[ASA-202101-11] python-pillow: multiple issues

Morten Linderud foxboron at archlinux.org
Fri Jan 15 21:08:24 UTC 2021


Arch Linux Security Advisory ASA-202101-11
==========================================

Severity: Medium
Date    : 2021-01-12
CVE-ID  : CVE-2020-35653 CVE-2020-35654 CVE-2020-35655
Package : python-pillow
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-1438

Summary
=======

The package python-pillow before version 8.1.0-1 is vulnerable to
multiple issues including arbitrary code execution, information
disclosure and denial of service.

Resolution
==========

Upgrade to 8.1.0-1.

# pacman -Syu "python-pillow>=8.1.0-1"

The problems have been fixed upstream in version 8.1.0.

Workaround
==========

None.

Description
===========

- CVE-2020-35653 (information disclosure)

In python-pillow before 8.1.0, PcxDecode has a buffer over-read when
decoding a crafted PCX file because the user-supplied stride value is
trusted for buffer calculations.

- CVE-2020-35654 (arbitrary code execution)

In python-pillow before 8.1.0, TiffDecode has a heap-based buffer
overflow when decoding crafted YCbCr files because of certain
interpretation conflicts with LibTIFF in RGBA mode.

- CVE-2020-35655 (denial of service)

In python-pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-
read when decoding crafted SGI RLE image files because offsets and
length tables are mishandled.

Impact
======

A local malicious user might craft a malformed file to execute
arbitrary code, read from memory or crash the application.

References
==========

https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security
https://github.com/python-pillow/Pillow/pull/5174
https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
https://github.com/python-pillow/Pillow/pull/5175
https://github.com/python-pillow/Pillow/commit/eb8c1206d6b170d4e798a00db7432e023853da5c
https://github.com/python-pillow/Pillow/commit/45a62e91b1f72e79989a7919af97b062dc8dfaf4
https://github.com/python-pillow/Pillow/pull/5173
https://github.com/python-pillow/Pillow/commit/7e95c63fa7f503f185d3d9eb16b9cee1e54d1e46
https://github.com/python-pillow/Pillow/commit/9a2c9f722f78773e608d44710873437baf3f17d1
https://security.archlinux.org/CVE-2020-35653
https://security.archlinux.org/CVE-2020-35654
https://security.archlinux.org/CVE-2020-35655
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210115/a1d9ffaf/attachment.sig>


More information about the arch-security mailing list