Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 452
Alerts This Week
Warning Icon 1 452

Ubuntu 16.04 LTS, 16.10, 14.04 LTS: USN-3230-1 Critical Pillow Threats

ubuntu
Calendar Grey March 13, 2017
Dist Ubuntu Esm H88
The Ubuntu Security Notice USN-3230-1 outlines significant vulnerabilities found in the Pillow library affecting multiple versions along with the corresponding patches.
Several security issues were fixed in Pillow.

Summary

Several security issues were fixed in Pillow.

Software Description:

- pillow: Python Imaging Library

Details:

It was discovered that Pillow incorrectly handled certain compressed text

chunks in PNG images. A remote attacker could possibly use this issue to

cause Pillow to crash, resulting in a denial of service. This issue only

affected Ubuntu 14.04 LTS. (CVE-2014-9601)

Cris Neckar discovered that Pillow incorrectly handled certain malformed

images. A remote attacker could use this issue to cause Pillow to crash,

resulting in a denial of service, or possibly obtain sensitive information.

(CVE-2016-9189)

Cris Neckar discovered that Pillow incorrectly handled certain malformed

images. A remote attacker could use this issue to cause Pillow to crash,

resulting in a denial of service, or possibly execute arbitrary code.

(CVE-2016-9190)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  python-imaging                  3.3.1-1ubuntu0.1
  python-pil                      3.3.1-1ubuntu0.1
  python3-pil                     3.3.1-1ubuntu0.1

Ubuntu 16.04 LTS:
  python-imaging                  3.1.2-0ubuntu1.1
  python-pil                      3.1.2-0ubuntu1.1
  python3-pil                     3.1.2-0ubuntu1.1

Ubuntu 14.04 LTS:
  python-imaging                  2.3.0-1ubuntu3.4
  python-pil                      2.3.0-1ubuntu3.4
  python3-imaging                 2.3.0-1ubuntu3.4
  python3-pil                     2.3.0-1ubuntu3.4

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3230-1

CVE-2014-9601, CVE-2016-9189, CVE-2016-9190

Severity
critical
Lowest
Low
Medium
High
Critical

March 13, 2017

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.