RedHat: RHSA-2021-4149:03 Moderate: python-pillow security update
Summary
The python-pillow packages contain a Python image processing library that
provides extensive file format support, an efficient internal
representation, and powerful image-processing capabilities.
Security Fix(es):
* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25287)
* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25288)
* python-pillow: Negative-offset memcpy in TIFF image reader
(CVE-2021-25290)
* python-pillow: Regular expression DoS in PDF format parser
(CVE-2021-25292)
* python-pillow: Out-of-bounds read in SGI RLE image reader
(CVE-2021-25293)
* python-pillow: Excessive memory allocation in BLP image reader
(CVE-2021-27921)
* python-pillow: Excessive memory allocation in ICNS image reader
(CVE-2021-27922)
* python-pillow: Excessive memory allocation in ICO image reader
(CVE-2021-27923)
* python-pillow: Excessive memory allocation in PSD image reader
(CVE-2021-28675)
* python-pillow: Infinite loop in FLI image reader (CVE-2021-28676)
* python-pillow: Excessive CPU use in EPS image reader (CVE-2021-28677)
* python-pillow: Excessive looping in BLP image reader (CVE-2021-28678)
* python-pillow: Buffer overflow in image convert function (CVE-2021-34552)
* python-pillow: Buffer over-read in PCX image reader (CVE-2020-35653)
* python-pillow: Buffer over-read in SGI RLE image reader (CVE-2020-35655)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.
Summary
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2020-35653 https://access.redhat.com/security/cve/CVE-2020-35655 https://access.redhat.com/security/cve/CVE-2021-25287 https://access.redhat.com/security/cve/CVE-2021-25288 https://access.redhat.com/security/cve/CVE-2021-25290 https://access.redhat.com/security/cve/CVE-2021-25292 https://access.redhat.com/security/cve/CVE-2021-25293 https://access.redhat.com/security/cve/CVE-2021-27921 https://access.redhat.com/security/cve/CVE-2021-27922 https://access.redhat.com/security/cve/CVE-2021-27923 https://access.redhat.com/security/cve/CVE-2021-28675 https://access.redhat.com/security/cve/CVE-2021-28676 https://access.redhat.com/security/cve/CVE-2021-28677 https://access.redhat.com/security/cve/CVE-2021-28678 https://access.redhat.com/security/cve/CVE-2021-34552 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/
Package List
Red Hat Enterprise Linux AppStream (v. 8):
Source:
python-pillow-5.1.1-16.el8.src.rpm
aarch64:
python-pillow-debuginfo-5.1.1-16.el8.aarch64.rpm
python-pillow-debugsource-5.1.1-16.el8.aarch64.rpm
python3-pillow-5.1.1-16.el8.aarch64.rpm
python3-pillow-debuginfo-5.1.1-16.el8.aarch64.rpm
python3-pillow-tk-debuginfo-5.1.1-16.el8.aarch64.rpm
ppc64le:
python-pillow-debuginfo-5.1.1-16.el8.ppc64le.rpm
python-pillow-debugsource-5.1.1-16.el8.ppc64le.rpm
python3-pillow-5.1.1-16.el8.ppc64le.rpm
python3-pillow-debuginfo-5.1.1-16.el8.ppc64le.rpm
python3-pillow-tk-debuginfo-5.1.1-16.el8.ppc64le.rpm
s390x:
python-pillow-debuginfo-5.1.1-16.el8.s390x.rpm
python-pillow-debugsource-5.1.1-16.el8.s390x.rpm
python3-pillow-5.1.1-16.el8.s390x.rpm
python3-pillow-debuginfo-5.1.1-16.el8.s390x.rpm
python3-pillow-tk-debuginfo-5.1.1-16.el8.s390x.rpm
x86_64:
python-pillow-debuginfo-5.1.1-16.el8.x86_64.rpm
python-pillow-debugsource-5.1.1-16.el8.x86_64.rpm
python3-pillow-5.1.1-16.el8.x86_64.rpm
python3-pillow-debuginfo-5.1.1-16.el8.x86_64.rpm
python3-pillow-tk-debuginfo-5.1.1-16.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update for python-pillow is now available for Red Hat Enterprise Linux8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
Bugs Fixed
1915420 - CVE-2020-35653 python-pillow: Buffer over-read in PCX image reader
1915432 - CVE-2020-35655 python-pillow: Buffer over-read in SGI RLE image reader
1934685 - CVE-2021-25290 python-pillow: Negative-offset memcpy in TIFF image reader
1934699 - CVE-2021-25292 python-pillow: Regular expression DoS in PDF format parser
1934705 - CVE-2021-25293 python-pillow: Out-of-bounds read in SGI RLE image reader
1935384 - CVE-2021-27921 python-pillow: Excessive memory allocation in BLP image reader
1935396 - CVE-2021-27922 python-pillow: Excessive memory allocation in ICNS image reader
1935401 - CVE-2021-27923 python-pillow: Excessive memory allocation in ICO image reader
1958226 - CVE-2021-25287 python-pillow: Out-of-bounds read in J2K image reader
1958231 - CVE-2021-25288 python-pillow: Out-of-bounds read in J2K image reader
1958240 - CVE-2021-28675 python-pillow: Excessive memory allocation in PSD image reader
1958252 - CVE-2021-28676 python-pillow: Infinite loop in FLI image reader
1958257 - CVE-2021-28677 python-pillow: Excessive CPU use in EPS image reader
1958263 - CVE-2021-28678 python-pillow: Excessive looping in BLP image reader
1982378 - CVE-2021-34552 python-pillow: Buffer overflow in image convert function