An update for python-pillow is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1127
Final
1.0
1.0
2021-04-07
Initial
2021-04-07
2021-04-07
openEuler SA Tool V1.0
2021-04-07
python-pillow security update
An update for python-pillow is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1.
Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.
Security Fix(es):
In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled. (CVE-2020-35655)
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. (CVE-2021-27921)
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. (CVE-2021-27922)
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. (CVE-2021-27923)
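The three memory-consumption fixes above share one root cause: a container's directory entry and the image embedded in it each report a size, and the decoder allocated on that claim before checking it. The following added example (not from the advisory or from Pillow) shows the kind of pre-decode check an application can run on an ICO file with only the standard library: it cross-checks each directory entry against the file length and against the size the embedded PNG or DIB header claims, and rejects any claim above a pixel budget before a decoder allocates for it. MAX_PIXELS, build_ico and the PNG-header-only sample input are constructed for the example and are not Pillow constants or real icons.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 4096 * 4096  # assumed per-image budget, not a Pillow constant

def ico_entries(data):
    """Yield (index, width, height, size, offset) for each ICONDIRENTRY."""
    if len(data) < 6:
        raise ValueError("truncated ICONDIR header")
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO container")
    for i in range(count):
        if 6 + 16 * (i + 1) > len(data):
            raise ValueError(f"directory entry {i} truncated")
        w, h, _c, _r, _p, _bpp, size, offset = struct.unpack_from("<BBBBHHII", data, 6 + 16 * i)
        yield i, w or 256, h or 256, size, offset  # 0 in the 1-byte field means 256

def contained_size(payload):
    """Width/height the embedded PNG (IHDR) or DIB (BITMAPINFOHEADER) claims for itself."""
    if payload[:8] == PNG_SIG and len(payload) >= 24:
        return struct.unpack_from(">II", payload, 16)
    if len(payload) >= 12:
        _hdr, w, h = struct.unpack_from("<Iii", payload, 0)
        return abs(w), abs(h) // 2  # a DIB inside an ICO doubles the height for the AND mask
    return None

def check_ico(data, max_pixels=MAX_PIXELS):
    """Reasons to reject the file before a decoder allocates for it (empty list = ok)."""
    problems = []
    for i, w, h, size, offset in ico_entries(data):
        # Only trust the payload slice if the directory entry actually fits in the file.
        claimed = contained_size(data[offset:offset + size]) if offset + size <= len(data) else None
        if claimed is None:
            problems.append(f"entry {i}: payload missing, truncated, or header unreadable")
        elif claimed[0] * claimed[1] > max_pixels:
            problems.append(f"entry {i}: contained image claims {claimed[0]}x{claimed[1]}, over pixel budget")
        elif claimed != (w, h):
            problems.append(f"entry {i}: directory says {w}x{h}, contained image claims {claimed[0]}x{claimed[1]}")
    return problems

def build_ico(images):
    """Constructed input: (dir_w, dir_h, png_w, png_h) tuples become PNG-header-only entries."""
    pngs = [PNG_SIG + struct.pack(">I", 13) + b"IHDR" + struct.pack(">IIBBBBB", cw, ch, 8, 6, 0, 0, 0)
            for _, _, cw, ch in images]
    entries, body, offset = b"", b"", 6 + 16 * len(images)
    for (w, h, _, _), p in zip(images, pngs):
        entries += struct.pack("<BBBBHHII", w % 256, h % 256, 0, 0, 1, 32, len(p), offset)
        body, offset = body + p, offset + len(p)
    return struct.pack("<HHH", 0, 1, len(images)) + entries + body
```

The same pattern (compare the container's declared geometry with what the embedded image claims, and cap it) applies to the BLP and ICNS cases named in the advisory; only the header layouts differ.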
openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
python-pillow
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1127
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-35655
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-27921
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-27922
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-27923
https://nvd.nist.gov/vuln/detail/CVE-2020-35655
https://nvd.nist.gov/vuln/detail/CVE-2021-27921
https://nvd.nist.gov/vuln/detail/CVE-2021-27922
https://nvd.nist.gov/vuln/detail/CVE-2021-27923
openEuler-20.03-LTS
openEuler-20.03-LTS-SP1
python-pillow-debugsource-5.3.0-13.oe1.aarch64.rpm
python-pillow-debuginfo-5.3.0-13.oe1.aarch64.rpm
python2-pillow-devel-5.3.0-13.oe1.aarch64.rpm
python3-pillow-devel-5.3.0-13.oe1.aarch64.rpm
python3-pillow-5.3.0-13.oe1.aarch64.rpm
python2-pillow-5.3.0-13.oe1.aarch64.rpm
python-pillow-debuginfo-8.1.1-2.oe1.aarch64.rpm
python-pillow-debugsource-8.1.1-2.oe1.aarch64.rpm
python3-pillow-devel-8.1.1-2.oe1.aarch64.rpm
python3-pillow-qt-8.1.1-2.oe1.aarch64.rpm
python3-pillow-tk-8.1.1-2.oe1.aarch64.rpm
python3-pillow-8.1.1-2.oe1.aarch64.rpm
python3-pillow-help-5.3.0-13.oe1.noarch.rpm
python2-pillow-help-5.3.0-13.oe1.noarch.rpm
python3-pillow-help-8.1.1-2.oe1.noarch.rpm
python-pillow-5.3.0-13.oe1.src.rpm
python-pillow-8.1.1-2.oe1.src.rpm
python3-pillow-devel-5.3.0-13.oe1.x86_64.rpm
python2-pillow-5.3.0-13.oe1.x86_64.rpm
python3-pillow-5.3.0-13.oe1.x86_64.rpm
python-pillow-debuginfo-5.3.0-13.oe1.x86_64.rpm
python2-pillow-devel-5.3.0-13.oe1.x86_64.rpm
python-pillow-debugsource-5.3.0-13.oe1.x86_64.rpm
python3-pillow-qt-8.1.1-2.oe1.x86_64.rpm
python3-pillow-tk-8.1.1-2.oe1.x86_64.rpm
python3-pillow-8.1.1-2.oe1.x86_64.rpm
python-pillow-debuginfo-8.1.1-2.oe1.x86_64.rpm
python3-pillow-devel-8.1.1-2.oe1.x86_64.rpm
python-pillow-debugsource-8.1.1-2.oe1.x86_64.rpm
In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.
2021-04-07
CVE-2020-35655
openEuler-20.03-LTS
Medium
5.4
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
python-pillow security update
2021-04-07
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1127
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.
2021-04-07
CVE-2021-27921
openEuler-20.03-LTS
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
python-pillow security update
2021-04-07
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1127
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.
2021-04-07
CVE-2021-27922
openEuler-20.03-LTS
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
python-pillow security update
2021-04-07
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1127
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.
2021-04-07
CVE-2021-27923
openEuler-20.03-LTS
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
python-pillow security update
2021-04-07
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1127