

# Security update for python-Pillow

Announcement ID: SUSE-SU-2024:1673-1  
Rating: critical  
References:

  * bsc#1180833
  * bsc#1183101
  * bsc#1183102
  * bsc#1183103
  * bsc#1183105
  * bsc#1183107
  * bsc#1183108
  * bsc#1183110
  * bsc#1188574
  * bsc#1190229
  * bsc#1194551
  * bsc#1194552

  
Cross-References:

  * CVE-2020-35654
  * CVE-2021-23437
  * CVE-2021-25289
  * CVE-2021-25290
  * CVE-2021-25292
  * CVE-2021-25293
  * CVE-2021-27921
  * CVE-2021-27922
  * CVE-2021-27923
  * CVE-2021-34552
  * CVE-2022-22815
  * CVE-2022-22816

  
CVSS scores:

  * CVE-2020-35654 ( SUSE ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2020-35654 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2021-23437 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-23437 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-25289 ( SUSE ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2021-25289 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2021-25290 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-25290 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-25292 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-25292 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2021-25293 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-25293 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-27921 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-27921 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-27922 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-27922 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-27923 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-27923 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-34552 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-34552 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2022-22815 ( SUSE ):  3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  * CVE-2022-22815 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
  * CVE-2022-22816 ( SUSE ):  3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  * CVE-2022-22816 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

  
Affected Products:

  * openSUSE Leap 15.3
  * openSUSE Leap 15.5

  
  
An update that solves 12 vulnerabilities can now be installed.

## Description:

This update for python-Pillow fixes the following issues:

  * Fixed ImagePath.Path array handling (bsc#1194552, CVE-2022-22815,
    bsc#1194551, CVE-2022-22816)
  * Use snprintf instead of sprintf (bsc#1188574, CVE-2021-34552)
  * Fix Memory DOS in Icns, Ico and Blp Image Plugins. (bsc#1183110,
    CVE-2021-27921, bsc#1183108, CVE-2021-27922, bsc#1183107, CVE-2021-27923)
  * Fix OOB read in SgiRleDecode.c (bsc#1183102, CVE-2021-25293)
  * Use more specific regex chars to prevent ReDoS (bsc#1183101, CVE-2021-25292)
  * Fix negative size read in TiffDecode.c (bsc#1183105, CVE-2021-25290)
  * Raise ValueError if color specifier is too long (bsc#1190229,
    CVE-2021-23437)
  * Incorrect error code checking in TiffDecode.c (bsc#1183103, CVE-2021-25289)
  * OOB Write in TiffDecode.c (bsc#1180833, CVE-2020-35654)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.3  
    zypper in -t patch SUSE-2024-1673=1

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2024-1673=1

## Package List:

  * openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
    * python-Pillow-debugsource-7.2.0-150300.3.15.1
    * python3-Pillow-tk-7.2.0-150300.3.15.1
    * python-Pillow-debuginfo-7.2.0-150300.3.15.1
    * python3-Pillow-7.2.0-150300.3.15.1
    * python3-Pillow-debuginfo-7.2.0-150300.3.15.1
    * python3-Pillow-tk-debuginfo-7.2.0-150300.3.15.1
  * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * python-Pillow-debugsource-7.2.0-150300.3.15.1
    * python3-Pillow-tk-7.2.0-150300.3.15.1
    * python-Pillow-debuginfo-7.2.0-150300.3.15.1
    * python3-Pillow-7.2.0-150300.3.15.1
    * python3-Pillow-debuginfo-7.2.0-150300.3.15.1
    * python3-Pillow-tk-debuginfo-7.2.0-150300.3.15.1

## References:

  * https://www.suse.com/security/cve/CVE-2020-35654.html
  * https://www.suse.com/security/cve/CVE-2021-23437.html
  * https://www.suse.com/security/cve/CVE-2021-25289.html
  * https://www.suse.com/security/cve/CVE-2021-25290.html
  * https://www.suse.com/security/cve/CVE-2021-25292.html
  * https://www.suse.com/security/cve/CVE-2021-25293.html
  * https://www.suse.com/security/cve/CVE-2021-27921.html
  * https://www.suse.com/security/cve/CVE-2021-27922.html
  * https://www.suse.com/security/cve/CVE-2021-27923.html
  * https://www.suse.com/security/cve/CVE-2021-34552.html
  * https://www.suse.com/security/cve/CVE-2022-22815.html
  * https://www.suse.com/security/cve/CVE-2022-22816.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1180833
  * https://bugzilla.suse.com/show_bug.cgi?id=1183101
  * https://bugzilla.suse.com/show_bug.cgi?id=1183102
  * https://bugzilla.suse.com/show_bug.cgi?id=1183103
  * https://bugzilla.suse.com/show_bug.cgi?id=1183105
  * https://bugzilla.suse.com/show_bug.cgi?id=1183107
  * https://bugzilla.suse.com/show_bug.cgi?id=1183108
  * https://bugzilla.suse.com/show_bug.cgi?id=1183110
  * https://bugzilla.suse.com/show_bug.cgi?id=1188574
  * https://bugzilla.suse.com/show_bug.cgi?id=1190229
  * https://bugzilla.suse.com/show_bug.cgi?id=1194551
  * https://bugzilla.suse.com/show_bug.cgi?id=1194552

SUSE: 2024:1673-1 critical: python-Pillow Security Advisory Updates

May 17, 2024

* bsc#1180833 * bsc#1183101 * bsc#1183102 * bsc#1183103 * bsc#1183105

Summary

## This update for python-Pillow fixes the following issues: * Fixed ImagePath.Path array handling (bsc#1194552, CVE-2022-22815, bsc#1194551, CVE-2022-22816) * Use snprintf instead of sprintf (bsc#1188574, CVE-2021-34552) * Fix Memory DOS in Icns, Ico and Blp Image Plugins. (bsc#1183110, CVE-2021-27921, bsc#1183108, CVE-2021-27922, bsc#1183107, CVE-2021-27923) * Fix OOB read in SgiRleDecode.c (bsc#1183102, CVE-2021-25293) * Use more specific regex chars to prevent ReDoS (bsc#1183101, CVE-2021-25292) * Fix negative size read in TiffDecode.c (bsc#1183105, CVE-2021-25290) * Raise ValueError if color specifier is too long (bsc#1190229, CVE-2021-23437) * Incorrect error code checking in TiffDecode.c (bsc#1183103, CVE-2021-25289) * OOB Write in TiffDecode.c (bsc#1180833, CVE-2020-35654) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.3 zypper in -t patch SUSE-2024-1673=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2024-1673=1 ## Package List: * openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586) * python-Pillow-debugsource-7.2.0-150300.3.15.1 * python3-Pillow-tk-7.2.0-150300.3.15.1 * python-Pillow-debuginfo-7.2.0-150300.3.15.1 * python3-Pillow-7.2.0-150300.3.15.1 * python3-Pillow-debuginfo-7.2.0-150300.3.15.1 * python3-Pillow-tk-debuginfo-7.2.0-150300.3.15.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * python-Pillow-debugsource-7.2.0-150300.3.15.1 * python3-Pillow-tk-7.2.0-150300.3.15.1 * python-Pillow-debuginfo-7.2.0-150300.3.15.1 * python3-Pillow-7.2.0-150300.3.15.1 * python3-Pillow-debuginfo-7.2.0-150300.3.15.1 * python3-Pillow-tk-debuginfo-7.2.0-150300.3.15.1

References

* bsc#1180833

* bsc#1183101

* bsc#1183102

* bsc#1183103

* bsc#1183105

* bsc#1183107

* bsc#1183108

* bsc#1183110

* bsc#1188574

* bsc#1190229

* bsc#1194551

* bsc#1194552

Cross-

* CVE-2020-35654

* CVE-2021-23437

* CVE-2021-25289

* CVE-2021-25290

* CVE-2021-25292

* CVE-2021-25293

* CVE-2021-27921

* CVE-2021-27922

* CVE-2021-27923

* CVE-2021-34552

* CVE-2022-22815

* CVE-2022-22816

CVSS scores:

* CVE-2020-35654 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

* CVE-2020-35654 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

* CVE-2021-23437 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-23437 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-25289 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

* CVE-2021-25289 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

* CVE-2021-25290 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-25290 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-25292 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-25292 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

* CVE-2021-25293 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-25293 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-27921 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-27921 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-27922 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-27922 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-27923 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-27923 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-34552 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2021-34552 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

* CVE-2022-22815 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

* CVE-2022-22815 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

* CVE-2022-22816 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

* CVE-2022-22816 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Affected Products:

* openSUSE Leap 15.3

* openSUSE Leap 15.5

An update that solves 12 vulnerabilities can now be installed.

* https://www.suse.com/security/cve/CVE-2020-35654.html

* https://www.suse.com/security/cve/CVE-2021-23437.html

* https://www.suse.com/security/cve/CVE-2021-25289.html

* https://www.suse.com/security/cve/CVE-2021-25290.html

* https://www.suse.com/security/cve/CVE-2021-25292.html

* https://www.suse.com/security/cve/CVE-2021-25293.html

* https://www.suse.com/security/cve/CVE-2021-27921.html

* https://www.suse.com/security/cve/CVE-2021-27922.html

* https://www.suse.com/security/cve/CVE-2021-27923.html

* https://www.suse.com/security/cve/CVE-2021-34552.html

* https://www.suse.com/security/cve/CVE-2022-22815.html

* https://www.suse.com/security/cve/CVE-2022-22816.html

* https://bugzilla.suse.com/show_bug.cgi?id=1180833

* https://bugzilla.suse.com/show_bug.cgi?id=1183101

* https://bugzilla.suse.com/show_bug.cgi?id=1183102

* https://bugzilla.suse.com/show_bug.cgi?id=1183103

* https://bugzilla.suse.com/show_bug.cgi?id=1183105

* https://bugzilla.suse.com/show_bug.cgi?id=1183107

* https://bugzilla.suse.com/show_bug.cgi?id=1183108

* https://bugzilla.suse.com/show_bug.cgi?id=1183110

* https://bugzilla.suse.com/show_bug.cgi?id=1188574

* https://bugzilla.suse.com/show_bug.cgi?id=1190229

* https://bugzilla.suse.com/show_bug.cgi?id=1194551

* https://bugzilla.suse.com/show_bug.cgi?id=1194552

Severity

Announcement ID: SUSE-SU-2024:1673-1

Rating: critical

SUSE: 2024:1673-1 critical: python-Pillow Security Advisory Updates

Summary

References

Related News

Get the Latest News & Insights

News

Advisories

HOWTOs

Features

About Us

Powered By