Arch Linux Security Advisory ASA-202101-11

Severity: Medium
Date    : 2021-01-12
CVE-ID  : CVE-2020-35653 CVE-2020-35654 CVE-2020-35655
Package : python-pillow
Type    : multiple issues
Remote  : No
Link    :


The package python-pillow before version 8.1.0-1 is vulnerable to
multiple issues including arbitrary code execution, information
disclosure and denial of service.


Upgrade to 8.1.0-1.

# pacman -Syu "python-pillow>=8.1.0-1"

The problems have been fixed upstream in version 8.1.0.




- CVE-2020-35653 (information disclosure)

In python-pillow before 8.1.0, PcxDecode has a buffer over-read when
decoding a crafted PCX file because the user-supplied stride value is
trusted for buffer calculations.

- CVE-2020-35654 (arbitrary code execution)

In python-pillow before 8.1.0, TiffDecode has a heap-based buffer
overflow when decoding crafted YCbCr files because of certain
interpretation conflicts with LibTIFF in RGBA mode.

- CVE-2020-35655 (denial of service)

In python-pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-
read when decoding crafted SGI RLE image files because offsets and
length tables are mishandled.


A local malicious user might craft a malformed file to execute
arbitrary code, read from memory or crash the application.