MGASA-2020-0434

Description

Updated python-pillow packages fix security vulnerabilities Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in libImaging/FliDecode.c (CVE-2020-10177). In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer (CVE-2020-10378). An out-of-bounds read flaw was found in python-pillow in the way JP2 images are parsed. An application that uses python-pillow to decode untrusted images may be vulnerable to this issue. This flaw allows an attacker to read data. The highest threat from this vulnerability is to confidentiality (CVE-2020-10994). An out-of-bounds read/write flaw was found in python-pillow, in the way SGI RLE images are decoded. An application that uses python-pillow to decode untrusted images may be vulnerable. This flaw allows an attacker to crash the application or potentially execute code on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2020-11538). Also, python-pillow is now built with OpenJPEG2000 image support.

Affected Systems

• mageia•python-pillow

  < 5.4.1-1.3.mga7

References (3)

• https://advisories.mageia.org/MGASA-2020-0434.html
• https://bugs.mageia.org/show_bug.cgi?id=26919
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HOKHNWV2VS5GESY7IBD237E7C6T3I427/