Arch Linux Security Advisory ASA-202107-26
==========================================

Severity: Medium
Date    : 2021-07-14
CVE-ID  : CVE-2021-34552
Package : python-pillow
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2150

Summary
=======

The package python-pillow before version 8.3.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 8.3.0-1.

# pacman -Syu "python-pillow>=8.3.0-1"

The problem has been fixed upstream in version 8.3.0.
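An added version-audit helper, written for this advisory and not part of the Arch or Pillow project code: it decides whether a given Pillow version string is below the fixed upstream release 8.3.0, accepts both plain upstream versions ("8.2.0") and Arch package versions with a pkgrel suffix ("8.3.0-1", as printed by `pacman -Q python-pillow`), and reports the Pillow importable in the current interpreter. The sample pacman output line in the comments is constructed; the check only compares version numbers and cannot see whether a build was patched without a version bump.

```python
"""Added example for ASA-202107-26 (CVE-2021-34552): is an installed Pillow
older than the fixed upstream release 8.3.0?  Not part of the advisory."""
import re
from typing import Optional, Tuple

# Fixed upstream release named in the advisory.
FIXED_VERSION: Tuple[int, int, int] = (8, 3, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the leading numeric components of a version string.

    Handles upstream strings ("8.2.0"), Arch package versions with a pkgrel
    ("8.3.0-1") and suffixed strings ("8.2.0.post1", "9.0.0rc1") by keeping
    only the leading dotted integers.  Short versions are zero-padded so that
    "8.3" compares equal to "8.3.0" rather than below it.
    """
    core = version.strip().split("-", 1)[0]  # drop Arch pkgrel such as "-1"
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at "post1", "rc1" and similar
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    parts += [0] * (len(FIXED_VERSION) - len(parts))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if this Pillow version predates the fixed release 8.3.0."""
    return parse_version(version) < FIXED_VERSION


def is_affected_pacman_line(line: str) -> bool:
    """Evaluate one line of `pacman -Q python-pillow` output.

    Constructed sample input: "python-pillow 8.2.0-1".
    """
    name, _, ver = line.strip().partition(" ")
    if name != "python-pillow" or not ver:
        raise ValueError(f"not a python-pillow pacman line: {line!r}")
    return is_affected(ver)


def installed_pillow_version() -> Optional[str]:
    """Version of the Pillow importable here, or None if it is not installed."""
    try:
        import PIL
    except ImportError:
        return None
    return getattr(PIL, "__version__", None)


if __name__ == "__main__":
    found = installed_pillow_version()
    if found is None:
        print("Pillow is not installed in this interpreter")
    else:
        state = "AFFECTED, upgrade to >= 8.3.0" if is_affected(found) else "fixed"
        print(f"Pillow {found}: {state}")
```

Run it inside each virtualenv or interpreter that processes untrusted images, since a system package at 8.3.0-1 says nothing about a vendored or pip-installed Pillow elsewhere on the host.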

Workaround
==========

None.

Description
===========

Pillow through 8.2.0 allows an attacker to pass controlled parameters
directly into a convert function to trigger a buffer overflow in
Convert.c.

Impact
======

Converting a crafted image file could lead to arbitrary code execution.

References
==========

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow
https://github.com/python-pillow/Pillow/pull/5567
https://github.com/python-pillow/Pillow/commit/518ee3722a99d7f7d890db82a20bd81c1c0327fb
https://security.archlinux.org/CVE-2021-34552

ArchLinux: 202107-26: python-pillow: arbitrary code execution

July 16, 2021