dashboard-14.1.1~dev6-3.15.5, openstack-designate-7.0.2~dev2-3.19.3, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.6.2, openstack-ironic-11.1.5~dev6-3.19.3, openstack-keystone-14.2.1~dev4-3.22.3, openstack-magnum-7.2.1~dev1-3.13.3, openstack-manila-7.4.2~dev31-4.24.3, openstack-monasca-agent-2.8.2~dev5-3.9.3, openstack-neutron-13.0.8~dev68-3.25.3, openstack-neutron-vsphere-2.0.1~dev167-3.3.3, openstack-nova-18.3.1~dev38-3.25.4, openstack-octavia-3.2.3~dev7-3.25.3, openstack-octavia-amphora-image-0.1.4-7.12.3, openstack-resource-agents-1.0+git.1569436425.8b9c49f-5.3.2, python-Django1-1.11.29-3.15.2, python-Pillow-5.2.0-3.3.2, python-heatclient-1.16.3-3.3.3, python-neutron-tempest-plugin-0.2.0-3.3.2, python-octavia-tempest-plugin-0.2.0-3.3.2, python-os-brick-2.5.10-3.12.3, python-oslo.messaging-8.1.4-3.6.2, python-pyroute2-0.5.2-4.3.2, python-urllib3-1.23-3.12.2, python-waitress-1.4.3-3.3.1, release-notes-suse-openstack-cloud-9.20200610-3.21.4, rubygem-activeresource-4.0.0-4.3.1, rubygem-json-1_7-1.7.7-4.3.1, rubygem-puma-2.16.0-4.9.1
SUSE OpenStack Cloud 9 (src):    ansible1-1.9.6-9.7.2, ardana-ansible-9.0+git.1591138508.e269bdb-3.22.2, ardana-cobbler-9.0+git.1588181228.bae3b1f-3.13.2, ardana-glance-9.0+git.1593631708.9354a78-3.13.2, ardana-input-model-9.0+git.1589740948.c24fc0b-3.19.2, ardana-logging-9.0+git.1591193994.d93b668-3.13.2, ardana-manila-9.0+git.1594158642.b5905e4-3.12.2, ardana-monasca-9.0+git.1589385256.7fbfaaf-3.19.2, ardana-mq-9.0+git.1593618110.cbd1a37-3.16.2, ardana-neutron-9.0+git.1590756257.e09d54f-3.22.2, ardana-octavia-9.0+git.1590079609.a2ae6ab-3.19.2, ardana-tempest-9.0+git.1593033709.9495bb2-3.16.2, grafana-6.2.5-3.12.2, kibana-4.6.3-4.3.2, openstack-barbican-7.0.1~dev24-3.9.5, openstack-ceilometer-11.1.1~dev7-3.16.3, openstack-cinder-13.0.10~dev12-3.22.4, openstack-dashboard-14.1.1~dev6-3.15.5, openstack-designate-7.0.2~dev2-3.19.3, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.6.2, openstack-ironic-11.1.5~dev6-3.19.3, openstack-keystone-14.2.1~dev4-3.22.3, openstack-magnum-7.2.1~dev1-3.13.3, openstack-manila-7.4.2~dev31-4.24.3, openstack-monasca-agent-2.8.2~dev5-3.9.3, openstack-neutron-13.0.8~dev68-3.25.3, openstack-neutron-vsphere-2.0.1~dev167-3.3.3, openstack-nova-18.3.1~dev38-3.25.4, openstack-octavia-3.2.3~dev7-3.25.3, openstack-octavia-amphora-image-0.1.4-7.12.3, openstack-resource-agents-1.0+git.1569436425.8b9c49f-5.3.2, python-Django1-1.11.29-3.15.2, python-Pillow-5.2.0-3.3.2, python-ardana-packager-0.0.3-9.3.2, python-heatclient-1.16.3-3.3.3, python-neutron-tempest-plugin-0.2.0-3.3.2, python-octavia-tempest-plugin-0.2.0-3.3.2, python-os-brick-2.5.10-3.12.3, python-oslo.messaging-8.1.4-3.6.2, python-pyroute2-0.5.2-4.3.2, python-urllib3-1.23-3.12.2, python-waitress-1.4.3-3.3.1, release-notes-suse-openstack-cloud-9.20200610-3.21.4, venv-openstack-barbican-7.0.1~dev24-3.19.3, venv-openstack-cinder-13.0.10~dev12-3.19.2, venv-openstack-designate-7.0.2~dev2-3.19.2, venv-openstack-glance-17.0.1~dev30-3.17.2, venv-openstack-heat-11.0.3~dev35-3.19.2, venv-openstack-horizon-14.1.1~dev6-4.18.3, venv-openstack-ironic-11.1.5~dev6-4.15.2, venv-openstack-keystone-14.2.1~dev4-3.19.2, venv-openstack-magnum-7.2.1~dev1-4.19.2, venv-openstack-manila-7.4.2~dev31-3.21.2, venv-openstack-monasca-2.7.1~dev10-3.17.3, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.19.2, venv-openstack-neutron-13.0.8~dev68-6.19.2, venv-openstack-nova-18.3.1~dev38-3.19.3, venv-openstack-octavia-3.2.3~dev7-4.19.2, venv-openstack-sahara-9.0.2~dev15-3.19.2, venv-openstack-swift-2.19.2~dev48-2.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-10-13 20:03:07 UTC
SUSE-SU-2020:2911-1: An update that fixes 15 vulnerabilities, contains two features is now available.

Category: security (critical)
Bug References: 1117080,1154434,1164140,1171823,1172450,1173413,1173416,1173418,1174583,1175484,965582
CVE References: CVE-2016-0775,CVE-2018-17954,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2019-15043,CVE-2020-10177,CVE-2020-10378,CVE-2020-10744,CVE-2020-10994,CVE-2020-11110,CVE-2020-12052,CVE-2020-13379,CVE-2020-1733,CVE-2020-17376
JIRA References: SOC-11352,SOC-11389
Sources used:
SUSE OpenStack Cloud 7 (src):    ansible-2.2.3.0-17.2, crowbar-core-4.0+git.1600767499.0615a418f-9.69.3, crowbar-openstack-4.0+git.1599037255.25b759234-9.74.4, grafana-6.7.4-1.17.1, grafana-natel-discrete-panel-0.0.9-1.6.5, openstack-aodh-3.0.5~dev2-2.11.2, openstack-aodh-doc-3.0.5~dev2-2.11.1, openstack-barbican-3.0.1~dev9-2.12.4, openstack-barbican-doc-3.0.1~dev9-2.12.2, openstack-cinder-9.1.5~dev6-4.28.1, openstack-cinder-doc-9.1.5~dev6-4.28.1, openstack-gnocchi-3.0.7~dev1-2.8.2, openstack-heat-7.0.7~dev10-5.17.3, openstack-heat-doc-7.0.7~dev10-5.17.2, openstack-ironic-6.2.5~dev3-2.8.2, openstack-ironic-doc-6.2.5~dev3-2.8.2, openstack-magnum-3.3.2~dev7-14.14.4, openstack-magnum-doc-3.3.2~dev7-14.14.2, openstack-manila-3.0.1~dev30-4.17.2, openstack-manila-doc-3.0.1~dev30-4.17.1, openstack-monasca-agent-1.10.1~dev4-13.3, openstack-murano-3.0.1~dev21-7.5.3, openstack-murano-doc-3.0.1~dev21-7.5.1, openstack-neutron-9.4.2~dev21-7.43.2, openstack-neutron-doc-9.4.2~dev21-7.43.1, openstack-neutron-vpnaas-9.0.1~dev8-5.8.2, openstack-neutron-vpnaas-doc-9.0.1~dev8-5.8.2, openstack-nova-14.0.11~dev13-4.45.3, openstack-nova-doc-14.0.11~dev13-4.45.2, openstack-sahara-5.0.2~dev3-14.3, openstack-sahara-doc-5.0.2~dev3-14.1, python-Pillow-2.8.1-4.17.2, rubygem-crowbar-client-3.9.3-7.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-11-12 17:24:08 UTC
SUSE-SU-2020:3309-1: An update that solves 53 vulnerabilities, contains 14 features and has 5 fixes is now available.

Category: security (important)
Bug References: 1008037,1008038,1010940,1019021,1038785,1056094,1059235,1080682,1097775,1102126,1109957,1112959,1117080,1118896,1123561,1126503,1137479,1137528,1142121,1142542,1144453,1153452,1154231,1154232,1154830,1157968,1157969,1159447,1161919,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165022,1165393,1166389,1167440,1167532,1171162,1171823,1172450,1173413,1173416,1173418,1174006,1174145,1174242,1174302,1174583,1175484,1175986,1175993,1177120,1177948
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-8647,CVE-2016-9587,CVE-2017-7466,CVE-2017-7550,CVE-2018-10875,CVE-2018-11779,CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2019-0202,CVE-2019-10156,CVE-2019-10206,CVE-2019-10217,CVE-2019-14846,CVE-2019-14856,CVE-2019-14858,CVE-2019-14864,CVE-2019-14904,CVE-2019-14905,CVE-2019-19844,CVE-2019-3828,CVE-2020-10177,CVE-2020-10378,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-10744,CVE-2020-10994,CVE-2020-11110,CVE-2020-14330,CVE-2020-14332,CVE-2020-14365,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-17376,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2020-25032,CVE-2020-26137,CVE-2020-7471,CVE-2020-9402
JIRA References: SOC-10300,SOC-10522,SOC-10616,SOC-11000,SOC-11223,SOC-11342,SOC-11352,SOC-11364,SOC-11386,SOC-11389,SOC-11391,SOC-6780,SOC-9974,SOC-9998
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.9.14-3.15.1, crowbar-core-5.0+git.1600432272.b3ad722f0-3.44.1, crowbar-openstack-5.0+git.1599037158.5c4d07480-4.43.1, documentation-suse-openstack-cloud-deployment-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Pillow-4.2.1-3.9.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, rubygem-crowbar-client-3.9.3-1.1, storm-1.2.3-3.6.1
SUSE OpenStack Cloud 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-suse-openstack-cloud-installation-8.20201007-1.29.1, documentation-suse-openstack-cloud-operations-8.20201007-1.29.1, documentation-suse-openstack-cloud-opsconsole-8.20201007-1.29.1, documentation-suse-openstack-cloud-planning-8.20201007-1.29.1, documentation-suse-openstack-cloud-security-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, documentation-suse-openstack-cloud-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1
HPE Helion Openstack 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-hpe-helion-openstack-installation-8.20201007-1.29.1, documentation-hpe-helion-openstack-operations-8.20201007-1.29.1, documentation-hpe-helion-openstack-opsconsole-8.20201007-1.29.1, documentation-hpe-helion-openstack-planning-8.20201007-1.29.1, documentation-hpe-helion-openstack-security-8.20201007-1.29.1, documentation-hpe-helion-openstack-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-urllib3-1.22-5.12.1, release-notes-hpe-helion-openstack-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-hpe-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Jeremy Moffitt 2020-11-12 19:15:20 UTC
With the SOC8 MU that shipped today the changes for this in the SOC product are all landed in published updates:
SOC7 - October 13 2020 MU
SOC8 - November 12 2020 MU
SOC9 - August 6 2020 MU

assigning back to the security team
Comment 20 Alexandros Toptsoglou 2021-01-27 17:07:21 UTC
DONE