Fedora 33 FEDORA-2021-15845d3abe Critical: python2-pillow DoS Attack

Fedora, March 14, 2021
Fedora 34's patch addresses significant python3-pillow vulnerabilities, mitigating security threats with backported fixes.
This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923

Summary

Python image processing library, fork of the Python Imaging Library (PIL)

This library provides extensive file format support, an efficient internal representation, and powerful image processing capabilities.

This is a minimal compatibility package for https://pagure.io/fesco/issue/2266

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923.

----

Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

Change Log

* Sat Mar 6 2021 Sandro Mani - 6.2.2-5
- Backport patch for CVE-2021-2792{1,2,3}

* Fri Mar 5 2021 Sandro Mani - 6.2.2-4
- Backport fixes for CVE-2020-35653, CVE-2020-35654, CVE-2020-35655
- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

References

[ 1 ] Bug #1933899 - python-pillow-8.1.1 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=1933899
[ 2 ] Bug #1934681 - CVE-2021-25289 python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934681
[ 3 ] Bug #1934682 - CVE-2021-25289 python2-pillow: python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934682
[ 4 ] Bug #1934683 - CVE-2021-25289 mingw-python-pillow: python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934683
[ 5 ] Bug #1934686 - CVE-2021-25290 python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934686
[ 6 ] Bug #1934687 - CVE-2021-25290 python2-pillow: python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934687
[ 7 ] Bug #1934688 - CVE-2021-25290 mingw-python-pillow: python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934688
[ 8 ] Bug #1934693 - CVE-2021-25291 python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934693
[ 9 ] Bug #1934694 - CVE-2021-25291 python2-pillow: python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934694
[ 10 ] Bug #1934695 - CVE-2021-25291 mingw-python-pillow: python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934695
[ 11 ] Bug #1934700 - CVE-2021-25292 python-pillow: backtracking regex in PDF parser could be used as a DOS attack [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934700
[ 12 ] Bug #1934701 - CVE-2021-25292 python2-pillow: python-pillow: backtracking regex in PDF parser could be used as a DOS attack [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934701
[ 13 ] Bug #1934702 - CVE-2021-25292 mingw-python-pillow: python-pillow: backtracking regex in PDF parser could be used as a DOS attack [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934702
[ 14 ] Bug #1934706 - CVE-2021-25293 python-pillow: out-of-bounds read in SGIRleDecode.c [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934706
[ 15 ] Bug #1934707 - CVE-2021-25293 python2-pillow: python-pillow: out-of-bounds read in SGIRleDecode.c [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934707
[ 16 ] Bug #1934708 - CVE-2021-25293 mingw-python-pillow: python-pillow: out-of-bounds read in SGIRleDecode.c [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1934708
[ 17 ] Bug #1935385 - CVE-2021-27921 python-pillow: reported size of a contained image is not properly checked for a BLP container [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1935385
[ 18 ] Bug #1935386 - CVE-2021-27921 python2-pillow: python-pillow: reported size of a contained image is not properly checked for a BLP container [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1935386
[ 19 ] Bug #1935388 - CVE-2021-27921 mingw-python-pillow: python-pillow: reported size of a contained image is not properly checked for a BLP container [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1935388
[ 20 ] Bug #1935397 - CVE-2021-27922 python-pillow: reported size of a contained image is not properly checked for an ICNS container [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1935397
[ 21 ] Bug #1935398 - CVE-2021-27922 python2-pillow: python-pillow: reported size of a contained image is not properly checked for an ICNS container [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1935398
[ 22 ] Bug #1935399 - CVE-2021-27922 mingw-python-pillow: python-pillow: reported size of a contained image is not properly checked for an ICNS container [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1935399
[ 23 ] Bug #1935402 - CVE-2021-27923 python-pillow: reported size of a contained image is not properly checked for an ICO container [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1935402
[ 24 ] Bug #1935403 - CVE-2021-27923 python2-pillow: python-pillow: reported size of a contained image is not properly checked for an ICO container [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1935403
[ 25 ] Bug #1935405 - CVE-2021-27923 mingw-python-pillow: python-pillow: reported size of a contained image is not properly checked for an ICO container [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1935405
[ 26 ] Bug #1936047 - python-pillow-8.1.2 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=1936047
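The BLP, ICNS and ICO entries above all name the same defect class: the container's directory reports the size and offset of an embedded image and the decoder trusts those numbers. The following added example (illustrative code, not Pillow's own or Fedora's patch) parses a minimal ICO directory and applies the bounds check such a decoder needs, rejecting a constructed sample whose reported size runs past the end of the file; the ICONDIR/ICONDIRENTRY layout is the standard ICO header format, and build_ico is a test helper that fabricates containers.

```python
import struct

ICONDIR = struct.Struct("<HHH")             # reserved, type (1 = icon), count
ICONDIRENTRY = struct.Struct("<BBBBHHII")   # w, h, colors, reserved, planes, bpp, size, offset


def parse_ico_directory(data: bytes) -> list:
    """Parse the ICO header and directory, checking every reported size and
    offset against the real length of the container. Raises ValueError on
    any entry that does not fit instead of trusting the header."""
    if len(data) < ICONDIR.size:
        raise ValueError("truncated ICONDIR header")
    reserved, icon_type, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or icon_type != 1:
        raise ValueError("not an ICO container")
    dir_end = ICONDIR.size + count * ICONDIRENTRY.size
    if dir_end > len(data):
        raise ValueError(f"directory claims {count} entries but file is too short")
    entries = []
    for i in range(count):
        w, h, _colors, _res, _planes, bpp, size, offset = ICONDIRENTRY.unpack_from(
            data, ICONDIR.size + i * ICONDIRENTRY.size)
        # The check the vulnerable decoders lacked: the reported size/offset
        # must lie inside the container before any read or allocation happens.
        if offset < dir_end or offset + size > len(data):
            raise ValueError(f"entry {i}: reported offset={offset} size={size} "
                             f"exceeds container of {len(data)} bytes")
        # A width/height byte of 0 means 256 in the ICO format.
        entries.append({"index": i, "width": w or 256, "height": h or 256,
                        "bpp": bpp, "size": size, "offset": offset})
    return entries


def build_ico(payload_sizes, claimed_sizes=None) -> bytes:
    """Construct a minimal ICO container for testing (constructed data, not a
    real icon). claimed_sizes lets a test overstate a size in the directory."""
    claimed_sizes = claimed_sizes or payload_sizes
    count = len(payload_sizes)
    offset = ICONDIR.size + count * ICONDIRENTRY.size
    directory, blobs = [], []
    for real, claimed in zip(payload_sizes, claimed_sizes):
        directory.append(ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, claimed, offset))
        blobs.append(b"\x00" * real)
        offset += real
    return ICONDIR.pack(0, 1, count) + b"".join(directory) + b"".join(blobs)


def is_safe_ico(data: bytes) -> bool:
    """True when every directory entry fits inside the container."""
    try:
        parse_ico_directory(data)
        return True
    except ValueError:
        return False
```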

Update Instructions

To install this update, run su -c 'dnf upgrade --advisory FEDORA-2021-15845d3abe' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/



Severity: Critical

Product: Fedora 33
Version: 6.2.2
Release: 5.fc33
Summary: Python image processing library
