[Git][security-tracker-team/security-tracker][master] CVE-2026-42311/pillow: complete TODO introductory commit + bullseye not-affected

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Thu May 21 08:08:02 BST 2026 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
32596a9f by Sylvain Beucler at 2026-05-21T09:07:55+02:00
CVE-2026-42311/pillow: complete TODO introductory commit + bullseye not-affected

Bisecting through 10.2.0..10.3.0, the segmentation fault in
test_bounds_crash_overflow is introduced with support for negative
layer co-ordinates.

Before that commit, Pillow just doesn't support the payload:
  FAILED Tests/test_file_psd.py::test_bounds_crash_overflow - PIL.UnidentifiedImageError: cannot identify image file 'Tests/images/psd-oob-write-overflow.psd'

After there's a segfault:
  Tests/test_file_psd.py Fatal Python error: Segmentation fault

  Current thread 0x00007f4079105040 (most recent call first):
    File "/root/.virtualenvs/pillow/lib/python3.11/site-packages/PIL/ImageFile.py", line 291 in load
    File "/usr/src/triage/Pillow/Tests/test_file_psd.py", line 181 in test_bounds_crash_overflow
    ...
  Erreur de segmentation

Test command:
  make clean && make install && \cp -a ../test_file_psd.py Tests/ && \cp -a ../psd-oob-write* Tests/images/ && pytest Tests/test_file_psd.py -k test_bounds_crash_overflow

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -6331,10 +6331,11 @@ CVE-2026-42339 (New API is a large language mode (LLM) gateway and artificial in
 	NOT-FOR-US: New API
 CVE-2026-42311 (Pillow is a Python imaging library. From version 10.3.0 to before vers ...)
 	- pillow 12.2.0-1
+	[bullseye] - pillow <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/python-pillow/Pillow/security/advisories/GHSA-pwv6-vv43-88gr
 	NOTE: https://github.com/python-pillow/Pillow/pull/9520
 	NOTE: Fixed by (merge) https://github.com/python-pillow/Pillow/commit/58f9a1d166dcb0c274807d4423522d205b0c35ea (12.2.0)
-	TODO: check, identify commit in 10.3.0 introducing the issue
+	NOTE: Introduced by: https://github.com/python-pillow/Pillow/commit/c2907dc04967109391a77eea00f7d583a0a0395f (10.3.0)
 CVE-2026-42310 (Pillow is a Python imaging library. From version 4.2.0 to before versi ...)
 	- pillow 12.2.0-1
 	NOTE: https://github.com/python-pillow/Pillow/security/advisories/GHSA-r73j-pqj5-w3x7



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32596a9f545ad4ccfb10a0beff3a2bb79105944a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32596a9f545ad4ccfb10a0beff3a2bb79105944a
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260521/9ab39c59/attachment.htm>

More information about the debian-security-tracker-commits mailing list