MGASA-2020-0434

Source
https://advisories.mageia.org/MGASA-2020-0434.html
Import Source
https://advisories.mageia.org/MGASA-2020-0434.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2020-0434
Published
2020-11-23T19:51:37Z
Modified
2020-11-23T19:12:03Z
Summary
Updated python-pillow packages fix security vulnerabilities
Details

Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in libImaging/FliDecode.c (CVE-2020-10177).

In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer (CVE-2020-10378).

An out-of-bounds read flaw was found in python-pillow in the way JP2 images are parsed. An application that uses python-pillow to decode untrusted images may be vulnerable to this issue. This flaw allows an attacker to read data. The highest threat from this vulnerability is to confidentiality (CVE-2020-10994).

An out-of-bounds read/write flaw was found in python-pillow, in the way SGI RLE images are decoded. An application that uses python-pillow to decode untrusted images may be vulnerable. This flaw allows an attacker to crash the application or potentially execute code on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2020-11538).

Also, python-pillow is now built with OpenJPEG2000 image support.


Affected packages

Mageia:7 / python-pillow

Package

Name
python-pillow
Purl
pkg:rpm/mageia/python-pillow?distro=mageia-7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.4.1-1.3.mga7

Ecosystem specific

{
    "section": "core"
}