Skip to content

upgrade pillow etc. to fix safety issues in 1.4.0 dockerfiles #63

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 2, 2020
Merged

upgrade pillow etc. to fix safety issues in 1.4.0 dockerfiles #63

merged 2 commits into from
Apr 2, 2020

Conversation

YYStreet
Copy link
Contributor

@YYStreet YYStreet commented Apr 1, 2020

Issue #, if available:
Safety issue

-> pillow, installed 6.2.0, affected <6.2.2, id 37782
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. See: CVE-2020-5313.
--
-> pillow, installed 6.2.0, affected <6.2.2, id 37781
libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. See:CVE-2020-5312.
--
-> pillow, installed 6.2.0, affected <6.2.2, id 37780
libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. See: CVE-2020-5311.
--
-> pillow, installed 6.2.0, affected <6.2.2, id 37779
libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. See: CVE-2020-5310.
--
-> pillow, installed 6.2.0, affected >6.0,<6.2.2, id 37772
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer. See: CVE-2019-19911.

Description of changes:
Upgrade Pillow to latest version for py2 and py3 correspondingly

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@YYStreet YYStreet changed the title upgrade Pillow and use pip to install upgrade pillow etc. to fix safety issues in 1.4.0 dockerfiles Apr 2, 2020
@YYStreet
Copy link
Contributor Author

YYStreet commented Apr 2, 2020 

pip check

sagemaker-pytorch-inference 1.3.0 has requirement Pillow==6.2.0, but you have pillow 7.1.0.

sagemaker-pytorch-inference 1.3.0 has requirement sagemaker-containers==2.5.4, but you have sagemaker-containers 2.8.6.

awscli 1.18.23 has requirement botocore==1.15.23, but you have botocore 1.15.33.

@YYStreet YYStreet requested a review from TusharKanekiDey April 2, 2020 02:08
@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@YYStreet YYStreet merged commit 28dafc8 into aws:master Apr 2, 2020
@saimidu saimidu mentioned this pull request Apr 10, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TusharKanekiDey TusharKanekiDey TusharKanekiDey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@YYStreet @sagemaker-bot @TusharKanekiDey