Updated python-pillow packages fix security vulnerabilities
Publication date: 23 Nov 2020Modification date: 23 Nov 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-10177 , CVE-2020-10378 , CVE-2020-10994 , CVE-2020-11538
Description
Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in
libImaging/FliDecode.c (CVE-2020-10177).
In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an
out-of-bounds read can occur when reading PCX files where state->shuffle is
instructed to read beyond state->buffer (CVE-2020-10378).
An out-of-bounds read flaw was found in python-pillow in the way JP2 images are
parsed. An application that uses python-pillow to decode untrusted images may
be vulnerable to this issue. This flaw allows an attacker to read data. The
highest threat from this vulnerability is to confidentiality (CVE-2020-10994).
An out-of-bounds read/write flaw was found in python-pillow, in the way SGI RLE
images are decoded. An application that uses python-pillow to decode untrusted
images may be vulnerable. This flaw allows an attacker to crash the application
or potentially execute code on the system. The highest threat from this
vulnerability is to data confidentiality and integrity as well as system
availability (CVE-2020-11538).
Also, python-pillow is now built with OpenJPEG2000 image support.
References
- https://bugs.mageia.org/show_bug.cgi?id=26919
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HOKHNWV2VS5GESY7IBD237E7C6T3I427/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10177
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10378
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10994
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11538
SRPMS
7/core
- python-pillow-5.4.1-1.3.mga7