
Debian 9: DLA-2716-1 Critical: Pillow DoS and Buffer Overflow Issues

Debian LTS
July 22, 2021
An important patch for Pillow addresses multiple security flaws in Debian, improving the safety of image handling.
Several vulnerabilities have been discovered in pillow (Python Imaging Library - PIL).

Summary

python-imaging
python-pil-dbg
python-pil-doc
python-pil.imagetk-dbg
python-pil.imagetk
python-pil
python3-pil-dbg
python3-pil.imagetk-dbg
python3-pil.imagetk
python3-pil

CVE-2020-35653

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through
1.1.7 allow an attacker to pass controlled parameters directly into
a convert function to trigger a buffer overflow in Convert.c.

CVE-2021-25290

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c,
there is a negative-offset memcpy with an invalid size.

CVE-2021-28676

An issue was discovered in Pillow before 8.2.0. For FLI data,
FliDecode did not properly check that the block advance was
non-zero, potentially leading to an infinite loop on load.
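The bug class behind CVE-2021-28676, as an added example that is not part of the advisory or of Pillow's code: a simplified chunk walker over a constructed FLI-like byte stream (the real FLI layout is not reproduced) that refuses a zero or out-of-bounds block advance instead of spinning forever.

```python
import struct

# Constructed FLI-like chunk stream (not a real FLI file): each chunk is a
# 4-byte little-endian size followed by a 2-byte type, then payload.
# The size field is the "block advance"; a zero here must never be trusted.
HEADER_LEN = 6


def walk_chunks(data: bytes, max_chunks: int = 1000):
    """Return the (offset, size, type) headers found in data.

    Raises ValueError on a zero, too-small or out-of-bounds advance, and on
    an absurd chunk count, rather than looping forever on hostile input.
    Trailing bytes shorter than one header are ignored."""
    offset = 0
    chunks = []
    while offset + HEADER_LEN <= len(data):
        size, ctype = struct.unpack_from("<IH", data, offset)
        # An advance smaller than the header cannot move the cursor forward,
        # so the loop would revisit the same offset indefinitely.
        if size < HEADER_LEN:
            raise ValueError(f"bad chunk advance {size} at offset {offset}")
        if offset + size > len(data):
            raise ValueError(f"chunk at offset {offset} overruns buffer")
        chunks.append((offset, size, ctype))
        offset += size
        if len(chunks) > max_chunks:
            raise ValueError("too many chunks")
    return chunks


def make_chunk(ctype: int, payload: bytes) -> bytes:
    """Build one well-formed chunk with a correct advance."""
    return struct.pack("<IH", HEADER_LEN + len(payload), ctype) + payload


# Constructed samples: a valid two-chunk stream, and one whose second
# chunk carries a zero advance (the condition the fix rejects).
GOOD = make_chunk(0xF1FA, b"\x01\x02") + make_chunk(0x0F, b"abc")
ZERO_ADVANCE = make_chunk(0xF1FA, b"\x01\x02") + struct.pack("<IH", 0, 0x0F) + b"abc"


def check(data: bytes):
    """Classify a stream as accepted (with chunk count) or rejected."""
    try:
        return ("ok", len(walk_chunks(data)))
    except ValueError as exc:
        return ("rejected", str(exc))
```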

CVE-2021-28677

An issue was discovered in Pillow before 8.2.0. For EPS data, the
readline implementation used in EPSImageFile has to deal with any
combination of \r and \n as line endings. It used an accidentally

Severity: critical

-------------------------------------------------------------------------
Package: pillow
Version: 4.0.0-4+deb9u3
CVE ID: CVE-2020-35653 CVE-2021-25290 CVE-2021-28676 CVE-2021-28677
Debian Bug: #991293, #989062
