MGASA-2020-0434 - Updated python-pillow packages fix security vulnerabilities

Publication date: 23 Nov 2020
URL: https://advisories.mageia.org/MGASA-2020-0434.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-10177,
     CVE-2020-10378,
     CVE-2020-10994,
     CVE-2020-11538

Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in
libImaging/FliDecode.c (CVE-2020-10177).

In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an
out-of-bounds read can occur when reading PCX files where state->shuffle is
instructed to read beyond state->buffer (CVE-2020-10378).

An out-of-bounds read flaw was found in python-pillow in the way JP2 images are
parsed. An application that uses python-pillow to decode untrusted images may
be vulnerable to this issue. This flaw allows an attacker to read data. The
highest threat from this vulnerability is to confidentiality (CVE-2020-10994).

An out-of-bounds read/write flaw was found in python-pillow, in the way SGI RLE
images are decoded. An application that uses python-pillow to decode untrusted
images may be vulnerable. This flaw allows an attacker to crash the application
or potentially execute code on the system. The highest threat from this
vulnerability is to data confidentiality and integrity as well as system
availability (CVE-2020-11538).

Also, python-pillow is now built with OpenJPEG2000 image support.
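The version ranges above ("before 6.2.3 and 7.x before 7.0.1") are upstream Pillow numbers, while the fixed Mageia 7 package listed under SRPMS keeps upstream version 5.4.1 and carries the fix as a backport. The following added example (not part of the advisory, and not Mageia or Pillow project code) encodes both checks: `upstream_affected` applies the advisory's upstream ranges to a pip-installed Pillow, and `mageia7_package_fixed` compares a distro package's version-release against the advisory's `5.4.1-1.3.mga7` with a simplified rpm-style comparison. All function names, the simplified version parsing, and the sample inputs are this example's own assumptions.

```python
"""
Added example (not from the Mageia advisory): is this Pillow affected by
CVE-2020-10177 / CVE-2020-10378 / CVE-2020-10994 / CVE-2020-11538?

Two different questions, two different answers:
  * upstream_affected()      -> advisory's upstream ranges (pip-installed Pillow)
  * mageia7_package_fixed()  -> distro package EVR vs. the advisory's fixed SRPM
"""
import re
from typing import Tuple

# Upstream fixed releases quoted in the advisory text.
FIXED_6 = (6, 2, 3)
FIXED_7 = (7, 0, 1)

# Version-release of the fixed Mageia 7 package, from the advisory's SRPMS line.
FIXED_MGA7_VERSION = "5.4.1"
FIXED_MGA7_RELEASE = "1.3.mga7"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.0.0' / '6.2.3' / '5.4.1' into a comparable tuple of ints.

    Trailing non-numeric parts (e.g. '7.0.0.post1') are dropped; this is a
    deliberate simplification of PEP 440 for the purpose of this example.
    """
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(nums)


def upstream_affected(version: str) -> bool:
    """True if an *upstream* Pillow release is inside the advisory's ranges:
    before 6.2.3, or 7.x before 7.0.1.  6.2.3..6.x, 7.0.1+ and 8.x are clean."""
    v = parse_version(version)
    return v < FIXED_6 or ((7,) <= v < FIXED_7)


def _segments(label: str):
    # rpm compares a label as alternating runs of digits and letters.
    return re.findall(r"\d+|[A-Za-z]+", label)


def rpm_label_compare(a: str, b: str) -> int:
    """Simplified rpmvercmp: digit runs compare numerically, letter runs
    lexically, a numeric segment outranks an alphabetic one, and a label
    with more segments wins a tie.  Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit():
            return 1
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def mageia7_package_fixed(evr: str) -> bool:
    """evr is 'VERSION-RELEASE', e.g. the output of
    rpm -q --qf '%{VERSION}-%{RELEASE}\\n' python-pillow  (assumed input form).
    The package is fixed when it is at or above the advisory's 5.4.1-1.3.mga7,
    even though its upstream version 5.4.1 is far below 6.2.3."""
    version, release = evr.split("-", 1)
    c = rpm_label_compare(version, FIXED_MGA7_VERSION)
    if c != 0:
        return c > 0
    return rpm_label_compare(release, FIXED_MGA7_RELEASE) >= 0


def installed_pillow_version() -> str:
    """Upstream version string of the Pillow importable here, '' if absent."""
    try:
        import PIL
    except ImportError:
        return ""
    return getattr(PIL, "__version__", "")


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for v in ("5.4.1", "6.2.2", "6.2.3", "7.0.0", "7.0.1", "8.0.1"):
        print(f"upstream Pillow {v:>6}: affected={upstream_affected(v)}")
    for evr in ("5.4.1-1.2.mga7", "5.4.1-1.3.mga7"):
        print(f"mageia 7 python-pillow-{evr}: fixed={mageia7_package_fixed(evr)}")
    live = installed_pillow_version()
    if live:
        print(f"this interpreter has Pillow {live}: "
              f"upstream-affected={upstream_affected(live)}")
```

The point of running both checks side by side is the backport caveat: a naive scanner that only reads `PIL.__version__` reports the patched Mageia 7 package (upstream 5.4.1) as vulnerable, while a distro-aware check compares the package's version-release against the advisory's SRPM instead.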

References:
- https://bugs.mageia.org/show_bug.cgi?id=26919
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/HOKHNWV2VS5GESY7IBD237E7C6T3I427/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10177
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10378
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10994
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11538

SRPMS:
- 7/core/python-pillow-5.4.1-1.3.mga7