Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2020-35655 (GCVE-0-2020-35655)
Vulnerability from cvelistv5
Published
2021-01-12 08:08
Modified
2024-08-04 17:09
Severity ?
EPSS score ?
Summary
In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T17:09:14.831Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", }, { name: "FEDORA-2021-a8ddc1ce70", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/", }, { name: "FEDORA-2021-880aa7bd27", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-01-24T02:06:07", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", }, { name: "FEDORA-2021-a8ddc1ce70", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/", }, { name: "FEDORA-2021-880aa7bd27", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-35655", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", refsource: "MISC", url: "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", }, { name: "FEDORA-2021-a8ddc1ce70", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/", }, { name: "FEDORA-2021-880aa7bd27", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2020-35655", datePublished: "2021-01-12T08:08:47", dateReserved: "2020-12-23T00:00:00", dateUpdated: "2024-08-04T17:09:14.831Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.3.0\", \"versionEndExcluding\": \"8.1.0\", \"matchCriteriaId\": \"6A90CD66-3F45-4C16-9B6A-3B5F68A97E0A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"36D96259-24BD-44E2-96D9-78CE1D41F956\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.\"}, {\"lang\": \"es\", \"value\": \"En Pillow versiones anteriores a 8.1.0, la funci\\u00f3n SGIRleDecode presenta una lectura excesiva de b\\u00fafer de 4 bytes cuando se decodifican archivos de imagen SGI RLE dise\\u00f1ados porque unas compensaciones y unas tablas de longitud se manejan inapropiadamente\"}]", id: "CVE-2020-35655", lastModified: "2024-11-21T05:27:46.460", metrics: "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.5}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:P\", \"baseScore\": 5.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}", published: "2021-01-12T09:15:13.967", references: "[{\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://pillow.readthedocs.io/en/stable/releasenotes/index.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://pillow.readthedocs.io/en/stable/releasenotes/index.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}]", sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-125\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2020-35655\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-01-12T09:15:13.967\",\"lastModified\":\"2024-11-21T05:27:46.460\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.\"},{\"lang\":\"es\",\"value\":\"En Pillow versiones anteriores a 8.1.0, la función SGIRleDecode presenta una lectura excesiva de búfer de 4 bytes cuando se decodifican archivos de imagen SGI RLE diseñados porque unas compensaciones y unas tablas de longitud se manejan inapropiadamente\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:P\",\"baseScore\":5.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.3.0\",\"versionEndExcluding\":\"8.1.0\",\"matchCriteriaId\":\"6A90CD66-3F45-4C16-9B6A-3B5F68A97E0A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}]}]}],\"references\":[{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://pillow.readthedocs.io/en/stable/releasenotes/index.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://pillow.readthedocs.io/en/stable/releasenotes/index.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]}]}}", }, }
opensuse-su-2024:13827-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
python310-Pillow-10.3.0-1.1 on GA media
Notes
Title of the patch
python310-Pillow-10.3.0-1.1 on GA media
Description of the patch
These are all security issues fixed in the python310-Pillow-10.3.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-13827
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "python310-Pillow-10.3.0-1.1 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the python310-Pillow-10.3.0-1.1 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-13827", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13827-1.json", }, { category: "self", summary: "SUSE CVE CVE-2014-3589 page", url: "https://www.suse.com/security/cve/CVE-2014-3589/", }, { category: "self", summary: "SUSE CVE CVE-2014-3598 page", url: "https://www.suse.com/security/cve/CVE-2014-3598/", }, { category: "self", summary: "SUSE CVE CVE-2016-0740 page", url: "https://www.suse.com/security/cve/CVE-2016-0740/", }, { category: "self", summary: "SUSE CVE CVE-2016-0775 page", url: "https://www.suse.com/security/cve/CVE-2016-0775/", }, { category: "self", summary: "SUSE CVE CVE-2016-3076 page", url: "https://www.suse.com/security/cve/CVE-2016-3076/", }, { category: "self", summary: "SUSE CVE CVE-2020-15999 page", url: "https://www.suse.com/security/cve/CVE-2020-15999/", }, { category: "self", summary: "SUSE CVE CVE-2020-35653 page", url: "https://www.suse.com/security/cve/CVE-2020-35653/", }, { category: "self", summary: "SUSE CVE CVE-2020-35654 page", url: "https://www.suse.com/security/cve/CVE-2020-35654/", }, { category: "self", summary: "SUSE CVE CVE-2020-35655 page", url: "https://www.suse.com/security/cve/CVE-2020-35655/", }, { category: "self", summary: "SUSE CVE CVE-2021-23437 page", url: "https://www.suse.com/security/cve/CVE-2021-23437/", }, { category: "self", summary: "SUSE CVE CVE-2021-25289 page", url: "https://www.suse.com/security/cve/CVE-2021-25289/", }, { category: "self", summary: "SUSE CVE CVE-2021-25290 page", url: "https://www.suse.com/security/cve/CVE-2021-25290/", }, { category: "self", summary: "SUSE CVE CVE-2021-25291 page", url: "https://www.suse.com/security/cve/CVE-2021-25291/", }, { category: "self", summary: "SUSE CVE CVE-2021-25292 page", url: "https://www.suse.com/security/cve/CVE-2021-25292/", }, { category: "self", summary: "SUSE CVE CVE-2021-25293 page", url: "https://www.suse.com/security/cve/CVE-2021-25293/", }, { category: "self", summary: "SUSE CVE CVE-2021-27921 page", url: "https://www.suse.com/security/cve/CVE-2021-27921/", }, { category: "self", summary: "SUSE CVE CVE-2021-34552 page", url: "https://www.suse.com/security/cve/CVE-2021-34552/", }, { category: "self", summary: "SUSE CVE CVE-2024-28219 page", url: "https://www.suse.com/security/cve/CVE-2024-28219/", }, ], title: "python310-Pillow-10.3.0-1.1 on GA media", tracking: { current_release_date: "2024-06-15T00:00:00Z", generator: { date: "2024-06-15T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:13827-1", initial_release_date: "2024-06-15T00:00:00Z", revision_history: [ { date: "2024-06-15T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python310-Pillow-10.3.0-1.1.aarch64", product: { name: "python310-Pillow-10.3.0-1.1.aarch64", product_id: "python310-Pillow-10.3.0-1.1.aarch64", }, }, { category: "product_version", name: "python310-Pillow-tk-10.3.0-1.1.aarch64", product: { name: "python310-Pillow-tk-10.3.0-1.1.aarch64", product_id: "python310-Pillow-tk-10.3.0-1.1.aarch64", }, }, { category: "product_version", name: "python311-Pillow-10.3.0-1.1.aarch64", product: { name: "python311-Pillow-10.3.0-1.1.aarch64", product_id: "python311-Pillow-10.3.0-1.1.aarch64", }, }, { category: "product_version", name: "python311-Pillow-tk-10.3.0-1.1.aarch64", product: { name: "python311-Pillow-tk-10.3.0-1.1.aarch64", product_id: "python311-Pillow-tk-10.3.0-1.1.aarch64", }, }, { category: "product_version", name: "python312-Pillow-10.3.0-1.1.aarch64", product: { name: "python312-Pillow-10.3.0-1.1.aarch64", product_id: "python312-Pillow-10.3.0-1.1.aarch64", }, }, { category: "product_version", name: "python312-Pillow-tk-10.3.0-1.1.aarch64", product: { name: "python312-Pillow-tk-10.3.0-1.1.aarch64", product_id: "python312-Pillow-tk-10.3.0-1.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "python310-Pillow-10.3.0-1.1.ppc64le", product: { name: "python310-Pillow-10.3.0-1.1.ppc64le", product_id: "python310-Pillow-10.3.0-1.1.ppc64le", }, }, { category: "product_version", name: "python310-Pillow-tk-10.3.0-1.1.ppc64le", product: { name: "python310-Pillow-tk-10.3.0-1.1.ppc64le", product_id: "python310-Pillow-tk-10.3.0-1.1.ppc64le", }, }, { category: "product_version", name: "python311-Pillow-10.3.0-1.1.ppc64le", product: { name: "python311-Pillow-10.3.0-1.1.ppc64le", product_id: "python311-Pillow-10.3.0-1.1.ppc64le", }, }, { category: "product_version", name: "python311-Pillow-tk-10.3.0-1.1.ppc64le", product: { name: "python311-Pillow-tk-10.3.0-1.1.ppc64le", product_id: "python311-Pillow-tk-10.3.0-1.1.ppc64le", }, }, { category: "product_version", name: "python312-Pillow-10.3.0-1.1.ppc64le", product: { name: "python312-Pillow-10.3.0-1.1.ppc64le", product_id: "python312-Pillow-10.3.0-1.1.ppc64le", }, }, { category: "product_version", name: "python312-Pillow-tk-10.3.0-1.1.ppc64le", product: { name: "python312-Pillow-tk-10.3.0-1.1.ppc64le", product_id: "python312-Pillow-tk-10.3.0-1.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "python310-Pillow-10.3.0-1.1.s390x", product: { name: "python310-Pillow-10.3.0-1.1.s390x", product_id: "python310-Pillow-10.3.0-1.1.s390x", }, }, { category: "product_version", name: "python310-Pillow-tk-10.3.0-1.1.s390x", product: { name: "python310-Pillow-tk-10.3.0-1.1.s390x", product_id: "python310-Pillow-tk-10.3.0-1.1.s390x", }, }, { category: "product_version", name: "python311-Pillow-10.3.0-1.1.s390x", product: { name: "python311-Pillow-10.3.0-1.1.s390x", product_id: "python311-Pillow-10.3.0-1.1.s390x", }, }, { category: "product_version", name: "python311-Pillow-tk-10.3.0-1.1.s390x", product: { name: "python311-Pillow-tk-10.3.0-1.1.s390x", product_id: "python311-Pillow-tk-10.3.0-1.1.s390x", }, }, { category: "product_version", name: "python312-Pillow-10.3.0-1.1.s390x", product: { name: "python312-Pillow-10.3.0-1.1.s390x", product_id: "python312-Pillow-10.3.0-1.1.s390x", }, }, { category: "product_version", name: "python312-Pillow-tk-10.3.0-1.1.s390x", product: { name: "python312-Pillow-tk-10.3.0-1.1.s390x", product_id: "python312-Pillow-tk-10.3.0-1.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "python310-Pillow-10.3.0-1.1.x86_64", product: { name: "python310-Pillow-10.3.0-1.1.x86_64", product_id: "python310-Pillow-10.3.0-1.1.x86_64", }, }, { category: "product_version", name: "python310-Pillow-tk-10.3.0-1.1.x86_64", product: { name: "python310-Pillow-tk-10.3.0-1.1.x86_64", product_id: "python310-Pillow-tk-10.3.0-1.1.x86_64", }, }, { category: "product_version", name: "python311-Pillow-10.3.0-1.1.x86_64", product: { name: "python311-Pillow-10.3.0-1.1.x86_64", product_id: "python311-Pillow-10.3.0-1.1.x86_64", }, }, { category: "product_version", name: "python311-Pillow-tk-10.3.0-1.1.x86_64", product: { name: "python311-Pillow-tk-10.3.0-1.1.x86_64", product_id: "python311-Pillow-tk-10.3.0-1.1.x86_64", }, }, { category: "product_version", name: "python312-Pillow-10.3.0-1.1.x86_64", product: { name: "python312-Pillow-10.3.0-1.1.x86_64", product_id: "python312-Pillow-10.3.0-1.1.x86_64", }, }, { category: "product_version", name: "python312-Pillow-tk-10.3.0-1.1.x86_64", product: { name: "python312-Pillow-tk-10.3.0-1.1.x86_64", product_id: "python312-Pillow-tk-10.3.0-1.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python310-Pillow-10.3.0-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", }, product_reference: "python310-Pillow-10.3.0-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Pillow-10.3.0-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", }, product_reference: "python310-Pillow-10.3.0-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Pillow-10.3.0-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", }, product_reference: "python310-Pillow-10.3.0-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Pillow-10.3.0-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", }, product_reference: "python310-Pillow-10.3.0-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Pillow-tk-10.3.0-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", }, product_reference: "python310-Pillow-tk-10.3.0-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Pillow-tk-10.3.0-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", }, product_reference: "python310-Pillow-tk-10.3.0-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Pillow-tk-10.3.0-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", }, product_reference: "python310-Pillow-tk-10.3.0-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Pillow-tk-10.3.0-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", }, product_reference: "python310-Pillow-tk-10.3.0-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Pillow-10.3.0-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", }, product_reference: "python311-Pillow-10.3.0-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Pillow-10.3.0-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", }, product_reference: "python311-Pillow-10.3.0-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Pillow-10.3.0-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", }, product_reference: "python311-Pillow-10.3.0-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Pillow-10.3.0-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", }, product_reference: "python311-Pillow-10.3.0-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Pillow-tk-10.3.0-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", }, product_reference: "python311-Pillow-tk-10.3.0-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Pillow-tk-10.3.0-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", }, product_reference: "python311-Pillow-tk-10.3.0-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Pillow-tk-10.3.0-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", }, product_reference: "python311-Pillow-tk-10.3.0-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Pillow-tk-10.3.0-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", }, product_reference: "python311-Pillow-tk-10.3.0-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Pillow-10.3.0-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", }, product_reference: "python312-Pillow-10.3.0-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Pillow-10.3.0-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", }, product_reference: "python312-Pillow-10.3.0-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Pillow-10.3.0-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", }, product_reference: "python312-Pillow-10.3.0-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Pillow-10.3.0-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", }, product_reference: "python312-Pillow-10.3.0-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Pillow-tk-10.3.0-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", }, product_reference: "python312-Pillow-tk-10.3.0-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Pillow-tk-10.3.0-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", }, product_reference: "python312-Pillow-tk-10.3.0-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Pillow-tk-10.3.0-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", }, product_reference: "python312-Pillow-tk-10.3.0-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Pillow-tk-10.3.0-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", }, product_reference: "python312-Pillow-tk-10.3.0-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2014-3589", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-3589", }, ], notes: [ { category: "general", text: "PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2014-3589", url: "https://www.suse.com/security/cve/CVE-2014-3589", }, { category: "external", summary: "SUSE Bug 921566 for CVE-2014-3589", url: "https://bugzilla.suse.com/921566", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2014-3589", }, { cve: "CVE-2014-3598", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-3598", }, ], notes: [ { category: "general", text: "The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2014-3598", url: "https://www.suse.com/security/cve/CVE-2014-3598", }, { category: "external", summary: "SUSE Bug 921566 for CVE-2014-3598", url: "https://bugzilla.suse.com/921566", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2014-3598", }, { cve: "CVE-2016-0740", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-0740", }, ], notes: [ { category: "general", text: "Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2016-0740", url: "https://www.suse.com/security/cve/CVE-2016-0740", }, { category: "external", summary: "SUSE Bug 965579 for CVE-2016-0740", url: "https://bugzilla.suse.com/965579", }, { category: "external", summary: "SUSE Bug 965582 for CVE-2016-0740", url: "https://bugzilla.suse.com/965582", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2016-0740", }, { cve: "CVE-2016-0775", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-0775", }, ], notes: [ { category: "general", text: "Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2016-0775", url: "https://www.suse.com/security/cve/CVE-2016-0775", }, { category: "external", summary: "SUSE Bug 965579 for CVE-2016-0775", url: "https://bugzilla.suse.com/965579", }, { category: "external", summary: "SUSE Bug 965582 for CVE-2016-0775", url: "https://bugzilla.suse.com/965582", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2016-0775", }, { cve: "CVE-2016-3076", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-3076", }, ], notes: [ { category: "general", text: "Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2016-3076", url: "https://www.suse.com/security/cve/CVE-2016-3076", }, { category: "external", summary: "SUSE Bug 973786 for CVE-2016-3076", url: "https://bugzilla.suse.com/973786", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2016-3076", }, { cve: "CVE-2020-15999", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-15999", }, ], notes: [ { category: "general", text: "Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-15999", url: "https://www.suse.com/security/cve/CVE-2020-15999", }, { category: "external", summary: "SUSE Bug 1177914 for CVE-2020-15999", url: "https://bugzilla.suse.com/1177914", }, { category: "external", summary: "SUSE Bug 1177936 for CVE-2020-15999", url: "https://bugzilla.suse.com/1177936", }, { category: "external", summary: "SUSE Bug 1178824 for CVE-2020-15999", url: "https://bugzilla.suse.com/1178824", }, { category: "external", summary: "SUSE Bug 1178894 for CVE-2020-15999", url: "https://bugzilla.suse.com/1178894", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-15999", }, { cve: "CVE-2020-35653", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-35653", }, ], notes: [ { category: "general", text: "In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-35653", url: "https://www.suse.com/security/cve/CVE-2020-35653", }, { category: "external", summary: "SUSE Bug 1180834 for CVE-2020-35653", url: "https://bugzilla.suse.com/1180834", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-35653", }, { cve: "CVE-2020-35654", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-35654", }, ], notes: [ { category: "general", text: "In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-35654", url: "https://www.suse.com/security/cve/CVE-2020-35654", }, { category: "external", summary: "SUSE Bug 1180833 for CVE-2020-35654", url: "https://bugzilla.suse.com/1180833", }, { category: "external", summary: "SUSE Bug 1183103 for CVE-2020-35654", url: "https://bugzilla.suse.com/1183103", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-35654", }, { cve: "CVE-2020-35655", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-35655", }, ], notes: [ { category: "general", text: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-35655", url: "https://www.suse.com/security/cve/CVE-2020-35655", }, { category: "external", summary: "SUSE Bug 1180832 for CVE-2020-35655", url: "https://bugzilla.suse.com/1180832", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-35655", }, { cve: "CVE-2021-23437", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-23437", }, ], notes: [ { category: "general", text: "The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-23437", url: "https://www.suse.com/security/cve/CVE-2021-23437", }, { category: "external", summary: "SUSE Bug 1190229 for CVE-2021-23437", url: "https://bugzilla.suse.com/1190229", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-23437", }, { cve: "CVE-2021-25289", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25289", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25289", url: "https://www.suse.com/security/cve/CVE-2021-25289", }, { category: "external", summary: "SUSE Bug 1183103 for CVE-2021-25289", url: "https://bugzilla.suse.com/1183103", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2021-25289", }, { cve: "CVE-2021-25290", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25290", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25290", url: "https://www.suse.com/security/cve/CVE-2021-25290", }, { category: "external", summary: "SUSE Bug 1183105 for CVE-2021-25290", url: "https://bugzilla.suse.com/1183105", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-25290", }, { cve: "CVE-2021-25291", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25291", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25291", url: "https://www.suse.com/security/cve/CVE-2021-25291", }, { category: "external", summary: "SUSE Bug 1183106 for CVE-2021-25291", url: "https://bugzilla.suse.com/1183106", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-25291", }, { cve: "CVE-2021-25292", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25292", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25292", url: "https://www.suse.com/security/cve/CVE-2021-25292", }, { category: "external", summary: "SUSE Bug 1183101 for CVE-2021-25292", url: "https://bugzilla.suse.com/1183101", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-25292", }, { cve: "CVE-2021-25293", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25293", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25293", url: "https://www.suse.com/security/cve/CVE-2021-25293", }, { category: "external", summary: "SUSE Bug 1183102 for CVE-2021-25293", url: "https://bugzilla.suse.com/1183102", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-25293", }, { cve: "CVE-2021-27921", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-27921", }, ], notes: [ { category: "general", text: "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-27921", url: "https://www.suse.com/security/cve/CVE-2021-27921", }, { category: "external", summary: "SUSE Bug 1183110 for CVE-2021-27921", url: "https://bugzilla.suse.com/1183110", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-27921", }, { cve: "CVE-2021-34552", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-34552", }, ], notes: [ { category: "general", text: "Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-34552", url: "https://www.suse.com/security/cve/CVE-2021-34552", }, { category: "external", summary: "SUSE Bug 1188574 for CVE-2021-34552", url: "https://bugzilla.suse.com/1188574", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-34552", }, { cve: "CVE-2024-28219", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-28219", }, ], notes: [ { category: "general", text: "In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-28219", url: "https://www.suse.com/security/cve/CVE-2024-28219", }, { category: "external", summary: "SUSE Bug 1222262 for CVE-2024-28219", url: "https://bugzilla.suse.com/1222262", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.3, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python310-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python311-Pillow-tk-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-10.3.0-1.1.x86_64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.aarch64", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.ppc64le", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.s390x", "openSUSE Tumbleweed:python312-Pillow-tk-10.3.0-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2024-28219", }, ], }
opensuse-su-2024:11209-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
python36-Pillow-8.3.2-1.2 on GA media
Notes
Title of the patch
python36-Pillow-8.3.2-1.2 on GA media
Description of the patch
These are all security issues fixed in the python36-Pillow-8.3.2-1.2 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-11209
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "python36-Pillow-8.3.2-1.2 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the python36-Pillow-8.3.2-1.2 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-11209", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11209-1.json", }, { category: "self", summary: "SUSE CVE CVE-2014-3589 page", url: "https://www.suse.com/security/cve/CVE-2014-3589/", }, { category: "self", summary: "SUSE CVE CVE-2014-3598 page", url: "https://www.suse.com/security/cve/CVE-2014-3598/", }, { category: "self", summary: "SUSE CVE CVE-2016-0740 page", url: "https://www.suse.com/security/cve/CVE-2016-0740/", }, { category: "self", summary: "SUSE CVE CVE-2016-0775 page", url: "https://www.suse.com/security/cve/CVE-2016-0775/", }, { category: "self", summary: "SUSE CVE CVE-2016-3076 page", url: "https://www.suse.com/security/cve/CVE-2016-3076/", }, { category: "self", summary: "SUSE CVE CVE-2020-15999 page", url: "https://www.suse.com/security/cve/CVE-2020-15999/", }, { category: "self", summary: "SUSE CVE CVE-2020-35653 page", url: "https://www.suse.com/security/cve/CVE-2020-35653/", }, { category: "self", summary: "SUSE CVE CVE-2020-35654 page", url: "https://www.suse.com/security/cve/CVE-2020-35654/", }, { category: "self", summary: "SUSE CVE CVE-2020-35655 page", url: "https://www.suse.com/security/cve/CVE-2020-35655/", }, { category: "self", summary: "SUSE CVE CVE-2021-23437 page", url: "https://www.suse.com/security/cve/CVE-2021-23437/", }, { category: "self", summary: "SUSE CVE CVE-2021-25289 page", url: "https://www.suse.com/security/cve/CVE-2021-25289/", }, { category: "self", summary: "SUSE CVE CVE-2021-25290 page", url: "https://www.suse.com/security/cve/CVE-2021-25290/", }, { category: "self", summary: "SUSE CVE CVE-2021-25291 page", url: "https://www.suse.com/security/cve/CVE-2021-25291/", }, { category: "self", summary: "SUSE CVE CVE-2021-25292 page", url: "https://www.suse.com/security/cve/CVE-2021-25292/", }, { category: "self", summary: "SUSE CVE CVE-2021-25293 page", url: "https://www.suse.com/security/cve/CVE-2021-25293/", }, { category: "self", summary: "SUSE CVE CVE-2021-27921 page", url: "https://www.suse.com/security/cve/CVE-2021-27921/", }, { category: "self", summary: "SUSE CVE CVE-2021-34552 page", url: "https://www.suse.com/security/cve/CVE-2021-34552/", }, ], title: "python36-Pillow-8.3.2-1.2 on GA media", tracking: { current_release_date: "2024-06-15T00:00:00Z", generator: { date: "2024-06-15T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:11209-1", initial_release_date: "2024-06-15T00:00:00Z", revision_history: [ { date: "2024-06-15T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python36-Pillow-8.3.2-1.2.aarch64", product: { name: "python36-Pillow-8.3.2-1.2.aarch64", product_id: "python36-Pillow-8.3.2-1.2.aarch64", }, }, { category: "product_version", name: "python36-Pillow-tk-8.3.2-1.2.aarch64", product: { name: "python36-Pillow-tk-8.3.2-1.2.aarch64", product_id: "python36-Pillow-tk-8.3.2-1.2.aarch64", }, }, { category: "product_version", name: "python38-Pillow-8.3.2-1.2.aarch64", product: { name: "python38-Pillow-8.3.2-1.2.aarch64", product_id: "python38-Pillow-8.3.2-1.2.aarch64", }, }, { category: "product_version", name: "python38-Pillow-tk-8.3.2-1.2.aarch64", product: { name: "python38-Pillow-tk-8.3.2-1.2.aarch64", product_id: "python38-Pillow-tk-8.3.2-1.2.aarch64", }, }, { category: "product_version", name: "python39-Pillow-8.3.2-1.2.aarch64", product: { name: "python39-Pillow-8.3.2-1.2.aarch64", product_id: "python39-Pillow-8.3.2-1.2.aarch64", }, }, { category: "product_version", name: "python39-Pillow-tk-8.3.2-1.2.aarch64", product: { name: "python39-Pillow-tk-8.3.2-1.2.aarch64", product_id: "python39-Pillow-tk-8.3.2-1.2.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "python36-Pillow-8.3.2-1.2.ppc64le", product: { name: "python36-Pillow-8.3.2-1.2.ppc64le", product_id: "python36-Pillow-8.3.2-1.2.ppc64le", }, }, { category: "product_version", name: "python36-Pillow-tk-8.3.2-1.2.ppc64le", product: { name: "python36-Pillow-tk-8.3.2-1.2.ppc64le", product_id: "python36-Pillow-tk-8.3.2-1.2.ppc64le", }, }, { category: "product_version", name: "python38-Pillow-8.3.2-1.2.ppc64le", product: { name: "python38-Pillow-8.3.2-1.2.ppc64le", product_id: "python38-Pillow-8.3.2-1.2.ppc64le", }, }, { category: "product_version", name: "python38-Pillow-tk-8.3.2-1.2.ppc64le", product: { name: "python38-Pillow-tk-8.3.2-1.2.ppc64le", product_id: "python38-Pillow-tk-8.3.2-1.2.ppc64le", }, }, { category: "product_version", name: "python39-Pillow-8.3.2-1.2.ppc64le", product: { name: "python39-Pillow-8.3.2-1.2.ppc64le", product_id: "python39-Pillow-8.3.2-1.2.ppc64le", }, }, { category: "product_version", name: "python39-Pillow-tk-8.3.2-1.2.ppc64le", product: { name: "python39-Pillow-tk-8.3.2-1.2.ppc64le", product_id: "python39-Pillow-tk-8.3.2-1.2.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "python36-Pillow-8.3.2-1.2.s390x", product: { name: "python36-Pillow-8.3.2-1.2.s390x", product_id: "python36-Pillow-8.3.2-1.2.s390x", }, }, { category: "product_version", name: "python36-Pillow-tk-8.3.2-1.2.s390x", product: { name: "python36-Pillow-tk-8.3.2-1.2.s390x", product_id: "python36-Pillow-tk-8.3.2-1.2.s390x", }, }, { category: "product_version", name: "python38-Pillow-8.3.2-1.2.s390x", product: { name: "python38-Pillow-8.3.2-1.2.s390x", product_id: "python38-Pillow-8.3.2-1.2.s390x", }, }, { category: "product_version", name: "python38-Pillow-tk-8.3.2-1.2.s390x", product: { name: "python38-Pillow-tk-8.3.2-1.2.s390x", product_id: "python38-Pillow-tk-8.3.2-1.2.s390x", }, }, { category: "product_version", name: "python39-Pillow-8.3.2-1.2.s390x", product: { name: "python39-Pillow-8.3.2-1.2.s390x", product_id: "python39-Pillow-8.3.2-1.2.s390x", }, }, { category: "product_version", name: "python39-Pillow-tk-8.3.2-1.2.s390x", product: { name: "python39-Pillow-tk-8.3.2-1.2.s390x", product_id: "python39-Pillow-tk-8.3.2-1.2.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "python36-Pillow-8.3.2-1.2.x86_64", product: { name: "python36-Pillow-8.3.2-1.2.x86_64", product_id: "python36-Pillow-8.3.2-1.2.x86_64", }, }, { category: "product_version", name: "python36-Pillow-tk-8.3.2-1.2.x86_64", product: { name: "python36-Pillow-tk-8.3.2-1.2.x86_64", product_id: "python36-Pillow-tk-8.3.2-1.2.x86_64", }, }, { category: "product_version", name: "python38-Pillow-8.3.2-1.2.x86_64", product: { name: "python38-Pillow-8.3.2-1.2.x86_64", product_id: "python38-Pillow-8.3.2-1.2.x86_64", }, }, { category: "product_version", name: "python38-Pillow-tk-8.3.2-1.2.x86_64", product: { name: "python38-Pillow-tk-8.3.2-1.2.x86_64", product_id: "python38-Pillow-tk-8.3.2-1.2.x86_64", }, }, { category: "product_version", name: "python39-Pillow-8.3.2-1.2.x86_64", product: { name: "python39-Pillow-8.3.2-1.2.x86_64", product_id: "python39-Pillow-8.3.2-1.2.x86_64", }, }, { category: "product_version", name: "python39-Pillow-tk-8.3.2-1.2.x86_64", product: { name: "python39-Pillow-tk-8.3.2-1.2.x86_64", product_id: "python39-Pillow-tk-8.3.2-1.2.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python36-Pillow-8.3.2-1.2.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", }, product_reference: "python36-Pillow-8.3.2-1.2.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python36-Pillow-8.3.2-1.2.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", }, product_reference: "python36-Pillow-8.3.2-1.2.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python36-Pillow-8.3.2-1.2.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", }, product_reference: "python36-Pillow-8.3.2-1.2.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python36-Pillow-8.3.2-1.2.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", }, product_reference: "python36-Pillow-8.3.2-1.2.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python36-Pillow-tk-8.3.2-1.2.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", }, product_reference: "python36-Pillow-tk-8.3.2-1.2.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python36-Pillow-tk-8.3.2-1.2.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", }, product_reference: "python36-Pillow-tk-8.3.2-1.2.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python36-Pillow-tk-8.3.2-1.2.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", }, product_reference: "python36-Pillow-tk-8.3.2-1.2.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python36-Pillow-tk-8.3.2-1.2.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", }, product_reference: "python36-Pillow-tk-8.3.2-1.2.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-Pillow-8.3.2-1.2.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", }, product_reference: "python38-Pillow-8.3.2-1.2.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-Pillow-8.3.2-1.2.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", }, product_reference: "python38-Pillow-8.3.2-1.2.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-Pillow-8.3.2-1.2.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", }, product_reference: "python38-Pillow-8.3.2-1.2.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-Pillow-8.3.2-1.2.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", }, product_reference: "python38-Pillow-8.3.2-1.2.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-Pillow-tk-8.3.2-1.2.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", }, product_reference: "python38-Pillow-tk-8.3.2-1.2.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-Pillow-tk-8.3.2-1.2.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", }, product_reference: "python38-Pillow-tk-8.3.2-1.2.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-Pillow-tk-8.3.2-1.2.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", }, product_reference: "python38-Pillow-tk-8.3.2-1.2.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-Pillow-tk-8.3.2-1.2.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", }, product_reference: "python38-Pillow-tk-8.3.2-1.2.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-Pillow-8.3.2-1.2.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", }, product_reference: "python39-Pillow-8.3.2-1.2.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-Pillow-8.3.2-1.2.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", }, product_reference: "python39-Pillow-8.3.2-1.2.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-Pillow-8.3.2-1.2.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", }, product_reference: "python39-Pillow-8.3.2-1.2.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-Pillow-8.3.2-1.2.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", }, product_reference: "python39-Pillow-8.3.2-1.2.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-Pillow-tk-8.3.2-1.2.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", }, product_reference: "python39-Pillow-tk-8.3.2-1.2.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-Pillow-tk-8.3.2-1.2.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", }, product_reference: "python39-Pillow-tk-8.3.2-1.2.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-Pillow-tk-8.3.2-1.2.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", }, product_reference: "python39-Pillow-tk-8.3.2-1.2.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-Pillow-tk-8.3.2-1.2.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", }, product_reference: "python39-Pillow-tk-8.3.2-1.2.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2014-3589", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-3589", }, ], notes: [ { category: "general", text: "PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2014-3589", url: "https://www.suse.com/security/cve/CVE-2014-3589", }, { category: "external", summary: "SUSE Bug 921566 for CVE-2014-3589", url: "https://bugzilla.suse.com/921566", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2014-3589", }, { cve: "CVE-2014-3598", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-3598", }, ], notes: [ { category: "general", text: "The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2014-3598", url: "https://www.suse.com/security/cve/CVE-2014-3598", }, { category: "external", summary: "SUSE Bug 921566 for CVE-2014-3598", url: "https://bugzilla.suse.com/921566", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2014-3598", }, { cve: "CVE-2016-0740", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-0740", }, ], notes: [ { category: "general", text: "Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2016-0740", url: "https://www.suse.com/security/cve/CVE-2016-0740", }, { category: "external", summary: "SUSE Bug 965579 for CVE-2016-0740", url: "https://bugzilla.suse.com/965579", }, { category: "external", summary: "SUSE Bug 965582 for CVE-2016-0740", url: "https://bugzilla.suse.com/965582", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2016-0740", }, { cve: "CVE-2016-0775", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-0775", }, ], notes: [ { category: "general", text: "Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2016-0775", url: "https://www.suse.com/security/cve/CVE-2016-0775", }, { category: "external", summary: "SUSE Bug 965579 for CVE-2016-0775", url: "https://bugzilla.suse.com/965579", }, { category: "external", summary: "SUSE Bug 965582 for CVE-2016-0775", url: "https://bugzilla.suse.com/965582", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2016-0775", }, { cve: "CVE-2016-3076", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-3076", }, ], notes: [ { category: "general", text: "Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2016-3076", url: "https://www.suse.com/security/cve/CVE-2016-3076", }, { category: "external", summary: "SUSE Bug 973786 for CVE-2016-3076", url: "https://bugzilla.suse.com/973786", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2016-3076", }, { cve: "CVE-2020-15999", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-15999", }, ], notes: [ { category: "general", text: "Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-15999", url: "https://www.suse.com/security/cve/CVE-2020-15999", }, { category: "external", summary: "SUSE Bug 1177914 for CVE-2020-15999", url: "https://bugzilla.suse.com/1177914", }, { category: "external", summary: "SUSE Bug 1177936 for CVE-2020-15999", url: "https://bugzilla.suse.com/1177936", }, { category: "external", summary: "SUSE Bug 1178824 for CVE-2020-15999", url: "https://bugzilla.suse.com/1178824", }, { category: "external", summary: "SUSE Bug 1178894 for CVE-2020-15999", url: "https://bugzilla.suse.com/1178894", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-15999", }, { cve: "CVE-2020-35653", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-35653", }, ], notes: [ { category: "general", text: "In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-35653", url: "https://www.suse.com/security/cve/CVE-2020-35653", }, { category: "external", summary: "SUSE Bug 1180834 for CVE-2020-35653", url: "https://bugzilla.suse.com/1180834", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-35653", }, { cve: "CVE-2020-35654", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-35654", }, ], notes: [ { category: "general", text: "In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-35654", url: "https://www.suse.com/security/cve/CVE-2020-35654", }, { category: "external", summary: "SUSE Bug 1180833 for CVE-2020-35654", url: "https://bugzilla.suse.com/1180833", }, { category: "external", summary: "SUSE Bug 1183103 for CVE-2020-35654", url: "https://bugzilla.suse.com/1183103", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-35654", }, { cve: "CVE-2020-35655", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-35655", }, ], notes: [ { category: "general", text: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-35655", url: "https://www.suse.com/security/cve/CVE-2020-35655", }, { category: "external", summary: "SUSE Bug 1180832 for CVE-2020-35655", url: "https://bugzilla.suse.com/1180832", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-35655", }, { cve: "CVE-2021-23437", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-23437", }, ], notes: [ { category: "general", text: "The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-23437", url: "https://www.suse.com/security/cve/CVE-2021-23437", }, { category: "external", summary: "SUSE Bug 1190229 for CVE-2021-23437", url: "https://bugzilla.suse.com/1190229", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-23437", }, { cve: "CVE-2021-25289", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25289", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25289", url: "https://www.suse.com/security/cve/CVE-2021-25289", }, { category: "external", summary: "SUSE Bug 1183103 for CVE-2021-25289", url: "https://bugzilla.suse.com/1183103", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2021-25289", }, { cve: "CVE-2021-25290", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25290", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25290", url: "https://www.suse.com/security/cve/CVE-2021-25290", }, { category: "external", summary: "SUSE Bug 1183105 for CVE-2021-25290", url: "https://bugzilla.suse.com/1183105", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-25290", }, { cve: "CVE-2021-25291", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25291", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25291", url: "https://www.suse.com/security/cve/CVE-2021-25291", }, { category: "external", summary: "SUSE Bug 1183106 for CVE-2021-25291", url: "https://bugzilla.suse.com/1183106", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-25291", }, { cve: "CVE-2021-25292", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25292", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25292", url: "https://www.suse.com/security/cve/CVE-2021-25292", }, { category: "external", summary: "SUSE Bug 1183101 for CVE-2021-25292", url: "https://bugzilla.suse.com/1183101", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-25292", }, { cve: "CVE-2021-25293", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25293", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25293", url: "https://www.suse.com/security/cve/CVE-2021-25293", }, { category: "external", summary: "SUSE Bug 1183102 for CVE-2021-25293", url: "https://bugzilla.suse.com/1183102", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-25293", }, { cve: "CVE-2021-27921", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-27921", }, ], notes: [ { category: "general", text: "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-27921", url: "https://www.suse.com/security/cve/CVE-2021-27921", }, { category: "external", summary: "SUSE Bug 1183110 for CVE-2021-27921", url: "https://bugzilla.suse.com/1183110", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-27921", }, { cve: "CVE-2021-34552", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-34552", }, ], notes: [ { category: "general", text: "Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-34552", url: "https://www.suse.com/security/cve/CVE-2021-34552", }, { category: "external", summary: "SUSE Bug 1188574 for CVE-2021-34552", url: "https://bugzilla.suse.com/1188574", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2.x86_64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.aarch64", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.ppc64le", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.s390x", "openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-34552", }, ], }
opensuse-su-2021:1134-1
Vulnerability from csaf_opensuse
Published
2021-08-10 12:06
Modified
2021-08-10 12:06
Summary
Security update for python-CairoSVG, python-Pillow
Notes
Title of the patch
Security update for python-CairoSVG, python-Pillow
Description of the patch
This update for python-CairoSVG, python-Pillow fixes the following issues:
Update to version 2.5.1.
* Security fix: When processing SVG files, CairoSVG was using two
regular expressions which are vulnerable to Regular Expression
Denial of Service (REDoS). If an attacker provided a malicious
SVG, it could make CairoSVG get stuck processing the file for a
very long time.
* Fix marker positions for unclosed paths
* Follow hint when only output_width or output_height is set
* Handle opacity on raster images
* Don’t crash when use tags reference unknown tags
* Take care of the next letter when A/a is replaced by l
* Fix misalignment in node.vertices
Updates for version 2.5.0.
* Drop support of Python 3.5, add support of Python 3.9.
* Add EPS export
* Add background-color, negate-colors, and invert-images options
* Improve support for font weights
* Fix opacity of patterns and gradients
* Support auto-start-reverse value for orient
* Draw images contained in defs
* Add Exif transposition support
* Handle dominant-baseline
* Support transform-origin
python-Pillow update to version 8.3.1:
* Catch OSError when checking if fp is sys.stdout #5585 [radarhere]
* Handle removing orientation from alternate types of EXIF data #5584 [radarhere]
* Make Image.__array__ take optional dtype argument #5572 [t-vi, radarhere]
* Use snprintf instead of sprintf. CVE-2021-34552 #5567 [radarhere]
* Limit TIFF strip size when saving with LibTIFF #5514 [kmilos]
* Allow ICNS save on all operating systems #4526 [baletu, radarhere,
newpanjing, hugovk]
* De-zigzag JPEG's DQT when loading; deprecate convert_dict_qtables
#4989 [gofr, radarhere]
* Replaced xml.etree.ElementTree #5565 [radarhere]
* Moved CVE image to pillow-depends #5561 [radarhere]
* Added tag data for IFD groups #5554 [radarhere]
* Improved ImagePalette #5552 [radarhere]
* Add DDS saving #5402 [radarhere]
* Improved getxmp() #5455 [radarhere]
* Convert to float for comparison with float in IFDRational __eq__
#5412 [radarhere]
* Allow getexif() to access TIFF tag_v2 data #5416 [radarhere]
* Read FITS image mode and size #5405 [radarhere]
* Merge parallel horizontal edges in ImagingDrawPolygon #5347
[radarhere, hrdrq]
* Use transparency behind first GIF frame and when disposing to
background #5557 [radarhere, zewt]
* Avoid unstable nature of qsort in Quant.c #5367 [radarhere]
* Copy palette to new images in ImageOps expand #5551 [radarhere]
* Ensure palette string matches RGB mode #5549 [radarhere]
* Do not modify EXIF of original image instance in exif_transpose()
#5547 [radarhere]
* Fixed default numresolution for small JPEG2000 images #5540
[radarhere]
* Added DDS BC5 reading #5501 [radarhere]
* Raise an error if ImageDraw.textbbox is used without a TrueType
font #5510 [radarhere]
* Added ICO saving in BMP format #5513 [radarhere]
* Ensure PNG seeks to end of previous chunk at start of load_end
#5493 [radarhere]
* Do not allow TIFF to seek to a past frame #5473 [radarhere]
* Avoid race condition when displaying images with eog #5507
[mconst]
* Added specific error messages when ink has incorrect number of
bands #5504 [radarhere]
* Allow converting an image to a numpy array to raise errors #5379
[radarhere]
* Removed DPI rounding from BMP, JPEG, PNG and WMF loading #5476,
#5470 [radarhere]
* Remove spikes when drawing thin pieslices #5460 [xtsm]
* Updated default value for SAMPLESPERPIXEL TIFF tag #5452
[radarhere]
* Removed TIFF DPI rounding #5446 [radarhere, hugovk]
* Include code in WebP error #5471 [radarhere]
* Do not alter pixels outside mask when drawing text on an image
with transparency #5434 [radarhere]
* Reset handle when seeking backwards in TIFF #5443 [radarhere]
* Replace sys.stdout with sys.stdout.buffer when saving #5437
[radarhere]
* Fixed UNDEFINED TIFF tag of length 0 being changed in roundtrip
#5426 [radarhere]
* Fixed bug when checking FreeType2 version if it is not installed
#5445 [radarhere]
* Do not round dimensions when saving PDF #5459 [radarhere]
* Added ImageOps contain() #5417 [radarhere, hugovk]
* Changed WebP default 'method' value to 4 #5450 [radarhere]
* Switched to saving 1-bit PDFs with DCTDecode #5430 [radarhere]
* Use bpp from ICO header #5429 [radarhere]
* Corrected JPEG APP14 transform value #5408 [radarhere]
* Changed TIFF tag 33723 length to 1 #5425 [radarhere]
* Changed ImageMorph incorrect mode errors to ValueError #5414
[radarhere]
* Add EXIF tags specified in EXIF 2.32 #5419 [gladiusglad]
* Treat previous contents of first GIF frame as transparent #5391
[radarhere]
* For special image modes, revert default resize resampling to
NEAREST #5411 [radarhere]
* JPEG2000: Support decoding subsampled RGB and YCbCr images #4996
[nulano, radarhere]
* Stop decoding BC1 punchthrough alpha in BC2&3 #4144 [jansol]
* Use zero if GIF background color index is missing #5390
[radarhere]
* Fixed ensuring that GIF previous frame was loaded #5386
[radarhere]
* Valgrind fixes #5397 [wiredfool]
* Round down the radius in rounded_rectangle #5382 [radarhere]
* Fixed reading uncompressed RGB data from DDS #5383 [radarhere]
update to version 8.2.0:
* Added getxmp() method #5144 [UrielMaD, radarhere]
* Add ImageShow support for GraphicsMagick #5349 [latosha-maltba,
radarhere]
* Do not load transparent pixels from subsequent GIF frames #5333
[zewt, radarhere]
* Use LZW encoding when saving GIF images #5291 [raygard]
* Set all transparent colors to be equal in quantize() #5282
[radarhere]
* Allow PixelAccess to use Python __int__ when parsing x and y #5206
[radarhere]
* Removed Image._MODEINFO #5316 [radarhere]
* Add preserve_tone option to autocontrast #5350 [elejke, radarhere]
* Fixed linear_gradient and radial_gradient I and F modes #5274
[radarhere]
* Add support for reading TIFFs with PlanarConfiguration=2 #5364
[kkopachev, wiredfool, nulano]
* Deprecated categories #5351 [radarhere]
* Do not premultiply alpha when resizing with Image.NEAREST
resampling #5304 [nulano]
* Dynamically link FriBiDi instead of Raqm #5062 [nulano]
* Allow fewer PNG palette entries than the bit depth maximum when
saving #5330 [radarhere]
* Use duration from info dictionary when saving WebP #5338
[radarhere]
* Stop flattening EXIF IFD into getexif() #4947 [radarhere,
kkopachev]
* Replaced tiff_deflate with tiff_adobe_deflate compression when
saving TIFF images #5343 [radarhere]
* Save ICC profile from TIFF encoderinfo #5321 [radarhere]
* Moved RGB fix inside ImageQt class #5268 [radarhere]
* Allow alpha_composite destination to be negative #5313 [radarhere]
* Ensure file is closed if it is opened by ImageQt.ImageQt #5260
[radarhere]
* Added ImageDraw rounded_rectangle method #5208 [radarhere]
* Added IPythonViewer #5289 [radarhere, Kipkurui-mutai]
* Only draw each rectangle outline pixel once #5183 [radarhere]
* Use mmap instead of built-in Win32 mapper #5224 [radarhere,
cgohlke]
* Handle PCX images with an odd stride #5214 [radarhere]
* Only read different sizes for 'Large Thumbnail' MPO frames #5168
[radarhere]
* Added PyQt6 support #5258 [radarhere]
* Changed Image.open formats parameter to be case-insensitive #5250
[Piolie, radarhere]
* Deprecate Tk/Tcl 8.4, to be removed in Pillow 10 (2023-01-02)
#5216 [radarhere]
* Added tk version to pilinfo #5226 [radarhere, nulano]
* Support for ignoring tests when running valgrind #5150 [wiredfool,
radarhere, hugovk]
* OSS-Fuzz support #5189 [wiredfool, radarhere]
update to 8.1.2:
- Fix Memory DOS in BLP (CVE-2021-27921), ICNS (CVE-2021-27922) and ICO (CVE-2021-27923) Image Plugins
Update to 8.1.1
- Security
* CVE-2021-25289: The previous fix for CVE-2020-35654 was insufficent due to incorrect error checking in TiffDecode.c.
* CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size
* CVE-2021-25291: In TiffDecode.c, invalid tile boundaries could lead to an OOB Read in TiffReadRGBATile
* CVE-2021-25292: The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack.
* CVE-2021-25293: There is an Out of Bounds Read in SGIRleDecode.c, since pillow 4.3.0.
There is an Exhaustion of Memory DOS in the ICNS, ICO, and BLP container formats where Pillow
did not properly check the reported size of the contained image. These images could cause
arbitrariliy large memory allocations. This was reported by Jiayi Lin, Luke Shaffer, Xinran Xie,
and Akshay Ajayan of ASU.edu.
Other Changes
- A crash with the feature flags for LibJpeg and Webp on unreleased Python 3.10 has been fixed
- Fix rpmlint warning about duplicate file definition
- Fix package build by relying on %python_subpackages for Obsoletes/Conflicts (boo#1181281)
update to 8.1.0 (boo#1180833, boo#1180834, boo#1180832):
* Fix TIFF OOB Write error. CVE-2020-35654
* Fix for Read Overflow in PCX Decoding. CVE-2020-35653
* Fix for SGI Decode buffer overrun. CVE-2020-35655
* Fix OOB Read when saving GIF of xsize=1
* Makefile updates
* Add support for PySide6
* Use disposal settings from previous frame in APNG
* Added exception explaining that _repr_png_ saves to PNG
* Use previous disposal method in GIF load_end
* Allow putpalette to accept 1024 integers to include alpha values
* Fix OOB Read when writing TIFF with custom Metadata
* Added append_images support for ICO
* Block TIFFTAG_SUBIFD
* Fixed dereferencing potential null pointers
* Deprecate FreeType 2.7
* Moved warning to end of execution
* Removed unused fromstring and tostring C methods
* init() if one of the formats is unrecognised
* Moved string_dimension CVE image to pillow-depends
* Support raw rgba8888 for DDS
update to version 8.0.1:
* Update FreeType used in binary wheels to 2.10.4 to fix
CVE-2020-15999. [radarhere]
* Moved string_dimension image to pillow-depends #4993 [radarhere]
changes from version 8.0.0:
* Drop support for EOL Python 3.5 #4746, #4794 [hugovk, radarhere,
nulano]
* Drop support for PyPy3 < 7.2.0 #4964 [nulano]
* Remove ImageCms.CmsProfile attributes deprecated since 3.2.0 #4768
[hugovk, radarhere]
* Remove long-deprecated Image.py functions #4798 [hugovk, nulano,
radarhere]
* Add support for 16-bit precision JPEG quantization values #4918
[gofr]
* Added reading of IFD tag type #4979 [radarhere]
* Initialize offset memory for PyImagingPhotoPut #4806 [nqbit]
* Fix TiffDecode comparison warnings #4756 [nulano]
* Docs: Add dark mode #4968 [hugovk, nulano]
* Added macOS SDK install path to library and include directories
#4974 [radarhere, fxcoudert]
* Imaging.h: prevent confusion with system #4923 [ax3l, ,radarhere]
* Avoid using pkg_resources in PIL.features.pilinfo #4975 [nulano]
* Add getlength and getbbox functions for TrueType fonts #4959
[nulano, radarhere, hugovk]
* Allow tuples with one item to give single color value in getink
#4927 [radarhere, nulano]
* Add support for CBDT and COLR fonts #4955 [nulano, hugovk]
* Removed OSError in favour of DecompressionBombError for BMP #4966
[radarhere]
* Implemented another ellipse drawing algorithm #4523 [xtsm,
radarhere]
* Removed unused JpegImagePlugin._fixup_dict function #4957
[radarhere]
* Added reading and writing of private PNG chunks #4292 [radarhere]
* Implement anchor for TrueType fonts #4930 [nulano, hugovk]
* Fixed bug in Exif __delitem__ #4942 [radarhere]
* Fix crash in ImageTk.PhotoImage on MinGW 64-bit #4946 [nulano]
* Moved CVE images to pillow-depends #4929 [radarhere]
* Refactor font_getsize and font_render #4910 [nulano]
* Fixed loading profile with non-ASCII path on Windows #4914
[radarhere]
* Fixed effect_spread bug for zero distance #4908 [radarhere,
hugovk]
* Added formats parameter to Image.open #4837 [nulano, radarhere]
* Added regular_polygon draw method #4846 [comhar]
* Raise proper TypeError in putpixel #4882 [nulano, hugovk]
* Added writing of subIFDs #4862 [radarhere]
* Fix IFDRational __eq__ bug #4888 [luphord, radarhere]
* Fixed duplicate variable name #4885 [liZe, radarhere]
* Added homebrew zlib include directory #4842 [radarhere]
* Corrected inverted PDF CMYK colors #4866 [radarhere]
* Do not try to close file pointer if file pointer is empty #4823
[radarhere]
* ImageOps.autocontrast: add mask parameter #4843 [navneeth, hugovk]
* Read EXIF data tEXt chunk into info as bytes instead of string
#4828 [radarhere]
* Replaced distutils with setuptools #4797, #4809, #4814, #4817,
#4829, #4890 [hugovk, radarhere]
* Add MIME type to PsdImagePlugin #4788 [samamorgan]
* Allow ImageOps.autocontrast to specify low and high cutoffs
separately #4749 [millionhz, radarhere]
update to version 7.2.0:
* Do not convert I;16 images when showing PNGs #4744 [radarhere]
* Fixed ICNS file pointer saving #4741 [radarhere]
* Fixed loading non-RGBA mode APNGs with dispose background #4742
[radarhere]
* Deprecated _showxv #4714 [radarhere]
* Deprecate Image.show(command='...') #4646 [nulano, hugovk,
radarhere]
* Updated JPEG magic number #4707 [Cykooz, radarhere]
* Change STRIPBYTECOUNTS to LONG if necessary when saving #4626
[radarhere, hugovk]
* Write JFIF header when saving JPEG #4639 [radarhere]
* Replaced tiff_jpeg with jpeg compression when saving TIFF images
#4627 [radarhere]
* Writing TIFF tags: improved BYTE, added UNDEFINED #4605
[radarhere]
* Consider transparency when pasting text on an RGBA image #4566
[radarhere]
* Added method argument to single frame WebP saving #4547
[radarhere]
* Use ImageFileDirectory_v2 in Image.Exif #4637 [radarhere]
* Corrected reading EXIF metadata without prefix #4677 [radarhere]
* Fixed drawing a jointed line with a sequence of numeric values
#4580 [radarhere]
* Added support for 1-D NumPy arrays #4608 [radarhere]
* Parse orientation from XMP tags #4560 [radarhere]
* Speed up text layout by not rendering glyphs #4652 [nulano]
* Fixed ZeroDivisionError in Image.thumbnail #4625 [radarhere]
* Replaced TiffImagePlugin DEBUG with logging #4550 [radarhere]
* Fix repeatedly loading .gbr #4620 [ElinksFr, radarhere]
* JPEG: Truncate icclist instead of setting to None #4613 [homm]
* Fixes default offset for Exif #4594 [rodrigob, radarhere]
* Fixed bug when unpickling TIFF images #4565 [radarhere]
* Fix pickling WebP #4561 [hugovk, radarhere]
* Replace IOError and WindowsError aliases with OSError #4536
[hugovk, radarhere]
Update to 7.1.2:
* This fixes a regression introduced in 7.1.0 when adding support
for APNG files.
* When calling seek(n) on a regular PNG where n > 0, it failed to
raise an EOFError as it should have done
update to version 7.1.1:
* Fix regression seeking and telling PNGs #4512 #4514 [hugovk,
radarhere]
changes from version 7.1.0:
* Fix multiple OOB reads in FLI decoding #4503 [wiredfool]
* Fix buffer overflow in SGI-RLE decoding #4504 [wiredfool, hugovk]
* Fix bounds overflow in JPEG 2000 decoding #4505 [wiredfool]
* Fix bounds overflow in PCX decoding #4506 [wiredfool]
* Fix 2 buffer overflows in TIFF decoding #4507 [wiredfool]
* Add APNG support #4243 [pmrowla, radarhere, hugovk]
* ImageGrab.grab() for Linux with XCB #4260 [nulano, radarhere]
* Added three new channel operations #4230 [dwastberg, radarhere]
* Prevent masking of Image reduce method in Jpeg2KImagePlugin #4474
[radarhere, homm]
* Added reading of earlier ImageMagick PNG EXIF data #4471
[radarhere]
* Fixed endian handling for I;16 getextrema #4457 [radarhere]
* Release buffer if function returns prematurely #4381 [radarhere]
* Add JPEG comment to info dictionary #4455 [radarhere]
* Fix size calculation of Image.thumbnail() #4404 [orlnub123]
* Fixed stroke on FreeType < 2.9 #4401 [radarhere]
* If present, only use alpha channel for bounding box #4454
[radarhere]
* Warn if an unknown feature is passed to features.check() #4438
[jdufresne]
* Fix Name field length when saving IM images #4424 [hugovk,
radarhere]
* Allow saving of zero quality JPEG images #4440 [radarhere]
* Allow explicit zero width to hide outline #4334 [radarhere]
* Change ContainerIO return type to match file object mode #4297
[jdufresne, radarhere]
* Only draw each polygon pixel once #4333 [radarhere]
* Add support for shooting situation Exif IFD tags #4398 [alexagv]
* Handle multiple and malformed JPEG APP13 markers #4370 [homm]
* Depends: Update libwebp to 1.1.0 #4342, libjpeg to 9d #4352
[radarhere]
update to version 7.0.0:
* Drop support for EOL Python 2.7 #4109 [hugovk, radarhere,
jdufresne]
* Fix rounding error on RGB to L conversion #4320 [homm]
* Exif writing fixes: Rational boundaries and signed/unsigned types
#3980 [kkopachev, radarhere]
* Allow loading of WMF images at a given DPI #4311 [radarhere]
* Added reduce operation #4251 [homm]
* Raise ValueError for io.StringIO in Image.open #4302 [radarhere,
hugovk]
* Fix thumbnail geometry when DCT scaling is used #4231 [homm,
radarhere]
* Use default DPI when exif provides invalid x_resolution #4147
[beipang2, radarhere]
* Change default resize resampling filter from NEAREST to BICUBIC
#4255 [homm]
* Fixed black lines on upscaled images with the BOX filter #4278
[homm]
* Better thumbnail aspect ratio preservation #4256 [homm]
* Add La mode packing and unpacking #4248 [homm]
* Include tests in coverage reports #4173 [hugovk]
* Handle broken Photoshop data #4239 [radarhere]
* Raise a specific exception if no data is found for an MPO frame
#4240 [radarhere]
* Fix Unicode support for PyPy #4145 [nulano]
* Added UnidentifiedImageError #4182 [radarhere, hugovk]
* Remove deprecated __version__ from plugins #4197 [hugovk,
radarhere]
* Fixed freeing unallocated pointer when resizing with height too
large #4116 [radarhere]
* Copy info in Image.transform #4128 [radarhere]
* Corrected DdsImagePlugin setting info gamma #4171 [radarhere]
* Depends: Update libtiff to 4.1.0 #4195, Tk Tcl to 8.6.10 #4229,
libimagequant to 2.12.6 #4318 [radarhere]
* Improve handling of file resources #3577 [jdufresne]
* Removed CI testing of Fedora 29 #4165 [hugovk]
* Added pypy3 to tox envlist #4137 [jdufresne]
* Drop support for EOL PyQt4 and PySide #4108 [hugovk, radarhere]
* Removed deprecated setting of TIFF image sizes #4114 [radarhere]
* Removed deprecated PILLOW_VERSION #4107 [hugovk]
* Changed default frombuffer raw decoder args #1730 [radarhere]
Update to 6.2.1:
* Pillow 6.2.1 supports Python 3.8.
Update to 6.2.0:
* text stroking
* image grab on multi-monitor windows
* Full notes: https://pillow.readthedocs.io/en/stable/releasenotes/6.2.0.html
update to version 6.1.0:
* Deprecate Image.__del__ #3929 [jdufresne]
* Tiff: Add support for JPEG quality #3886 [olt]
* Respect the PKG_CONFIG environment variable when building #3928
[chewi]
* Use explicit memcpy() to avoid unaligned memory accesses #3225
[DerDakon]
* Improve encoding of TIFF tags #3861 [olt]
* Update Py_UNICODE to Py_UCS4 #3780 [nulano]
* Consider I;16 pixel size when drawing #3899 [radarhere]
* Add TIFFTAG_SAMPLEFORMAT to blocklist #3926 [cgohlke, radarhere]
* Create GIF deltas from background colour of GIF frames if disposal
mode is 2 #3708 [sircinnamon, radarhere]
* Added ImageSequence all_frames #3778 [radarhere]
* Use unsigned int to store TIFF IFD offsets #3923 [cgohlke]
* Include CPPFLAGS when searching for libraries #3819 [jefferyto]
* Updated TIFF tile descriptors to match current decoding
functionality #3795 [dmnisson]
* Added an image.entropy() method (second revision) #3608 [fish2000]
* Pass the correct types to PyArg_ParseTuple #3880 [QuLogic]
* Fixed crash when loading non-font bytes #3912 [radarhere]
* Fix SPARC memory alignment issues in Pack/Unpack functions #3858
[kulikjak]
* Added CMYK;16B and CMYK;16N unpackers #3913 [radarhere]
* Fixed bugs in calculating text size #3864 [radarhere]
* Add __main__.py to output basic format and support information
#3870 [jdufresne]
* Added variation font support #3802 [radarhere]
* Do not down-convert if image is LA when showing with PNG format
#3869 [radarhere]
* Improve handling of PSD frames #3759 [radarhere]
* Improved ICO and ICNS loading #3897 [radarhere]
* Changed Preview application path so that it is no longer static
#3896 [radarhere]
* Corrected ttb text positioning #3856 [radarhere]
* Handle unexpected ICO image sizes #3836 [radarhere]
* Fixed bits value for RGB;16N unpackers #3837 [kkopachev]
* Travis CI: Add Fedora 30, remove Fedora 28 #3821 [hugovk]
* Added reading of CMYK;16L TIFF images #3817 [radarhere]
* Fixed dimensions of 1-bit PDFs #3827 [radarhere]
* Fixed opening mmap image through Path on Windows #3825 [radarhere]
* Fixed ImageDraw arc gaps #3824 [radarhere]
* Expand GIF to include frames with extents outside the image size
#3822 [radarhere]
* Fixed ImageTk getimage #3814 [radarhere]
* Fixed bug in decoding large images #3791 [radarhere]
* Fixed reading APP13 marker without Photoshop data #3771
[radarhere]
* Added option to include layered windows in ImageGrab.grab on
Windows #3808 [radarhere]
* Detect libimagequant when installed by pacman on MingW #3812
[radarhere]
* Fixed raqm layout bug #3787 [radarhere]
* Fixed loading font with non-Unicode path on Windows #3785
[radarhere]
* Travis CI: Upgrade PyPy from 6.0.0 to 7.1.1 #3783 [hugovk,
johnthagen]
* Depends: Updated openjpeg to 2.3.1 #3794, raqm to 0.7.0 #3877,
libimagequant to 2.12.3 #3889 [radarhere]
* Fix numpy bool bug #3790 [radarhere]
Update to 6.0.0:
* Python 2.7 support will be removed in Pillow 7.0.0 #3682 [hugovk]
* Add EXIF class #3625 [radarhere]
* Add ImageOps exif_transpose method #3687 [radarhere]
* Added warnings to deprecated CMSProfile attributes #3615 [hugovk]
* Documented reading TIFF multiframe images #3720 [akuchling]
* Improved speed of opening an MPO file #3658 [Glandos]
* Update palette in quantize #3721 [radarhere]
* Improvements to TIFF is_animated and n_frames #3714 [radarhere]
* Fixed incompatible pointer type warnings #3754 [radarhere]
* Improvements to PA and LA conversion and palette operations #3728 [radarhere]
* Consistent DPI rounding #3709 [radarhere]
* Change size of MPO image to match frame #3588 [radarhere]
* Read Photoshop resolution data #3701 [radarhere]
* Ensure image is mutable before saving #3724 [radarhere]
* Correct remap_palette documentation #3740 [radarhere]
* Promote P images to PA in putalpha #3726 [radarhere]
* Allow RGB and RGBA values for new P images #3719 [radarhere]
* Fixed TIFF bug when seeking backwards and then forwards #3713 [radarhere]
* Cache EXIF information #3498 [Glandos]
* Added transparency for all PNG greyscale modes #3744 [radarhere]
* Fix deprecation warnings in Python 3.8 #3749 [radarhere]
* Fixed GIF bug when rewinding to a non-zero frame #3716 [radarhere]
* Only close original fp in __del__ and __exit__ if original fp is exclusive #3683 [radarhere]
* Fix BytesWarning in Tests/test_numpy.py #3725 [jdufresne]
* Add missing MIME types and extensions #3520 [pirate486743186]
* Add I;16 PNG save #3566 [radarhere]
* Add support for BMP RGBA bitfield compression #3705 [radarhere]
* Added ability to set language for text rendering #3693 [iwsfutcmd]
* Only close exclusive fp on Image __exit__ #3698 [radarhere]
* Changed EPS subprocess stdout from devnull to None #3635 [radarhere]
* Add reading old-JPEG compressed TIFFs #3489 [kkopachev]
* Add EXIF support for PNG #3674 [radarhere]
* Add option to set dither param on quantize #3699 [glasnt]
* Add reading of DDS uncompressed RGB data #3673 [radarhere]
* Correct length of Tiff BYTE tags #3672 [radarhere]
* Add DIB saving and loading through Image open #3691 [radarhere]
* Removed deprecated VERSION #3624 [hugovk]
* Fix 'BytesWarning: Comparison between bytes and string' in PdfDict #3580 [jdufresne]
* Do not resize in Image.thumbnail if already the destination size #3632 [radarhere]
* Replace .seek() magic numbers with io.SEEK_* constants #3572 [jdufresne]
* Make ContainerIO.isatty() return a bool, not int #3568 [jdufresne]
* Add support to all transpose operations for I;16 modes #3563, #3741 [radarhere]
* Deprecate support for PyQt4 and PySide #3655 [hugovk, radarhere]
* Add TIFF compression codecs: LZMA, Zstd, WebP #3555 [cgohlke]
* Fixed pickling of iTXt class with protocol > 1 #3537 [radarhere]
* _util.isPath returns True for pathlib.Path objects #3616 [wbadart]
* Remove unnecessary unittest.main() boilerplate from test files #3631 [jdufresne]
* Exif: Seek to IFD offset #3584 [radarhere]
* Deprecate PIL.*ImagePlugin.__version__ attributes #3628 [jdufresne]
* Docs: Add note about ImageDraw operations that exceed image bounds #3620 [radarhere]
* Allow for unknown PNG chunks after image data #3558 [radarhere]
* Changed EPS subprocess stdin from devnull to None #3611 [radarhere]
* Fix possible integer overflow #3609 [cgohlke]
* Catch BaseException for resource cleanup handlers #3574 [jdufresne]
* Improve pytest configuration to allow specific tests as CLI args #3579 [jdufresne]
* Drop support for Python 3.4 #3596 [hugovk]
* Remove deprecated PIL.OleFileIO #3598 [hugovk]
* Remove deprecated ImageOps undocumented functions #3599 [hugovk]
* Depends: Update libwebp to 1.0.2 #3602 [radarhere]
* Detect MIME types #3525 [radarhere]
update to version 5.4.1:
* File closing: Only close __fp if not fp #3540 [radarhere]
* Fix build for Termux #3529 [pslacerda]
* PNG: Detect MIME types #3525 [radarhere]
* PNG: Handle IDAT chunks after image end #3532 [radarhere]
changes from version 5.4.0:
* Docs: Improved ImageChops documentation #3522 [radarhere]
* Allow RGB and RGBA values for P image putpixel #3519 [radarhere]
* Add APNG extension to PNG plugin #3501 [pirate486743186,
radarhere]
* Lookup ld.so.cache instead of hardcoding search paths #3245
[pslacerda]
* Added custom string TIFF tags #3513 [radarhere]
* Improve setup.py configuration #3395 [diorcety]
* Read textual chunks located after IDAT chunks for PNG #3506
[radarhere]
* Performance: Don't try to hash value if enum is empty #3503
[Glandos]
* Added custom int and float TIFF tags #3350 [radarhere]
* Fixes for issues reported by static code analysis #3393
[frenzymadness]
* GIF: Wait until mode is normalized to copy im.info into
encoderinfo #3187 [radarhere]
* Docs: Add page of deprecations and removals #3486 [hugovk]
* Travis CI: Upgrade PyPy from 5.8.0 to 6.0 #3488 [hugovk]
* Travis CI: Allow lint job to fail #3467 [hugovk]
* Resolve __fp when closing and deleting #3261 [radarhere]
* Close exclusive fp before discarding #3461 [radarhere]
* Updated open files documentation #3490 [radarhere]
* Added libjpeg_turbo to check_feature #3493 [radarhere]
* Change color table index background to tuple when saving as WebP
#3471 [radarhere]
* Allow arbitrary number of comment extension subblocks #3479
[radarhere]
* Ensure previous FLI frame is loaded before seeking to the next
#3478 [radarhere]
* ImageShow improvements #3450 [radarhere]
* Depends: Update libimagequant to 2.12.2 #3442, libtiff to 4.0.10
#3458, libwebp to 1.0.1 #3468, Tk Tcl to 8.6.9 #3465 [radarhere]
* Check quality_layers type #3464 [radarhere]
* Add context manager, __del__ and close methods to TarIO #3455
[radarhere]
* Test: Do not play sound when running screencapture command #3454
[radarhere]
* Close exclusive fp on open exception #3456 [radarhere]
* Only close existing fp in WebP if fp is exclusive #3418
[radarhere]
* Docs: Re-add the downloads badge #3443 [hugovk]
* Added negative index to PixelAccess #3406 [Nazime]
* Change tuple background to global color table index when saving as
GIF #3385 [radarhere]
* Test: Improved ImageGrab tests #3424 [radarhere]
* Flake8 fixes #3422, #3440 [radarhere, hugovk]
* Only ask for YCbCr->RGB libtiff conversion for jpeg-compressed
tiffs #3417 [kkopachev]
* Optimise ImageOps.fit by combining resize and crop #3409 [homm]
update to version 5.3.0:
* Changed Image size property to be read-only by default #3203
[radarhere]
* Add warnings if image file identification fails due to lack of
WebP support #3169 [radarhere, hugovk]
* Hide the Ghostscript progress dialog popup on Windows #3378
[hugovk]
* Adding support to reading tiled and YcbCr jpeg tiffs through
libtiff #3227 [kkopachev]
* Fixed None as TIFF compression argument #3310 [radarhere]
* Changed GIF seek to remove previous info items #3324 [radarhere]
* Improved PDF document info #3274 [radarhere]
* Add line width parameter to rectangle and ellipse-based shapes
#3094 [hugovk, radarhere]
* Fixed decompression bomb check in _crop #3313 [dinkolubina,
hugovk]
* Added support to ImageDraw.floodfill for non-RGB colors #3377
[radarhere]
* Tests: Avoid catching unexpected exceptions in tests #2203
[jdufresne]
* Use TextIOWrapper.detach() instead of NoCloseStream #2214
[jdufresne]
* Added transparency to matrix conversion #3205 [radarhere]
* Added ImageOps pad method #3364 [radarhere]
* Give correct extrema for I;16 format images #3359 [bz2]
* Added PySide2 #3279 [radarhere]
* Corrected TIFF tags #3369 [radarhere]
* CI: Install CFFI and pycparser without any PYTHONOPTIMIZE #3374
[hugovk]
* Read/Save RGB webp as RGB (instead of RGBX) #3298 [kkopachev]
* ImageDraw: Add line joints #3250 [radarhere]
* Improved performance of ImageDraw floodfill method #3294 [yo1995]
* Fix builds with --parallel #3272 [hsoft]
* Add more raw Tiff modes (RGBaX, RGBaXX, RGBAX, RGBAXX) #3335
[homm]
* Close existing WebP fp before setting new fp #3341 [radarhere]
* Add orientation, compression and id_section as TGA save keyword
arguments #3327 [radarhere]
* Convert int values of RATIONAL TIFF tags to floats #3338
[radarhere, wiredfool]
* Fix code for PYTHONOPTIMIZE #3233 [hugovk]
* Changed ImageFilter.Kernel to subclass ImageFilter.BuiltinFilter,
instead of the other way around #3273 [radarhere]
* Remove unused draw.draw_line, draw.draw_point and font.getabc
methods #3232 [hugovk]
* Tests: Added ImageFilter tests #3295 [radarhere]
* Tests: Added ImageChops tests #3230 [hugovk, radarhere]
* AppVeyor: Download lib if not present in pillow-depends #3316
[radarhere]
* Travis CI: Add Python 3.7 and Xenial #3234 [hugovk]
* Docs: Added documentation for NumPy conversion #3301 [radarhere]
* Depends: Update libimagequant to 2.12.1 #3281 [radarhere]
* Add three-color support to ImageOps.colorize #3242 [tsennott]
* Tests: Add LA to TGA test modes #3222 [danpla]
* Skip outline if the draw operation fills with the same colour
#2922 [radarhere]
* Flake8 fixes #3173, #3380 [radarhere]
* Avoid deprecated 'U' mode when opening files #2187 [jdufresne]
update to version 5.2.0:
* Fixed saving a multiframe image as a single frame PDF #3137
[radarhere]
* If a Qt version is already imported, attempt to use it first #3143
[radarhere]
* Fix transform fill color for alpha images #3147 [fozcode]
* TGA: Add support for writing RLE data #3186 [danpla]
* TGA: Read and write LA data #3178 [danpla]
* QuantOctree.c: Remove erroneous attempt to average over an empty
range #3196 [tkoeppe]
* Changed ICNS format tests to pass on OS X 10.11 #3202 [radarhere]
* Fixed bug in ImageDraw.multiline_textsize() #3114 [tianyu139]
* Added getsize_multiline support for PIL.ImageFont #3113
[tianyu139]
* Added ImageFile get_format_mimetype method #3190 [radarhere]
* Changed mmap file pointer to use context manager #3216 [radarhere]
* Changed ellipse point calculations to be more evenly distributed
#3142 [radarhere]
* Only extract first Exif segment #2946 [hugovk]
* Tests: Test ImageDraw2, WalImageFile #3135, #2989 [hugovk]
* Remove unnecessary '#if 0' code #3075 [hugovk]
* Tests: Added GD tests #1817 [radarhere]
* Fix collections ABCs DeprecationWarning in Python 3.7 #3123
[hugovk]
* unpack_from is faster than unpack of slice #3201 [landfillbaby]
* Docs: Add coordinate system links and file handling links in
documentation #3204, #3214 [radarhere]
* Tests: TestFilePng: Fix test_save_l_transparency() #3182 [danpla]
* Docs: Correct argument name #3171 [radarhere]
* Docs: Update CMake download URL #3166 [radarhere]
* Docs: Improve Image.transform documentation #3164 [radarhere]
* Fix transform fillcolor argument when image mode is RGBA or LA
#3163 [radarhere]
* Tests: More specific Exception testing #3158 [radarhere]
* Add getrgb HSB/HSV color strings #3148 [radarhere]
* Allow float values in getrgb HSL color string #3146 [radarhere]
* AppVeyor: Upgrade to Python 2.7.15 and 3.4.4 #3140 [radarhere]
* AppVeyor: Upgrade to PyPy 6.0.0 #3133 [hugovk]
* Deprecate PILLOW_VERSION and VERSION #3090 [hugovk]
* Support Python 3.7 #3076 [hugovk]
* Depends: Update freetype to 2.9.1, libjpeg to 9c, libwebp to 1.0.0
#3121, #3136, #3108 [radarhere]
* Build macOS wheels with Xcode 6.4, supporting older macOS versions
#3068 [wiredfool]
* Fix _i2f compilation on some GCC versions #3067 [homm]
* Changed encoderinfo to have priority over info when saving GIF
images #3086 [radarhere]
* Rename PIL.version to PIL._version and remove it from module #3083
[homm]
* Enable background colour parameter on rotate #3057 [storesource]
* Remove unnecessary #if 1 directive #3072 [jdufresne]
* Remove unused Python class, Path #3070 [jdufresne]
* Fix dereferencing type-punned pointer will break strict-aliasing
#3069 [jdufresne]
update to version 5.1.0:
* Close fp before return in ImagingSavePPM #3061 [kathryndavies]
* Added documentation for ICNS append_images #3051 [radarhere]
* Docs: Move intro text below its header #3021 [hugovk]
* CI: Rename appveyor.yml as .appveyor.yml #2978 [hugovk]
* Fix TypeError for JPEG2000 parser feed #3042 [hugovk]
* Certain corrupted jpegs can result in no data read #3023
[kkopachev]
* Add support for BLP file format #3007 [jleclanche]
* Simplify version checks #2998 [hugovk]
* Fix 'invalid escape sequence' warning on Python 3.6+ #2996
[timgraham]
* Allow append_images to set .icns scaled images #3005 [radarhere]
* Support appending to existing PDFs #2965 [vashek]
* Fix and improve efficient saving of ICNS on macOS #3004
[radarhere]
* Build: Enable pip cache in AppVeyor build #3009 [thijstriemstra]
* Trim trailing whitespace #2985 [Metallicow]
* Docs: Correct reference to Image.new method #3000 [radarhere]
* Rearrange ImageFilter classes into alphabetical order #2990
[radarhere]
* Test: Remove duplicate line #2983 [radarhere]
* Build: Update AppVeyor PyPy version #3003 [radarhere]
* Tiff: Open 8 bit Tiffs with 5 or 6 channels, discarding extra
channels #2938 [homm]
* Readme: Added Twitter badge #2930 [hugovk]
* Removed __main__ code from ImageCms #2942 [radarhere]
* Test: Changed assert statements to unittest calls #2961
[radarhere]
* Depends: Update libimagequant to 2.11.10, raqm to 0.5.0, freetype
to 2.9 #3036, #3017, #2957 [radarhere]
* Remove _imaging.crc32 in favor of builtin Python crc32
implementation #2935 [wiredfool]
* Move Tk directory to src directory #2928 [hugovk]
* Enable pip cache in Travis CI #2933 [jdufresne]
* Remove unused and duplicate imports #2927 [radarhere]
* Docs: Changed documentation references to 2.x to 2.7 #2921
[radarhere]
* Fix memory leak when opening webp files #2974 [wiredfool]
* Setup: Fix 'TypeError: 'NoneType' object is not iterable' for PPC
and CRUX #2951 [hugovk]
* Setup: Add libdirs for ppc64le and armv7l #2968 [nehaljwani]
Patchnames
openSUSE-2021-1134
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-CairoSVG, python-Pillow", title: "Title of the patch", }, { category: "description", text: "This update for python-CairoSVG, python-Pillow fixes the following issues:\n\nUpdate to version 2.5.1.\n\n* Security fix: When processing SVG files, CairoSVG was using two\n regular expressions which are vulnerable to Regular Expression \n Denial of Service (REDoS). If an attacker provided a malicious \n SVG, it could make CairoSVG get stuck processing the file for a \n very long time.\n* Fix marker positions for unclosed paths\n* Follow hint when only output_width or output_height is set\n* Handle opacity on raster images\n* Don’t crash when use tags reference unknown tags\n* Take care of the next letter when A/a is replaced by l\n* Fix misalignment in node.vertices\n\nUpdates for version 2.5.0.\n\n* Drop support of Python 3.5, add support of Python 3.9.\n* Add EPS export\n* Add background-color, negate-colors, and invert-images options\n* Improve support for font weights\n* Fix opacity of patterns and gradients\n* Support auto-start-reverse value for orient\n* Draw images contained in defs\n* Add Exif transposition support\n* Handle dominant-baseline\n* Support transform-origin\n\npython-Pillow update to version 8.3.1:\n\n* Catch OSError when checking if fp is sys.stdout #5585 [radarhere]\n* Handle removing orientation from alternate types of EXIF data #5584 [radarhere]\n* Make Image.__array__ take optional dtype argument #5572 [t-vi, radarhere]\n\n* Use snprintf instead of sprintf. CVE-2021-34552 #5567 [radarhere]\n* Limit TIFF strip size when saving with LibTIFF #5514 [kmilos]\n* Allow ICNS save on all operating systems #4526 [baletu, radarhere,\n newpanjing, hugovk]\n* De-zigzag JPEG's DQT when loading; deprecate convert_dict_qtables\n #4989 [gofr, radarhere]\n* Replaced xml.etree.ElementTree #5565 [radarhere]\n* Moved CVE image to pillow-depends #5561 [radarhere]\n* Added tag data for IFD groups #5554 [radarhere]\n* Improved ImagePalette #5552 [radarhere]\n* Add DDS saving #5402 [radarhere]\n* Improved getxmp() #5455 [radarhere]\n* Convert to float for comparison with float in IFDRational __eq__\n #5412 [radarhere]\n* Allow getexif() to access TIFF tag_v2 data #5416 [radarhere]\n* Read FITS image mode and size #5405 [radarhere]\n* Merge parallel horizontal edges in ImagingDrawPolygon #5347\n [radarhere, hrdrq]\n* Use transparency behind first GIF frame and when disposing to\n background #5557 [radarhere, zewt]\n* Avoid unstable nature of qsort in Quant.c #5367 [radarhere]\n* Copy palette to new images in ImageOps expand #5551 [radarhere]\n* Ensure palette string matches RGB mode #5549 [radarhere]\n* Do not modify EXIF of original image instance in exif_transpose()\n #5547 [radarhere]\n* Fixed default numresolution for small JPEG2000 images #5540\n [radarhere]\n* Added DDS BC5 reading #5501 [radarhere]\n* Raise an error if ImageDraw.textbbox is used without a TrueType\n font #5510 [radarhere]\n* Added ICO saving in BMP format #5513 [radarhere]\n* Ensure PNG seeks to end of previous chunk at start of load_end\n #5493 [radarhere]\n* Do not allow TIFF to seek to a past frame #5473 [radarhere]\n* Avoid race condition when displaying images with eog #5507\n [mconst]\n* Added specific error messages when ink has incorrect number of\n bands #5504 [radarhere]\n* Allow converting an image to a numpy array to raise errors #5379\n [radarhere]\n* Removed DPI rounding from BMP, JPEG, PNG and WMF loading #5476,\n #5470 [radarhere]\n* Remove spikes when drawing thin pieslices #5460 [xtsm]\n* Updated default value for SAMPLESPERPIXEL TIFF tag #5452\n [radarhere]\n* Removed TIFF DPI rounding #5446 [radarhere, hugovk]\n* Include code in WebP error #5471 [radarhere]\n* Do not alter pixels outside mask when drawing text on an image\n with transparency #5434 [radarhere]\n* Reset handle when seeking backwards in TIFF #5443 [radarhere]\n* Replace sys.stdout with sys.stdout.buffer when saving #5437\n [radarhere]\n* Fixed UNDEFINED TIFF tag of length 0 being changed in roundtrip\n #5426 [radarhere]\n* Fixed bug when checking FreeType2 version if it is not installed\n #5445 [radarhere]\n* Do not round dimensions when saving PDF #5459 [radarhere]\n* Added ImageOps contain() #5417 [radarhere, hugovk]\n* Changed WebP default 'method' value to 4 #5450 [radarhere]\n* Switched to saving 1-bit PDFs with DCTDecode #5430 [radarhere]\n* Use bpp from ICO header #5429 [radarhere]\n* Corrected JPEG APP14 transform value #5408 [radarhere]\n* Changed TIFF tag 33723 length to 1 #5425 [radarhere]\n* Changed ImageMorph incorrect mode errors to ValueError #5414\n [radarhere]\n* Add EXIF tags specified in EXIF 2.32 #5419 [gladiusglad]\n* Treat previous contents of first GIF frame as transparent #5391\n [radarhere]\n* For special image modes, revert default resize resampling to\n NEAREST #5411 [radarhere]\n* JPEG2000: Support decoding subsampled RGB and YCbCr images #4996\n [nulano, radarhere]\n* Stop decoding BC1 punchthrough alpha in BC2&3 #4144 [jansol]\n* Use zero if GIF background color index is missing #5390\n [radarhere]\n* Fixed ensuring that GIF previous frame was loaded #5386\n [radarhere]\n* Valgrind fixes #5397 [wiredfool]\n* Round down the radius in rounded_rectangle #5382 [radarhere]\n* Fixed reading uncompressed RGB data from DDS #5383 [radarhere]\n\nupdate to version 8.2.0:\n\n* Added getxmp() method #5144 [UrielMaD, radarhere]\n* Add ImageShow support for GraphicsMagick #5349 [latosha-maltba,\n radarhere]\n* Do not load transparent pixels from subsequent GIF frames #5333\n [zewt, radarhere]\n* Use LZW encoding when saving GIF images #5291 [raygard]\n* Set all transparent colors to be equal in quantize() #5282\n [radarhere]\n* Allow PixelAccess to use Python __int__ when parsing x and y #5206\n [radarhere]\n* Removed Image._MODEINFO #5316 [radarhere]\n* Add preserve_tone option to autocontrast #5350 [elejke, radarhere]\n* Fixed linear_gradient and radial_gradient I and F modes #5274\n [radarhere]\n* Add support for reading TIFFs with PlanarConfiguration=2 #5364\n [kkopachev, wiredfool, nulano]\n* Deprecated categories #5351 [radarhere]\n* Do not premultiply alpha when resizing with Image.NEAREST\n resampling #5304 [nulano]\n* Dynamically link FriBiDi instead of Raqm #5062 [nulano]\n* Allow fewer PNG palette entries than the bit depth maximum when\n saving #5330 [radarhere]\n* Use duration from info dictionary when saving WebP #5338\n [radarhere]\n* Stop flattening EXIF IFD into getexif() #4947 [radarhere,\n kkopachev]\n* Replaced tiff_deflate with tiff_adobe_deflate compression when\n saving TIFF images #5343 [radarhere]\n* Save ICC profile from TIFF encoderinfo #5321 [radarhere]\n* Moved RGB fix inside ImageQt class #5268 [radarhere]\n* Allow alpha_composite destination to be negative #5313 [radarhere]\n* Ensure file is closed if it is opened by ImageQt.ImageQt #5260\n [radarhere]\n* Added ImageDraw rounded_rectangle method #5208 [radarhere]\n* Added IPythonViewer #5289 [radarhere, Kipkurui-mutai]\n* Only draw each rectangle outline pixel once #5183 [radarhere]\n* Use mmap instead of built-in Win32 mapper #5224 [radarhere,\n cgohlke]\n* Handle PCX images with an odd stride #5214 [radarhere]\n* Only read different sizes for 'Large Thumbnail' MPO frames #5168\n [radarhere]\n* Added PyQt6 support #5258 [radarhere]\n* Changed Image.open formats parameter to be case-insensitive #5250\n [Piolie, radarhere]\n* Deprecate Tk/Tcl 8.4, to be removed in Pillow 10 (2023-01-02)\n #5216 [radarhere]\n* Added tk version to pilinfo #5226 [radarhere, nulano]\n* Support for ignoring tests when running valgrind #5150 [wiredfool,\n radarhere, hugovk]\n* OSS-Fuzz support #5189 [wiredfool, radarhere]\n\nupdate to 8.1.2:\n\n- Fix Memory DOS in BLP (CVE-2021-27921), ICNS (CVE-2021-27922) and ICO (CVE-2021-27923) Image Plugins\n\nUpdate to 8.1.1\n\n- Security\n\n* CVE-2021-25289: The previous fix for CVE-2020-35654 was insufficent due to incorrect error checking in TiffDecode.c.\n* CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size\n* CVE-2021-25291: In TiffDecode.c, invalid tile boundaries could lead to an OOB Read in TiffReadRGBATile\n* CVE-2021-25292: The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack.\n* CVE-2021-25293: There is an Out of Bounds Read in SGIRleDecode.c, since pillow 4.3.0.\n\nThere is an Exhaustion of Memory DOS in the ICNS, ICO, and BLP container formats where Pillow\ndid not properly check the reported size of the contained image. These images could cause\narbitrariliy large memory allocations. This was reported by Jiayi Lin, Luke Shaffer, Xinran Xie,\nand Akshay Ajayan of ASU.edu.\n\nOther Changes\n\n- A crash with the feature flags for LibJpeg and Webp on unreleased Python 3.10 has been fixed\n\n- Fix rpmlint warning about duplicate file definition\n- Fix package build by relying on %python_subpackages for Obsoletes/Conflicts (boo#1181281)\n\nupdate to 8.1.0 (boo#1180833, boo#1180834, boo#1180832):\n\n* Fix TIFF OOB Write error. CVE-2020-35654 \n* Fix for Read Overflow in PCX Decoding. CVE-2020-35653 \n* Fix for SGI Decode buffer overrun. CVE-2020-35655 \n* Fix OOB Read when saving GIF of xsize=1 \n* Makefile updates \n* Add support for PySide6 \n* Use disposal settings from previous frame in APNG \n* Added exception explaining that _repr_png_ saves to PNG \n* Use previous disposal method in GIF load_end \n* Allow putpalette to accept 1024 integers to include alpha values \n* Fix OOB Read when writing TIFF with custom Metadata \n* Added append_images support for ICO \n* Block TIFFTAG_SUBIFD \n* Fixed dereferencing potential null pointers \n* Deprecate FreeType 2.7 \n* Moved warning to end of execution \n* Removed unused fromstring and tostring C methods \n* init() if one of the formats is unrecognised \n* Moved string_dimension CVE image to pillow-depends \n* Support raw rgba8888 for DDS \n\nupdate to version 8.0.1:\n\n* Update FreeType used in binary wheels to 2.10.4 to fix\n CVE-2020-15999. [radarhere]\n* Moved string_dimension image to pillow-depends #4993 [radarhere]\n\nchanges from version 8.0.0:\n\n* Drop support for EOL Python 3.5 #4746, #4794 [hugovk, radarhere,\n nulano]\n* Drop support for PyPy3 < 7.2.0 #4964 [nulano]\n* Remove ImageCms.CmsProfile attributes deprecated since 3.2.0 #4768\n [hugovk, radarhere]\n* Remove long-deprecated Image.py functions #4798 [hugovk, nulano,\n radarhere]\n* Add support for 16-bit precision JPEG quantization values #4918\n [gofr]\n* Added reading of IFD tag type #4979 [radarhere]\n* Initialize offset memory for PyImagingPhotoPut #4806 [nqbit]\n* Fix TiffDecode comparison warnings #4756 [nulano]\n* Docs: Add dark mode #4968 [hugovk, nulano]\n* Added macOS SDK install path to library and include directories\n #4974 [radarhere, fxcoudert]\n* Imaging.h: prevent confusion with system #4923 [ax3l, ,radarhere]\n* Avoid using pkg_resources in PIL.features.pilinfo #4975 [nulano]\n* Add getlength and getbbox functions for TrueType fonts #4959\n [nulano, radarhere, hugovk]\n* Allow tuples with one item to give single color value in getink\n #4927 [radarhere, nulano]\n* Add support for CBDT and COLR fonts #4955 [nulano, hugovk]\n* Removed OSError in favour of DecompressionBombError for BMP #4966\n [radarhere]\n* Implemented another ellipse drawing algorithm #4523 [xtsm,\n radarhere]\n* Removed unused JpegImagePlugin._fixup_dict function #4957\n [radarhere]\n* Added reading and writing of private PNG chunks #4292 [radarhere]\n* Implement anchor for TrueType fonts #4930 [nulano, hugovk]\n* Fixed bug in Exif __delitem__ #4942 [radarhere]\n* Fix crash in ImageTk.PhotoImage on MinGW 64-bit #4946 [nulano]\n* Moved CVE images to pillow-depends #4929 [radarhere]\n* Refactor font_getsize and font_render #4910 [nulano]\n* Fixed loading profile with non-ASCII path on Windows #4914\n [radarhere]\n* Fixed effect_spread bug for zero distance #4908 [radarhere,\n hugovk]\n* Added formats parameter to Image.open #4837 [nulano, radarhere]\n* Added regular_polygon draw method #4846 [comhar]\n* Raise proper TypeError in putpixel #4882 [nulano, hugovk]\n* Added writing of subIFDs #4862 [radarhere]\n* Fix IFDRational __eq__ bug #4888 [luphord, radarhere]\n* Fixed duplicate variable name #4885 [liZe, radarhere]\n* Added homebrew zlib include directory #4842 [radarhere]\n* Corrected inverted PDF CMYK colors #4866 [radarhere]\n* Do not try to close file pointer if file pointer is empty #4823\n [radarhere]\n* ImageOps.autocontrast: add mask parameter #4843 [navneeth, hugovk]\n* Read EXIF data tEXt chunk into info as bytes instead of string\n #4828 [radarhere]\n* Replaced distutils with setuptools #4797, #4809, #4814, #4817,\n #4829, #4890 [hugovk, radarhere]\n* Add MIME type to PsdImagePlugin #4788 [samamorgan]\n* Allow ImageOps.autocontrast to specify low and high cutoffs\n separately #4749 [millionhz, radarhere]\n\nupdate to version 7.2.0:\n\n* Do not convert I;16 images when showing PNGs #4744 [radarhere]\n* Fixed ICNS file pointer saving #4741 [radarhere]\n* Fixed loading non-RGBA mode APNGs with dispose background #4742\n [radarhere]\n* Deprecated _showxv #4714 [radarhere]\n* Deprecate Image.show(command='...') #4646 [nulano, hugovk,\n radarhere]\n* Updated JPEG magic number #4707 [Cykooz, radarhere]\n* Change STRIPBYTECOUNTS to LONG if necessary when saving #4626\n [radarhere, hugovk]\n* Write JFIF header when saving JPEG #4639 [radarhere]\n* Replaced tiff_jpeg with jpeg compression when saving TIFF images\n #4627 [radarhere]\n* Writing TIFF tags: improved BYTE, added UNDEFINED #4605\n [radarhere]\n* Consider transparency when pasting text on an RGBA image #4566\n [radarhere]\n* Added method argument to single frame WebP saving #4547\n [radarhere]\n* Use ImageFileDirectory_v2 in Image.Exif #4637 [radarhere]\n* Corrected reading EXIF metadata without prefix #4677 [radarhere]\n* Fixed drawing a jointed line with a sequence of numeric values\n #4580 [radarhere]\n* Added support for 1-D NumPy arrays #4608 [radarhere]\n* Parse orientation from XMP tags #4560 [radarhere]\n* Speed up text layout by not rendering glyphs #4652 [nulano]\n* Fixed ZeroDivisionError in Image.thumbnail #4625 [radarhere]\n* Replaced TiffImagePlugin DEBUG with logging #4550 [radarhere]\n* Fix repeatedly loading .gbr #4620 [ElinksFr, radarhere]\n* JPEG: Truncate icclist instead of setting to None #4613 [homm]\n* Fixes default offset for Exif #4594 [rodrigob, radarhere]\n* Fixed bug when unpickling TIFF images #4565 [radarhere]\n* Fix pickling WebP #4561 [hugovk, radarhere]\n* Replace IOError and WindowsError aliases with OSError #4536\n [hugovk, radarhere]\n\nUpdate to 7.1.2:\n\n* This fixes a regression introduced in 7.1.0 when adding support\n for APNG files.\n* When calling seek(n) on a regular PNG where n > 0, it failed to\n raise an EOFError as it should have done\n\nupdate to version 7.1.1:\n\n* Fix regression seeking and telling PNGs #4512 #4514 [hugovk,\n radarhere]\n\nchanges from version 7.1.0:\n\n* Fix multiple OOB reads in FLI decoding #4503 [wiredfool]\n* Fix buffer overflow in SGI-RLE decoding #4504 [wiredfool, hugovk]\n* Fix bounds overflow in JPEG 2000 decoding #4505 [wiredfool]\n* Fix bounds overflow in PCX decoding #4506 [wiredfool]\n* Fix 2 buffer overflows in TIFF decoding #4507 [wiredfool]\n* Add APNG support #4243 [pmrowla, radarhere, hugovk]\n* ImageGrab.grab() for Linux with XCB #4260 [nulano, radarhere]\n* Added three new channel operations #4230 [dwastberg, radarhere]\n* Prevent masking of Image reduce method in Jpeg2KImagePlugin #4474\n [radarhere, homm]\n* Added reading of earlier ImageMagick PNG EXIF data #4471\n [radarhere]\n* Fixed endian handling for I;16 getextrema #4457 [radarhere]\n* Release buffer if function returns prematurely #4381 [radarhere]\n* Add JPEG comment to info dictionary #4455 [radarhere]\n* Fix size calculation of Image.thumbnail() #4404 [orlnub123]\n* Fixed stroke on FreeType < 2.9 #4401 [radarhere]\n* If present, only use alpha channel for bounding box #4454\n [radarhere]\n* Warn if an unknown feature is passed to features.check() #4438\n [jdufresne]\n* Fix Name field length when saving IM images #4424 [hugovk,\n radarhere]\n* Allow saving of zero quality JPEG images #4440 [radarhere]\n* Allow explicit zero width to hide outline #4334 [radarhere]\n* Change ContainerIO return type to match file object mode #4297\n [jdufresne, radarhere]\n* Only draw each polygon pixel once #4333 [radarhere]\n* Add support for shooting situation Exif IFD tags #4398 [alexagv]\n* Handle multiple and malformed JPEG APP13 markers #4370 [homm]\n* Depends: Update libwebp to 1.1.0 #4342, libjpeg to 9d #4352\n [radarhere]\n\nupdate to version 7.0.0:\n\n* Drop support for EOL Python 2.7 #4109 [hugovk, radarhere,\n jdufresne]\n* Fix rounding error on RGB to L conversion #4320 [homm]\n* Exif writing fixes: Rational boundaries and signed/unsigned types\n #3980 [kkopachev, radarhere]\n* Allow loading of WMF images at a given DPI #4311 [radarhere]\n* Added reduce operation #4251 [homm]\n* Raise ValueError for io.StringIO in Image.open #4302 [radarhere,\n hugovk]\n* Fix thumbnail geometry when DCT scaling is used #4231 [homm,\n radarhere]\n* Use default DPI when exif provides invalid x_resolution #4147\n [beipang2, radarhere]\n* Change default resize resampling filter from NEAREST to BICUBIC\n #4255 [homm]\n* Fixed black lines on upscaled images with the BOX filter #4278\n [homm]\n* Better thumbnail aspect ratio preservation #4256 [homm]\n* Add La mode packing and unpacking #4248 [homm]\n* Include tests in coverage reports #4173 [hugovk]\n* Handle broken Photoshop data #4239 [radarhere]\n* Raise a specific exception if no data is found for an MPO frame\n #4240 [radarhere]\n* Fix Unicode support for PyPy #4145 [nulano]\n* Added UnidentifiedImageError #4182 [radarhere, hugovk]\n* Remove deprecated __version__ from plugins #4197 [hugovk,\n radarhere]\n* Fixed freeing unallocated pointer when resizing with height too\n large #4116 [radarhere]\n* Copy info in Image.transform #4128 [radarhere]\n* Corrected DdsImagePlugin setting info gamma #4171 [radarhere]\n* Depends: Update libtiff to 4.1.0 #4195, Tk Tcl to 8.6.10 #4229,\n libimagequant to 2.12.6 #4318 [radarhere]\n* Improve handling of file resources #3577 [jdufresne]\n* Removed CI testing of Fedora 29 #4165 [hugovk]\n* Added pypy3 to tox envlist #4137 [jdufresne]\n* Drop support for EOL PyQt4 and PySide #4108 [hugovk, radarhere]\n* Removed deprecated setting of TIFF image sizes #4114 [radarhere]\n* Removed deprecated PILLOW_VERSION #4107 [hugovk]\n* Changed default frombuffer raw decoder args #1730 [radarhere]\n\nUpdate to 6.2.1:\n\n* Pillow 6.2.1 supports Python 3.8.\n\n\nUpdate to 6.2.0:\n\n* text stroking\n* image grab on multi-monitor windows\n* Full notes: https://pillow.readthedocs.io/en/stable/releasenotes/6.2.0.html\n\nupdate to version 6.1.0:\n\n* Deprecate Image.__del__ #3929 [jdufresne]\n* Tiff: Add support for JPEG quality #3886 [olt]\n* Respect the PKG_CONFIG environment variable when building #3928\n [chewi]\n* Use explicit memcpy() to avoid unaligned memory accesses #3225\n [DerDakon]\n* Improve encoding of TIFF tags #3861 [olt]\n* Update Py_UNICODE to Py_UCS4 #3780 [nulano]\n* Consider I;16 pixel size when drawing #3899 [radarhere]\n* Add TIFFTAG_SAMPLEFORMAT to blocklist #3926 [cgohlke, radarhere]\n* Create GIF deltas from background colour of GIF frames if disposal\n mode is 2 #3708 [sircinnamon, radarhere]\n* Added ImageSequence all_frames #3778 [radarhere]\n* Use unsigned int to store TIFF IFD offsets #3923 [cgohlke]\n* Include CPPFLAGS when searching for libraries #3819 [jefferyto]\n* Updated TIFF tile descriptors to match current decoding\n functionality #3795 [dmnisson]\n* Added an image.entropy() method (second revision) #3608 [fish2000]\n* Pass the correct types to PyArg_ParseTuple #3880 [QuLogic]\n* Fixed crash when loading non-font bytes #3912 [radarhere]\n* Fix SPARC memory alignment issues in Pack/Unpack functions #3858\n [kulikjak]\n* Added CMYK;16B and CMYK;16N unpackers #3913 [radarhere]\n* Fixed bugs in calculating text size #3864 [radarhere]\n* Add __main__.py to output basic format and support information\n #3870 [jdufresne]\n* Added variation font support #3802 [radarhere]\n* Do not down-convert if image is LA when showing with PNG format\n #3869 [radarhere]\n* Improve handling of PSD frames #3759 [radarhere]\n* Improved ICO and ICNS loading #3897 [radarhere]\n* Changed Preview application path so that it is no longer static\n #3896 [radarhere]\n* Corrected ttb text positioning #3856 [radarhere]\n* Handle unexpected ICO image sizes #3836 [radarhere]\n* Fixed bits value for RGB;16N unpackers #3837 [kkopachev]\n* Travis CI: Add Fedora 30, remove Fedora 28 #3821 [hugovk]\n* Added reading of CMYK;16L TIFF images #3817 [radarhere]\n* Fixed dimensions of 1-bit PDFs #3827 [radarhere]\n* Fixed opening mmap image through Path on Windows #3825 [radarhere]\n* Fixed ImageDraw arc gaps #3824 [radarhere]\n* Expand GIF to include frames with extents outside the image size\n #3822 [radarhere]\n* Fixed ImageTk getimage #3814 [radarhere]\n* Fixed bug in decoding large images #3791 [radarhere]\n* Fixed reading APP13 marker without Photoshop data #3771\n [radarhere]\n* Added option to include layered windows in ImageGrab.grab on\n Windows #3808 [radarhere]\n* Detect libimagequant when installed by pacman on MingW #3812\n [radarhere]\n* Fixed raqm layout bug #3787 [radarhere]\n* Fixed loading font with non-Unicode path on Windows #3785\n [radarhere]\n* Travis CI: Upgrade PyPy from 6.0.0 to 7.1.1 #3783 [hugovk,\n johnthagen]\n* Depends: Updated openjpeg to 2.3.1 #3794, raqm to 0.7.0 #3877,\n libimagequant to 2.12.3 #3889 [radarhere]\n* Fix numpy bool bug #3790 [radarhere]\n\nUpdate to 6.0.0:\n\n* Python 2.7 support will be removed in Pillow 7.0.0 #3682 [hugovk]\n* Add EXIF class #3625 [radarhere]\n* Add ImageOps exif_transpose method #3687 [radarhere]\n* Added warnings to deprecated CMSProfile attributes #3615 [hugovk]\n* Documented reading TIFF multiframe images #3720 [akuchling]\n* Improved speed of opening an MPO file #3658 [Glandos]\n* Update palette in quantize #3721 [radarhere]\n* Improvements to TIFF is_animated and n_frames #3714 [radarhere]\n* Fixed incompatible pointer type warnings #3754 [radarhere]\n* Improvements to PA and LA conversion and palette operations #3728 [radarhere]\n* Consistent DPI rounding #3709 [radarhere]\n* Change size of MPO image to match frame #3588 [radarhere]\n* Read Photoshop resolution data #3701 [radarhere]\n* Ensure image is mutable before saving #3724 [radarhere]\n* Correct remap_palette documentation #3740 [radarhere]\n* Promote P images to PA in putalpha #3726 [radarhere]\n* Allow RGB and RGBA values for new P images #3719 [radarhere]\n* Fixed TIFF bug when seeking backwards and then forwards #3713 [radarhere]\n* Cache EXIF information #3498 [Glandos]\n* Added transparency for all PNG greyscale modes #3744 [radarhere]\n* Fix deprecation warnings in Python 3.8 #3749 [radarhere]\n* Fixed GIF bug when rewinding to a non-zero frame #3716 [radarhere]\n* Only close original fp in __del__ and __exit__ if original fp is exclusive #3683 [radarhere]\n* Fix BytesWarning in Tests/test_numpy.py #3725 [jdufresne]\n* Add missing MIME types and extensions #3520 [pirate486743186]\n* Add I;16 PNG save #3566 [radarhere]\n* Add support for BMP RGBA bitfield compression #3705 [radarhere]\n* Added ability to set language for text rendering #3693 [iwsfutcmd]\n* Only close exclusive fp on Image __exit__ #3698 [radarhere]\n* Changed EPS subprocess stdout from devnull to None #3635 [radarhere]\n* Add reading old-JPEG compressed TIFFs #3489 [kkopachev]\n* Add EXIF support for PNG #3674 [radarhere]\n* Add option to set dither param on quantize #3699 [glasnt]\n* Add reading of DDS uncompressed RGB data #3673 [radarhere]\n* Correct length of Tiff BYTE tags #3672 [radarhere]\n* Add DIB saving and loading through Image open #3691 [radarhere]\n* Removed deprecated VERSION #3624 [hugovk]\n* Fix 'BytesWarning: Comparison between bytes and string' in PdfDict #3580 [jdufresne]\n* Do not resize in Image.thumbnail if already the destination size #3632 [radarhere]\n* Replace .seek() magic numbers with io.SEEK_* constants #3572 [jdufresne]\n* Make ContainerIO.isatty() return a bool, not int #3568 [jdufresne]\n* Add support to all transpose operations for I;16 modes #3563, #3741 [radarhere]\n* Deprecate support for PyQt4 and PySide #3655 [hugovk, radarhere]\n* Add TIFF compression codecs: LZMA, Zstd, WebP #3555 [cgohlke]\n* Fixed pickling of iTXt class with protocol > 1 #3537 [radarhere]\n* _util.isPath returns True for pathlib.Path objects #3616 [wbadart]\n* Remove unnecessary unittest.main() boilerplate from test files #3631 [jdufresne]\n* Exif: Seek to IFD offset #3584 [radarhere]\n* Deprecate PIL.*ImagePlugin.__version__ attributes #3628 [jdufresne]\n* Docs: Add note about ImageDraw operations that exceed image bounds #3620 [radarhere]\n* Allow for unknown PNG chunks after image data #3558 [radarhere]\n* Changed EPS subprocess stdin from devnull to None #3611 [radarhere]\n* Fix possible integer overflow #3609 [cgohlke]\n* Catch BaseException for resource cleanup handlers #3574 [jdufresne]\n* Improve pytest configuration to allow specific tests as CLI args #3579 [jdufresne]\n* Drop support for Python 3.4 #3596 [hugovk]\n* Remove deprecated PIL.OleFileIO #3598 [hugovk]\n* Remove deprecated ImageOps undocumented functions #3599 [hugovk]\n* Depends: Update libwebp to 1.0.2 #3602 [radarhere]\n* Detect MIME types #3525 [radarhere]\n\nupdate to version 5.4.1:\n\n* File closing: Only close __fp if not fp #3540 [radarhere]\n* Fix build for Termux #3529 [pslacerda]\n* PNG: Detect MIME types #3525 [radarhere]\n* PNG: Handle IDAT chunks after image end #3532 [radarhere]\n\nchanges from version 5.4.0:\n\n* Docs: Improved ImageChops documentation #3522 [radarhere]\n* Allow RGB and RGBA values for P image putpixel #3519 [radarhere]\n* Add APNG extension to PNG plugin #3501 [pirate486743186,\n radarhere]\n* Lookup ld.so.cache instead of hardcoding search paths #3245\n [pslacerda]\n* Added custom string TIFF tags #3513 [radarhere]\n* Improve setup.py configuration #3395 [diorcety]\n* Read textual chunks located after IDAT chunks for PNG #3506\n [radarhere]\n* Performance: Don't try to hash value if enum is empty #3503\n [Glandos]\n* Added custom int and float TIFF tags #3350 [radarhere]\n* Fixes for issues reported by static code analysis #3393\n [frenzymadness]\n* GIF: Wait until mode is normalized to copy im.info into\n encoderinfo #3187 [radarhere]\n* Docs: Add page of deprecations and removals #3486 [hugovk]\n* Travis CI: Upgrade PyPy from 5.8.0 to 6.0 #3488 [hugovk]\n* Travis CI: Allow lint job to fail #3467 [hugovk]\n* Resolve __fp when closing and deleting #3261 [radarhere]\n* Close exclusive fp before discarding #3461 [radarhere]\n* Updated open files documentation #3490 [radarhere]\n* Added libjpeg_turbo to check_feature #3493 [radarhere]\n* Change color table index background to tuple when saving as WebP\n #3471 [radarhere]\n* Allow arbitrary number of comment extension subblocks #3479\n [radarhere]\n* Ensure previous FLI frame is loaded before seeking to the next\n #3478 [radarhere]\n* ImageShow improvements #3450 [radarhere]\n* Depends: Update libimagequant to 2.12.2 #3442, libtiff to 4.0.10\n #3458, libwebp to 1.0.1 #3468, Tk Tcl to 8.6.9 #3465 [radarhere]\n* Check quality_layers type #3464 [radarhere]\n* Add context manager, __del__ and close methods to TarIO #3455\n [radarhere]\n* Test: Do not play sound when running screencapture command #3454\n [radarhere]\n* Close exclusive fp on open exception #3456 [radarhere]\n* Only close existing fp in WebP if fp is exclusive #3418\n [radarhere]\n* Docs: Re-add the downloads badge #3443 [hugovk]\n* Added negative index to PixelAccess #3406 [Nazime]\n* Change tuple background to global color table index when saving as\n GIF #3385 [radarhere]\n* Test: Improved ImageGrab tests #3424 [radarhere]\n* Flake8 fixes #3422, #3440 [radarhere, hugovk]\n* Only ask for YCbCr->RGB libtiff conversion for jpeg-compressed\n tiffs #3417 [kkopachev]\n* Optimise ImageOps.fit by combining resize and crop #3409 [homm]\n\nupdate to version 5.3.0:\n\n* Changed Image size property to be read-only by default #3203\n [radarhere]\n* Add warnings if image file identification fails due to lack of\n WebP support #3169 [radarhere, hugovk]\n* Hide the Ghostscript progress dialog popup on Windows #3378\n [hugovk]\n* Adding support to reading tiled and YcbCr jpeg tiffs through\n libtiff #3227 [kkopachev]\n* Fixed None as TIFF compression argument #3310 [radarhere]\n* Changed GIF seek to remove previous info items #3324 [radarhere]\n* Improved PDF document info #3274 [radarhere]\n* Add line width parameter to rectangle and ellipse-based shapes\n #3094 [hugovk, radarhere]\n* Fixed decompression bomb check in _crop #3313 [dinkolubina,\n hugovk]\n* Added support to ImageDraw.floodfill for non-RGB colors #3377\n [radarhere]\n* Tests: Avoid catching unexpected exceptions in tests #2203\n [jdufresne]\n* Use TextIOWrapper.detach() instead of NoCloseStream #2214\n [jdufresne]\n* Added transparency to matrix conversion #3205 [radarhere]\n* Added ImageOps pad method #3364 [radarhere]\n* Give correct extrema for I;16 format images #3359 [bz2]\n* Added PySide2 #3279 [radarhere]\n* Corrected TIFF tags #3369 [radarhere]\n* CI: Install CFFI and pycparser without any PYTHONOPTIMIZE #3374\n [hugovk]\n* Read/Save RGB webp as RGB (instead of RGBX) #3298 [kkopachev]\n* ImageDraw: Add line joints #3250 [radarhere]\n* Improved performance of ImageDraw floodfill method #3294 [yo1995]\n* Fix builds with --parallel #3272 [hsoft]\n* Add more raw Tiff modes (RGBaX, RGBaXX, RGBAX, RGBAXX) #3335\n [homm]\n* Close existing WebP fp before setting new fp #3341 [radarhere]\n* Add orientation, compression and id_section as TGA save keyword\n arguments #3327 [radarhere]\n* Convert int values of RATIONAL TIFF tags to floats #3338\n [radarhere, wiredfool]\n* Fix code for PYTHONOPTIMIZE #3233 [hugovk]\n* Changed ImageFilter.Kernel to subclass ImageFilter.BuiltinFilter,\n instead of the other way around #3273 [radarhere]\n* Remove unused draw.draw_line, draw.draw_point and font.getabc\n methods #3232 [hugovk]\n* Tests: Added ImageFilter tests #3295 [radarhere]\n* Tests: Added ImageChops tests #3230 [hugovk, radarhere]\n* AppVeyor: Download lib if not present in pillow-depends #3316\n [radarhere]\n* Travis CI: Add Python 3.7 and Xenial #3234 [hugovk]\n* Docs: Added documentation for NumPy conversion #3301 [radarhere]\n* Depends: Update libimagequant to 2.12.1 #3281 [radarhere]\n* Add three-color support to ImageOps.colorize #3242 [tsennott]\n* Tests: Add LA to TGA test modes #3222 [danpla]\n* Skip outline if the draw operation fills with the same colour\n #2922 [radarhere]\n* Flake8 fixes #3173, #3380 [radarhere]\n* Avoid deprecated 'U' mode when opening files #2187 [jdufresne]\n\nupdate to version 5.2.0:\n\n* Fixed saving a multiframe image as a single frame PDF #3137\n [radarhere]\n* If a Qt version is already imported, attempt to use it first #3143\n [radarhere]\n* Fix transform fill color for alpha images #3147 [fozcode]\n* TGA: Add support for writing RLE data #3186 [danpla]\n* TGA: Read and write LA data #3178 [danpla]\n* QuantOctree.c: Remove erroneous attempt to average over an empty\n range #3196 [tkoeppe]\n* Changed ICNS format tests to pass on OS X 10.11 #3202 [radarhere]\n* Fixed bug in ImageDraw.multiline_textsize() #3114 [tianyu139]\n* Added getsize_multiline support for PIL.ImageFont #3113\n [tianyu139]\n* Added ImageFile get_format_mimetype method #3190 [radarhere]\n* Changed mmap file pointer to use context manager #3216 [radarhere]\n* Changed ellipse point calculations to be more evenly distributed\n #3142 [radarhere]\n* Only extract first Exif segment #2946 [hugovk]\n* Tests: Test ImageDraw2, WalImageFile #3135, #2989 [hugovk]\n* Remove unnecessary '#if 0' code #3075 [hugovk]\n* Tests: Added GD tests #1817 [radarhere]\n* Fix collections ABCs DeprecationWarning in Python 3.7 #3123\n [hugovk]\n* unpack_from is faster than unpack of slice #3201 [landfillbaby]\n* Docs: Add coordinate system links and file handling links in\n documentation #3204, #3214 [radarhere]\n* Tests: TestFilePng: Fix test_save_l_transparency() #3182 [danpla]\n* Docs: Correct argument name #3171 [radarhere]\n* Docs: Update CMake download URL #3166 [radarhere]\n* Docs: Improve Image.transform documentation #3164 [radarhere]\n* Fix transform fillcolor argument when image mode is RGBA or LA\n #3163 [radarhere]\n* Tests: More specific Exception testing #3158 [radarhere]\n* Add getrgb HSB/HSV color strings #3148 [radarhere]\n* Allow float values in getrgb HSL color string #3146 [radarhere]\n* AppVeyor: Upgrade to Python 2.7.15 and 3.4.4 #3140 [radarhere]\n* AppVeyor: Upgrade to PyPy 6.0.0 #3133 [hugovk]\n* Deprecate PILLOW_VERSION and VERSION #3090 [hugovk]\n* Support Python 3.7 #3076 [hugovk]\n* Depends: Update freetype to 2.9.1, libjpeg to 9c, libwebp to 1.0.0\n #3121, #3136, #3108 [radarhere]\n* Build macOS wheels with Xcode 6.4, supporting older macOS versions\n #3068 [wiredfool]\n* Fix _i2f compilation on some GCC versions #3067 [homm]\n* Changed encoderinfo to have priority over info when saving GIF\n images #3086 [radarhere]\n* Rename PIL.version to PIL._version and remove it from module #3083\n [homm]\n* Enable background colour parameter on rotate #3057 [storesource]\n* Remove unnecessary #if 1 directive #3072 [jdufresne]\n* Remove unused Python class, Path #3070 [jdufresne]\n* Fix dereferencing type-punned pointer will break strict-aliasing\n #3069 [jdufresne]\n\nupdate to version 5.1.0:\n\n* Close fp before return in ImagingSavePPM #3061 [kathryndavies]\n* Added documentation for ICNS append_images #3051 [radarhere]\n* Docs: Move intro text below its header #3021 [hugovk]\n* CI: Rename appveyor.yml as .appveyor.yml #2978 [hugovk]\n* Fix TypeError for JPEG2000 parser feed #3042 [hugovk]\n* Certain corrupted jpegs can result in no data read #3023\n [kkopachev]\n* Add support for BLP file format #3007 [jleclanche]\n* Simplify version checks #2998 [hugovk]\n* Fix 'invalid escape sequence' warning on Python 3.6+ #2996\n [timgraham]\n* Allow append_images to set .icns scaled images #3005 [radarhere]\n* Support appending to existing PDFs #2965 [vashek]\n* Fix and improve efficient saving of ICNS on macOS #3004\n [radarhere]\n* Build: Enable pip cache in AppVeyor build #3009 [thijstriemstra]\n* Trim trailing whitespace #2985 [Metallicow]\n* Docs: Correct reference to Image.new method #3000 [radarhere]\n* Rearrange ImageFilter classes into alphabetical order #2990\n [radarhere]\n* Test: Remove duplicate line #2983 [radarhere]\n* Build: Update AppVeyor PyPy version #3003 [radarhere]\n* Tiff: Open 8 bit Tiffs with 5 or 6 channels, discarding extra\n channels #2938 [homm]\n* Readme: Added Twitter badge #2930 [hugovk]\n* Removed __main__ code from ImageCms #2942 [radarhere]\n* Test: Changed assert statements to unittest calls #2961\n [radarhere]\n* Depends: Update libimagequant to 2.11.10, raqm to 0.5.0, freetype\n to 2.9 #3036, #3017, #2957 [radarhere]\n* Remove _imaging.crc32 in favor of builtin Python crc32\n implementation #2935 [wiredfool]\n* Move Tk directory to src directory #2928 [hugovk]\n* Enable pip cache in Travis CI #2933 [jdufresne]\n* Remove unused and duplicate imports #2927 [radarhere]\n* Docs: Changed documentation references to 2.x to 2.7 #2921\n [radarhere]\n* Fix memory leak when opening webp files #2974 [wiredfool]\n* Setup: Fix 'TypeError: 'NoneType' object is not iterable' for PPC\n and CRUX #2951 [hugovk]\n* Setup: Add libdirs for ppc64le and armv7l #2968 [nehaljwani]", title: "Description of the patch", }, { category: "details", text: "openSUSE-2021-1134", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_1134-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2021:1134-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N6MMS3NOFXF2TZBZ5M3EC6VOB65FRP4I/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2021:1134-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N6MMS3NOFXF2TZBZ5M3EC6VOB65FRP4I/", }, { category: "self", summary: "SUSE Bug 1180832", url: "https://bugzilla.suse.com/1180832", }, { category: "self", summary: "SUSE Bug 1180833", url: "https://bugzilla.suse.com/1180833", }, { category: "self", summary: "SUSE Bug 1180834", url: "https://bugzilla.suse.com/1180834", }, { category: "self", summary: "SUSE Bug 1181281", url: "https://bugzilla.suse.com/1181281", }, { category: "self", summary: "SUSE CVE CVE-2020-15999 page", url: "https://www.suse.com/security/cve/CVE-2020-15999/", }, { category: "self", summary: "SUSE CVE CVE-2020-35653 page", url: "https://www.suse.com/security/cve/CVE-2020-35653/", }, { category: "self", summary: "SUSE CVE CVE-2020-35654 page", url: "https://www.suse.com/security/cve/CVE-2020-35654/", }, { category: "self", summary: "SUSE CVE CVE-2020-35655 page", url: "https://www.suse.com/security/cve/CVE-2020-35655/", }, { category: "self", summary: "SUSE CVE CVE-2021-25289 page", url: "https://www.suse.com/security/cve/CVE-2021-25289/", }, { category: "self", summary: "SUSE CVE CVE-2021-25290 page", url: "https://www.suse.com/security/cve/CVE-2021-25290/", }, { category: "self", summary: "SUSE CVE CVE-2021-25291 page", url: "https://www.suse.com/security/cve/CVE-2021-25291/", }, { category: "self", summary: "SUSE CVE CVE-2021-25292 page", url: "https://www.suse.com/security/cve/CVE-2021-25292/", }, { category: "self", summary: "SUSE CVE CVE-2021-25293 page", url: "https://www.suse.com/security/cve/CVE-2021-25293/", }, { category: "self", summary: "SUSE CVE CVE-2021-27921 page", url: "https://www.suse.com/security/cve/CVE-2021-27921/", }, { category: "self", summary: "SUSE CVE CVE-2021-27922 page", url: "https://www.suse.com/security/cve/CVE-2021-27922/", }, { category: "self", summary: "SUSE CVE CVE-2021-27923 page", url: "https://www.suse.com/security/cve/CVE-2021-27923/", }, { category: "self", summary: "SUSE CVE CVE-2021-34552 page", url: "https://www.suse.com/security/cve/CVE-2021-34552/", }, ], title: "Security update for python-CairoSVG, python-Pillow", tracking: { current_release_date: "2021-08-10T12:06:55Z", generator: { date: "2021-08-10T12:06:55Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2021:1134-1", initial_release_date: "2021-08-10T12:06:55Z", revision_history: [ { date: "2021-08-10T12:06:55Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", product: { name: "python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", product_id: "python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "python3-Pillow-8.3.1-lp152.5.3.1.x86_64", product: { name: "python3-Pillow-8.3.1-lp152.5.3.1.x86_64", product_id: "python3-Pillow-8.3.1-lp152.5.3.1.x86_64", }, }, { category: "product_version", name: "python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", product: { name: "python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", product_id: "python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Leap 15.2", product: { name: "openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.2", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python3-CairoSVG-2.5.1-lp152.2.3.1.noarch as component of openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", }, product_reference: "python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", relates_to_product_reference: "openSUSE Leap 15.2", }, { category: "default_component_of", full_product_name: { name: "python3-Pillow-8.3.1-lp152.5.3.1.x86_64 as component of openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", }, product_reference: "python3-Pillow-8.3.1-lp152.5.3.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.2", }, { category: "default_component_of", full_product_name: { name: "python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64 as component of openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", }, product_reference: "python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.2", }, ], }, vulnerabilities: [ { cve: "CVE-2020-15999", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-15999", }, ], notes: [ { category: "general", text: "Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-15999", url: "https://www.suse.com/security/cve/CVE-2020-15999", }, { category: "external", summary: "SUSE Bug 1177914 for CVE-2020-15999", url: "https://bugzilla.suse.com/1177914", }, { category: "external", summary: "SUSE Bug 1177936 for CVE-2020-15999", url: "https://bugzilla.suse.com/1177936", }, { category: "external", summary: "SUSE Bug 1178824 for CVE-2020-15999", url: "https://bugzilla.suse.com/1178824", }, { category: "external", summary: "SUSE Bug 1178894 for CVE-2020-15999", url: "https://bugzilla.suse.com/1178894", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "important", }, ], title: "CVE-2020-15999", }, { cve: "CVE-2020-35653", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-35653", }, ], notes: [ { category: "general", text: "In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-35653", url: "https://www.suse.com/security/cve/CVE-2020-35653", }, { category: "external", summary: "SUSE Bug 1180834 for CVE-2020-35653", url: "https://bugzilla.suse.com/1180834", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "important", }, ], title: "CVE-2020-35653", }, { cve: "CVE-2020-35654", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-35654", }, ], notes: [ { category: "general", text: "In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-35654", url: "https://www.suse.com/security/cve/CVE-2020-35654", }, { category: "external", summary: "SUSE Bug 1180833 for CVE-2020-35654", url: "https://bugzilla.suse.com/1180833", }, { category: "external", summary: "SUSE Bug 1183103 for CVE-2020-35654", url: "https://bugzilla.suse.com/1183103", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "important", }, ], title: "CVE-2020-35654", }, { cve: "CVE-2020-35655", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-35655", }, ], notes: [ { category: "general", text: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-35655", url: "https://www.suse.com/security/cve/CVE-2020-35655", }, { category: "external", summary: "SUSE Bug 1180832 for CVE-2020-35655", url: "https://bugzilla.suse.com/1180832", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "important", }, ], title: "CVE-2020-35655", }, { cve: "CVE-2021-25289", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25289", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25289", url: "https://www.suse.com/security/cve/CVE-2021-25289", }, { category: "external", summary: "SUSE Bug 1183103 for CVE-2021-25289", url: "https://bugzilla.suse.com/1183103", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "critical", }, ], title: "CVE-2021-25289", }, { cve: "CVE-2021-25290", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25290", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25290", url: "https://www.suse.com/security/cve/CVE-2021-25290", }, { category: "external", summary: "SUSE Bug 1183105 for CVE-2021-25290", url: "https://bugzilla.suse.com/1183105", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "important", }, ], title: "CVE-2021-25290", }, { cve: "CVE-2021-25291", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25291", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25291", url: "https://www.suse.com/security/cve/CVE-2021-25291", }, { category: "external", summary: "SUSE Bug 1183106 for CVE-2021-25291", url: "https://bugzilla.suse.com/1183106", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "important", }, ], title: "CVE-2021-25291", }, { cve: "CVE-2021-25292", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25292", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25292", url: "https://www.suse.com/security/cve/CVE-2021-25292", }, { category: "external", summary: "SUSE Bug 1183101 for CVE-2021-25292", url: "https://bugzilla.suse.com/1183101", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "important", }, ], title: "CVE-2021-25292", }, { cve: "CVE-2021-25293", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25293", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25293", url: "https://www.suse.com/security/cve/CVE-2021-25293", }, { category: "external", summary: "SUSE Bug 1183102 for CVE-2021-25293", url: "https://bugzilla.suse.com/1183102", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "important", }, ], title: "CVE-2021-25293", }, { cve: "CVE-2021-27921", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-27921", }, ], notes: [ { category: "general", text: "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-27921", url: "https://www.suse.com/security/cve/CVE-2021-27921", }, { category: "external", summary: "SUSE Bug 1183110 for CVE-2021-27921", url: "https://bugzilla.suse.com/1183110", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "important", }, ], title: "CVE-2021-27921", }, { cve: "CVE-2021-27922", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-27922", }, ], notes: [ { category: "general", text: "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-27922", url: "https://www.suse.com/security/cve/CVE-2021-27922", }, { category: "external", summary: "SUSE Bug 1183108 for CVE-2021-27922", url: "https://bugzilla.suse.com/1183108", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "important", }, ], title: "CVE-2021-27922", }, { cve: "CVE-2021-27923", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-27923", }, ], notes: [ { category: "general", text: "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-27923", url: "https://www.suse.com/security/cve/CVE-2021-27923", }, { category: "external", summary: "SUSE Bug 1183107 for CVE-2021-27923", url: "https://bugzilla.suse.com/1183107", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "important", }, ], title: "CVE-2021-27923", }, { cve: "CVE-2021-34552", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-34552", }, ], notes: [ { category: "general", text: "Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-34552", url: "https://www.suse.com/security/cve/CVE-2021-34552", }, { category: "external", summary: "SUSE Bug 1188574 for CVE-2021-34552", url: "https://bugzilla.suse.com/1188574", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python3-CairoSVG-2.5.1-lp152.2.3.1.noarch", "openSUSE Leap 15.2:python3-Pillow-8.3.1-lp152.5.3.1.x86_64", "openSUSE Leap 15.2:python3-Pillow-tk-8.3.1-lp152.5.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-08-10T12:06:55Z", details: "important", }, ], title: "CVE-2021-34552", }, ], }
rhsa-2021:4149
Vulnerability from csaf_redhat
Published
2021-11-09 17:42
Modified
2024-11-13 23:33
Summary
Red Hat Security Advisory: python-pillow security update
Notes
Topic
An update for python-pillow is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities.
Security Fix(es):
* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25287)
* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25288)
* python-pillow: Negative-offset memcpy in TIFF image reader (CVE-2021-25290)
* python-pillow: Regular expression DoS in PDF format parser (CVE-2021-25292)
* python-pillow: Out-of-bounds read in SGI RLE image reader (CVE-2021-25293)
* python-pillow: Excessive memory allocation in BLP image reader (CVE-2021-27921)
* python-pillow: Excessive memory allocation in ICNS image reader (CVE-2021-27922)
* python-pillow: Excessive memory allocation in ICO image reader (CVE-2021-27923)
* python-pillow: Excessive memory allocation in PSD image reader (CVE-2021-28675)
* python-pillow: Infinite loop in FLI image reader (CVE-2021-28676)
* python-pillow: Excessive CPU use in EPS image reader (CVE-2021-28677)
* python-pillow: Excessive looping in BLP image reader (CVE-2021-28678)
* python-pillow: Buffer overflow in image convert function (CVE-2021-34552)
* python-pillow: Buffer over-read in PCX image reader (CVE-2020-35653)
* python-pillow: Buffer over-read in SGI RLE image reader (CVE-2020-35655)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for python-pillow is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities.\n\nSecurity Fix(es):\n\n* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25287)\n\n* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25288)\n\n* python-pillow: Negative-offset memcpy in TIFF image reader (CVE-2021-25290)\n\n* python-pillow: Regular expression DoS in PDF format parser (CVE-2021-25292)\n\n* python-pillow: Out-of-bounds read in SGI RLE image reader (CVE-2021-25293)\n\n* python-pillow: Excessive memory allocation in BLP image reader (CVE-2021-27921)\n\n* python-pillow: Excessive memory allocation in ICNS image reader (CVE-2021-27922)\n\n* python-pillow: Excessive memory allocation in ICO image reader (CVE-2021-27923)\n\n* python-pillow: Excessive memory allocation in PSD image reader (CVE-2021-28675)\n\n* python-pillow: Infinite loop in FLI image reader (CVE-2021-28676)\n\n* python-pillow: Excessive CPU use in EPS image reader (CVE-2021-28677)\n\n* python-pillow: Excessive looping in BLP image reader (CVE-2021-28678)\n\n* python-pillow: Buffer overflow in image convert function (CVE-2021-34552)\n\n* python-pillow: Buffer over-read in PCX image reader (CVE-2020-35653)\n\n* python-pillow: Buffer over-read in SGI RLE image reader (CVE-2020-35655)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2021:4149", url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/", url: "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/", }, { category: "external", summary: "1915420", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1915420", }, { category: "external", summary: "1915432", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1915432", }, { category: "external", summary: "1934685", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934685", }, { category: "external", summary: "1934699", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934699", }, { category: "external", summary: "1934705", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934705", }, { category: "external", summary: "1935384", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935384", }, { category: "external", summary: "1935396", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935396", }, { category: "external", summary: "1935401", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935401", }, { category: "external", summary: "1958226", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958226", }, { category: "external", summary: "1958231", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958231", }, { category: "external", summary: "1958240", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958240", }, { category: "external", summary: "1958252", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958252", }, { category: "external", summary: "1958257", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958257", }, { category: "external", summary: "1958263", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958263", }, { category: "external", summary: "1982378", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1982378", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4149.json", }, ], title: "Red Hat Security Advisory: python-pillow security update", tracking: { current_release_date: "2024-11-13T23:33:33+00:00", generator: { date: "2024-11-13T23:33:33+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.0", }, }, id: "RHSA-2021:4149", initial_release_date: "2021-11-09T17:42:23+00:00", revision_history: [ { date: "2021-11-09T17:42:23+00:00", number: "1", summary: "Initial version", }, { date: "2021-11-09T17:42:23+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-13T23:33:33+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux AppStream (v. 8)", product: { name: "Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA", product_identification_helper: { cpe: "cpe:/a:redhat:enterprise_linux:8::appstream", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "python-pillow-0:5.1.1-16.el8.src", product: { name: "python-pillow-0:5.1.1-16.el8.src", product_id: "python-pillow-0:5.1.1-16.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow@5.1.1-16.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "python3-pillow-0:5.1.1-16.el8.aarch64", product: { name: "python3-pillow-0:5.1.1-16.el8.aarch64", product_id: "python3-pillow-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow@5.1.1-16.el8?arch=aarch64", }, }, }, { category: "product_version", name: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64", product: { name: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64", product_id: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debugsource@5.1.1-16.el8?arch=aarch64", }, }, }, { category: "product_version", name: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product_id: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debuginfo@5.1.1-16.el8?arch=aarch64", }, }, }, { category: "product_version", name: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product_id: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-debuginfo@5.1.1-16.el8?arch=aarch64", }, }, }, { category: "product_version", name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", product: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", product_id: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-tk-debuginfo@5.1.1-16.el8?arch=aarch64", }, }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "python3-pillow-0:5.1.1-16.el8.ppc64le", product: { name: "python3-pillow-0:5.1.1-16.el8.ppc64le", product_id: "python3-pillow-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow@5.1.1-16.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", product: { name: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", product_id: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debugsource@5.1.1-16.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product_id: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debuginfo@5.1.1-16.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product_id: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-debuginfo@5.1.1-16.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", product: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", product_id: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-tk-debuginfo@5.1.1-16.el8?arch=ppc64le", }, }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "python3-pillow-0:5.1.1-16.el8.x86_64", product: { name: "python3-pillow-0:5.1.1-16.el8.x86_64", product_id: "python3-pillow-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow@5.1.1-16.el8?arch=x86_64", }, }, }, { category: "product_version", name: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64", product: { name: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64", product_id: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debugsource@5.1.1-16.el8?arch=x86_64", }, }, }, { category: "product_version", name: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product_id: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debuginfo@5.1.1-16.el8?arch=x86_64", }, }, }, { category: "product_version", name: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product_id: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-debuginfo@5.1.1-16.el8?arch=x86_64", }, }, }, { category: "product_version", name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", product: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", product_id: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-tk-debuginfo@5.1.1-16.el8?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "python3-pillow-0:5.1.1-16.el8.s390x", product: { name: "python3-pillow-0:5.1.1-16.el8.s390x", product_id: "python3-pillow-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow@5.1.1-16.el8?arch=s390x", }, }, }, { category: "product_version", name: "python-pillow-debugsource-0:5.1.1-16.el8.s390x", product: { name: "python-pillow-debugsource-0:5.1.1-16.el8.s390x", product_id: "python-pillow-debugsource-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debugsource@5.1.1-16.el8?arch=s390x", }, }, }, { category: "product_version", name: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x", product: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x", product_id: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debuginfo@5.1.1-16.el8?arch=s390x", }, }, }, { category: "product_version", name: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", product: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", product_id: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-debuginfo@5.1.1-16.el8?arch=s390x", }, }, }, { category: "product_version", name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", product: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", product_id: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-tk-debuginfo@5.1.1-16.el8?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-pillow-0:5.1.1-16.el8.src as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", }, product_reference: "python-pillow-0:5.1.1-16.el8.src", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", }, product_reference: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", }, product_reference: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", }, product_reference: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", }, product_reference: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", }, product_reference: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", }, product_reference: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debugsource-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", }, product_reference: "python-pillow-debugsource-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", }, product_reference: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", }, product_reference: "python3-pillow-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", }, product_reference: "python3-pillow-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", }, product_reference: "python3-pillow-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", }, product_reference: "python3-pillow-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", }, product_reference: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", }, product_reference: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", }, product_reference: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", }, product_reference: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", }, product_reference: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", }, product_reference: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", }, product_reference: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", }, product_reference: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, ], }, vulnerabilities: [ { cve: "CVE-2020-35653", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-01-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1915420", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. The PcxDecode in Pillow has a buffer over-read when decoding a crafted PCX file due to the user-supplied stride value trusted for buffer calculations. The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Buffer over-read in PCX image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-35653", }, { category: "external", summary: "RHBZ#1915420", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1915420", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-35653", url: "https://www.cve.org/CVERecord?id=CVE-2020-35653", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-35653", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-35653", }, { category: "external", summary: "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", url: "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", }, ], release_date: "2021-01-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "python-pillow: Buffer over-read in PCX image reader", }, { cve: "CVE-2020-35655", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-01-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1915432", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Buffer over-read in SGI RLE image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-35655", }, { category: "external", summary: "RHBZ#1915432", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1915432", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-35655", url: "https://www.cve.org/CVERecord?id=CVE-2020-35655", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-35655", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-35655", }, { category: "external", summary: "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", url: "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", }, ], release_date: "2021-01-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "python-pillow: Buffer over-read in SGI RLE image reader", }, { cve: "CVE-2021-25287", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958226", }, ], notes: [ { category: "description", text: "There is an out-of-bounds read in J2kDecode in j2ku_graya_la. For J2k images with multiple bands, it’s legal to have different widths for each band, e.g. 1 byte for L, 4 bytes for A.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Out-of-bounds read in J2K image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25287", }, { category: "external", summary: "RHBZ#1958226", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958226", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25287", url: "https://www.cve.org/CVERecord?id=CVE-2021-25287", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25287", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25287", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Out-of-bounds read in J2K image reader", }, { cve: "CVE-2021-25288", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958231", }, ], notes: [ { category: "description", text: "There is an out-of-bounds read in J2kDecode in j2ku_gray_i. For J2k images with multiple bands, it’s legal to have different widths for each band, e.g. 1 byte for L, 4 bytes for A.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Out-of-bounds read in J2K image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25288", }, { category: "external", summary: "RHBZ#1958231", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958231", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25288", url: "https://www.cve.org/CVERecord?id=CVE-2021-25288", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25288", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25288", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Out-of-bounds read in J2K image reader", }, { cve: "CVE-2021-25290", cwe: { id: "CWE-120", name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", }, discovery_date: "2021-03-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1934685", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. In TiffDecode.c, there is a negative-offset memcpy with an invalid size which could lead to a system crash.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Negative-offset memcpy in TIFF image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25290", }, { category: "external", summary: "RHBZ#1934685", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934685", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25290", url: "https://www.cve.org/CVERecord?id=CVE-2021-25290", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25290", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25290", }, ], release_date: "2021-02-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Negative-offset memcpy in TIFF image reader", }, { cve: "CVE-2021-25292", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2021-03-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1934699", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Regular expression DoS in PDF format parser", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25292", }, { category: "external", summary: "RHBZ#1934699", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934699", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25292", url: "https://www.cve.org/CVERecord?id=CVE-2021-25292", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25292", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25292", }, ], release_date: "2021-02-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Regular expression DoS in PDF format parser", }, { cve: "CVE-2021-25293", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-03-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1934705", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. There is an Out of Bounds Read in SGIRleDecode.c.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Out-of-bounds read in SGI RLE image reader", title: "Vulnerability summary", }, { category: "other", text: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25293", }, { category: "external", summary: "RHBZ#1934705", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934705", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25293", url: "https://www.cve.org/CVERecord?id=CVE-2021-25293", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25293", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25293", }, ], release_date: "2021-02-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Out-of-bounds read in SGI RLE image reader", }, { cve: "CVE-2021-27921", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1935384", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive memory allocation in BLP image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-27921", }, { category: "external", summary: "RHBZ#1935384", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935384", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-27921", url: "https://www.cve.org/CVERecord?id=CVE-2021-27921", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-27921", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-27921", }, ], release_date: "2021-03-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive memory allocation in BLP image reader", }, { cve: "CVE-2021-27922", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1935396", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive memory allocation in ICNS image reader", title: "Vulnerability summary", }, { category: "other", text: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-27922", }, { category: "external", summary: "RHBZ#1935396", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935396", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-27922", url: "https://www.cve.org/CVERecord?id=CVE-2021-27922", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-27922", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-27922", }, ], release_date: "2021-03-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive memory allocation in ICNS image reader", }, { cve: "CVE-2021-27923", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1935401", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive memory allocation in ICO image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-27923", }, { category: "external", summary: "RHBZ#1935401", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935401", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-27923", url: "https://www.cve.org/CVERecord?id=CVE-2021-27923", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-27923", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-27923", }, ], release_date: "2021-03-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive memory allocation in ICO image reader", }, { cve: "CVE-2021-28675", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958240", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. PsdImagePlugin.PsdImageFile does not sanity check the number of input layers with regard to the size of the data block which could lead to a denial-of-service.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive memory allocation in PSD image reader", title: "Vulnerability summary", }, { category: "other", text: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-28675", }, { category: "external", summary: "RHBZ#1958240", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958240", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-28675", url: "https://www.cve.org/CVERecord?id=CVE-2021-28675", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28675", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28675", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive memory allocation in PSD image reader", }, { cve: "CVE-2021-28676", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958252", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. FliDecode.c did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. This issue dates to the PIL fork. The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Infinite loop in FLI image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-28676", }, { category: "external", summary: "RHBZ#1958252", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958252", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-28676", url: "https://www.cve.org/CVERecord?id=CVE-2021-28676", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28676", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28676", }, { category: "external", summary: "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#security", url: "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#security", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay, keep the invoice generation feature disabled, as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Infinite loop in FLI image reader", }, { cve: "CVE-2021-28677", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958257", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. The readline used in EPS has to deal with any combination of \\r and \\n as line endings. It accidentally used a quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a denial-of-service of Pillow in the open phase, before an image was accepted for opening.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive CPU use in EPS image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-28677", }, { category: "external", summary: "RHBZ#1958257", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958257", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-28677", url: "https://www.cve.org/CVERecord?id=CVE-2021-28677", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28677", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28677", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive CPU use in EPS image reader", }, { cve: "CVE-2021-28678", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958263", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. BlpImagePlugin did not properly check that reads after jumping to file offsets returned data. This could lead to a denial-of-service where the decoder could be run a large number of times on empty data.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive looping in BLP image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-28678", }, { category: "external", summary: "RHBZ#1958263", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958263", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-28678", url: "https://www.cve.org/CVERecord?id=CVE-2021-28678", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28678", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28678", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive looping in BLP image reader", }, { cve: "CVE-2021-34552", cwe: { id: "CWE-119", name: "Improper Restriction of Operations within the Bounds of a Memory Buffer", }, discovery_date: "2021-07-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1982378", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. This flaw allows an attacker to pass controlled parameters directly into a convert function, triggering a buffer overflow in the \"convert()\" or \"ImagingConvertTransparent()\" functions in Convert.c. The highest threat to this vulnerability is to system availability.\r\n\r\nIn Red Hat Quay, a vulnerable version of python-pillow is shipped with quay-registry-container, however the invoice generation feature which uses python-pillow is disabled by default. Therefore impact has been rated Moderate.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Buffer overflow in image convert function", title: "Vulnerability summary", }, { category: "other", text: "Due to the compiler options used, the buffer overflow is detected and the impact is lowered to a crash only. Additionally, the \"mode\" parameter has to be attacker controlled, which is considered a rare case.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-34552", }, { category: "external", summary: "RHBZ#1982378", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1982378", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-34552", url: "https://www.cve.org/CVERecord?id=CVE-2021-34552", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-34552", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-34552", }, { category: "external", summary: "https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow", url: "https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow", }, ], release_date: "2021-07-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this flaw on Red Hat Quay, keep the invoice generation feature disabled, as it is by default.\n\nRed Hat Satellite 6.9 customers can apply following hotfix to eliminate the vulnerability warnings.\n* Download python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm from https://bugzilla.redhat.com/attachment.cgi?id=1819471\n* Stop services:\n# satellite-maintain service stop\n* Upgrade python2-daemon and remove affected package\n# rpm -Uvh python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm\n# yum remove python-pillow\n* Restart services:\n# satellite-maintain service start\n\nSatellite 6.10 future release is also fixing this.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Buffer overflow in image convert function", }, ], }
rhsa-2021_4149
Vulnerability from csaf_redhat
Published
2021-11-09 17:42
Modified
2024-11-13 23:33
Summary
Red Hat Security Advisory: python-pillow security update
Notes
Topic
An update for python-pillow is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities.
Security Fix(es):
* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25287)
* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25288)
* python-pillow: Negative-offset memcpy in TIFF image reader (CVE-2021-25290)
* python-pillow: Regular expression DoS in PDF format parser (CVE-2021-25292)
* python-pillow: Out-of-bounds read in SGI RLE image reader (CVE-2021-25293)
* python-pillow: Excessive memory allocation in BLP image reader (CVE-2021-27921)
* python-pillow: Excessive memory allocation in ICNS image reader (CVE-2021-27922)
* python-pillow: Excessive memory allocation in ICO image reader (CVE-2021-27923)
* python-pillow: Excessive memory allocation in PSD image reader (CVE-2021-28675)
* python-pillow: Infinite loop in FLI image reader (CVE-2021-28676)
* python-pillow: Excessive CPU use in EPS image reader (CVE-2021-28677)
* python-pillow: Excessive looping in BLP image reader (CVE-2021-28678)
* python-pillow: Buffer overflow in image convert function (CVE-2021-34552)
* python-pillow: Buffer over-read in PCX image reader (CVE-2020-35653)
* python-pillow: Buffer over-read in SGI RLE image reader (CVE-2020-35655)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for python-pillow is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities.\n\nSecurity Fix(es):\n\n* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25287)\n\n* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25288)\n\n* python-pillow: Negative-offset memcpy in TIFF image reader (CVE-2021-25290)\n\n* python-pillow: Regular expression DoS in PDF format parser (CVE-2021-25292)\n\n* python-pillow: Out-of-bounds read in SGI RLE image reader (CVE-2021-25293)\n\n* python-pillow: Excessive memory allocation in BLP image reader (CVE-2021-27921)\n\n* python-pillow: Excessive memory allocation in ICNS image reader (CVE-2021-27922)\n\n* python-pillow: Excessive memory allocation in ICO image reader (CVE-2021-27923)\n\n* python-pillow: Excessive memory allocation in PSD image reader (CVE-2021-28675)\n\n* python-pillow: Infinite loop in FLI image reader (CVE-2021-28676)\n\n* python-pillow: Excessive CPU use in EPS image reader (CVE-2021-28677)\n\n* python-pillow: Excessive looping in BLP image reader (CVE-2021-28678)\n\n* python-pillow: Buffer overflow in image convert function (CVE-2021-34552)\n\n* python-pillow: Buffer over-read in PCX image reader (CVE-2020-35653)\n\n* python-pillow: Buffer over-read in SGI RLE image reader (CVE-2020-35655)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2021:4149", url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/", url: "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/", }, { category: "external", summary: "1915420", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1915420", }, { category: "external", summary: "1915432", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1915432", }, { category: "external", summary: "1934685", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934685", }, { category: "external", summary: "1934699", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934699", }, { category: "external", summary: "1934705", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934705", }, { category: "external", summary: "1935384", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935384", }, { category: "external", summary: "1935396", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935396", }, { category: "external", summary: "1935401", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935401", }, { category: "external", summary: "1958226", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958226", }, { category: "external", summary: "1958231", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958231", }, { category: "external", summary: "1958240", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958240", }, { category: "external", summary: "1958252", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958252", }, { category: "external", summary: "1958257", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958257", }, { category: "external", summary: "1958263", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958263", }, { category: "external", summary: "1982378", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1982378", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4149.json", }, ], title: "Red Hat Security Advisory: python-pillow security update", tracking: { current_release_date: "2024-11-13T23:33:33+00:00", generator: { date: "2024-11-13T23:33:33+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.0", }, }, id: "RHSA-2021:4149", initial_release_date: "2021-11-09T17:42:23+00:00", revision_history: [ { date: "2021-11-09T17:42:23+00:00", number: "1", summary: "Initial version", }, { date: "2021-11-09T17:42:23+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-13T23:33:33+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux AppStream (v. 8)", product: { name: "Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA", product_identification_helper: { cpe: "cpe:/a:redhat:enterprise_linux:8::appstream", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "python-pillow-0:5.1.1-16.el8.src", product: { name: "python-pillow-0:5.1.1-16.el8.src", product_id: "python-pillow-0:5.1.1-16.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow@5.1.1-16.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "python3-pillow-0:5.1.1-16.el8.aarch64", product: { name: "python3-pillow-0:5.1.1-16.el8.aarch64", product_id: "python3-pillow-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow@5.1.1-16.el8?arch=aarch64", }, }, }, { category: "product_version", name: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64", product: { name: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64", product_id: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debugsource@5.1.1-16.el8?arch=aarch64", }, }, }, { category: "product_version", name: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product_id: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debuginfo@5.1.1-16.el8?arch=aarch64", }, }, }, { category: "product_version", name: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product_id: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-debuginfo@5.1.1-16.el8?arch=aarch64", }, }, }, { category: "product_version", name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", product: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", product_id: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-tk-debuginfo@5.1.1-16.el8?arch=aarch64", }, }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "python3-pillow-0:5.1.1-16.el8.ppc64le", product: { name: "python3-pillow-0:5.1.1-16.el8.ppc64le", product_id: "python3-pillow-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow@5.1.1-16.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", product: { name: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", product_id: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debugsource@5.1.1-16.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product_id: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debuginfo@5.1.1-16.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product_id: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-debuginfo@5.1.1-16.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", product: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", product_id: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-tk-debuginfo@5.1.1-16.el8?arch=ppc64le", }, }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "python3-pillow-0:5.1.1-16.el8.x86_64", product: { name: "python3-pillow-0:5.1.1-16.el8.x86_64", product_id: "python3-pillow-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow@5.1.1-16.el8?arch=x86_64", }, }, }, { category: "product_version", name: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64", product: { name: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64", product_id: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debugsource@5.1.1-16.el8?arch=x86_64", }, }, }, { category: "product_version", name: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product_id: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debuginfo@5.1.1-16.el8?arch=x86_64", }, }, }, { category: "product_version", name: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product_id: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-debuginfo@5.1.1-16.el8?arch=x86_64", }, }, }, { category: "product_version", name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", product: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", product_id: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-tk-debuginfo@5.1.1-16.el8?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "python3-pillow-0:5.1.1-16.el8.s390x", product: { name: "python3-pillow-0:5.1.1-16.el8.s390x", product_id: "python3-pillow-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow@5.1.1-16.el8?arch=s390x", }, }, }, { category: "product_version", name: "python-pillow-debugsource-0:5.1.1-16.el8.s390x", product: { name: "python-pillow-debugsource-0:5.1.1-16.el8.s390x", product_id: "python-pillow-debugsource-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debugsource@5.1.1-16.el8?arch=s390x", }, }, }, { category: "product_version", name: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x", product: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x", product_id: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debuginfo@5.1.1-16.el8?arch=s390x", }, }, }, { category: "product_version", name: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", product: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", product_id: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-debuginfo@5.1.1-16.el8?arch=s390x", }, }, }, { category: "product_version", name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", product: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", product_id: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-tk-debuginfo@5.1.1-16.el8?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-pillow-0:5.1.1-16.el8.src as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", }, product_reference: "python-pillow-0:5.1.1-16.el8.src", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", }, product_reference: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", }, product_reference: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", }, product_reference: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", }, product_reference: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", }, product_reference: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", }, product_reference: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debugsource-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", }, product_reference: "python-pillow-debugsource-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", }, product_reference: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", }, product_reference: "python3-pillow-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", }, product_reference: "python3-pillow-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", }, product_reference: "python3-pillow-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", }, product_reference: "python3-pillow-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", }, product_reference: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", }, product_reference: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", }, product_reference: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", }, product_reference: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", }, product_reference: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", }, product_reference: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", }, product_reference: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", }, product_reference: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, ], }, vulnerabilities: [ { cve: "CVE-2020-35653", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-01-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1915420", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. The PcxDecode in Pillow has a buffer over-read when decoding a crafted PCX file due to the user-supplied stride value trusted for buffer calculations. The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Buffer over-read in PCX image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-35653", }, { category: "external", summary: "RHBZ#1915420", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1915420", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-35653", url: "https://www.cve.org/CVERecord?id=CVE-2020-35653", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-35653", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-35653", }, { category: "external", summary: "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", url: "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", }, ], release_date: "2021-01-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "python-pillow: Buffer over-read in PCX image reader", }, { cve: "CVE-2020-35655", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-01-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1915432", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Buffer over-read in SGI RLE image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-35655", }, { category: "external", summary: "RHBZ#1915432", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1915432", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-35655", url: "https://www.cve.org/CVERecord?id=CVE-2020-35655", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-35655", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-35655", }, { category: "external", summary: "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", url: "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", }, ], release_date: "2021-01-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "python-pillow: Buffer over-read in SGI RLE image reader", }, { cve: "CVE-2021-25287", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958226", }, ], notes: [ { category: "description", text: "There is an out-of-bounds read in J2kDecode in j2ku_graya_la. For J2k images with multiple bands, it’s legal to have different widths for each band, e.g. 1 byte for L, 4 bytes for A.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Out-of-bounds read in J2K image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25287", }, { category: "external", summary: "RHBZ#1958226", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958226", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25287", url: "https://www.cve.org/CVERecord?id=CVE-2021-25287", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25287", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25287", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Out-of-bounds read in J2K image reader", }, { cve: "CVE-2021-25288", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958231", }, ], notes: [ { category: "description", text: "There is an out-of-bounds read in J2kDecode in j2ku_gray_i. For J2k images with multiple bands, it’s legal to have different widths for each band, e.g. 1 byte for L, 4 bytes for A.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Out-of-bounds read in J2K image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25288", }, { category: "external", summary: "RHBZ#1958231", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958231", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25288", url: "https://www.cve.org/CVERecord?id=CVE-2021-25288", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25288", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25288", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Out-of-bounds read in J2K image reader", }, { cve: "CVE-2021-25290", cwe: { id: "CWE-120", name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", }, discovery_date: "2021-03-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1934685", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. In TiffDecode.c, there is a negative-offset memcpy with an invalid size which could lead to a system crash.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Negative-offset memcpy in TIFF image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25290", }, { category: "external", summary: "RHBZ#1934685", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934685", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25290", url: "https://www.cve.org/CVERecord?id=CVE-2021-25290", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25290", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25290", }, ], release_date: "2021-02-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Negative-offset memcpy in TIFF image reader", }, { cve: "CVE-2021-25292", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2021-03-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1934699", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Regular expression DoS in PDF format parser", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25292", }, { category: "external", summary: "RHBZ#1934699", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934699", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25292", url: "https://www.cve.org/CVERecord?id=CVE-2021-25292", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25292", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25292", }, ], release_date: "2021-02-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Regular expression DoS in PDF format parser", }, { cve: "CVE-2021-25293", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-03-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1934705", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. There is an Out of Bounds Read in SGIRleDecode.c.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Out-of-bounds read in SGI RLE image reader", title: "Vulnerability summary", }, { category: "other", text: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25293", }, { category: "external", summary: "RHBZ#1934705", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934705", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25293", url: "https://www.cve.org/CVERecord?id=CVE-2021-25293", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25293", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25293", }, ], release_date: "2021-02-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Out-of-bounds read in SGI RLE image reader", }, { cve: "CVE-2021-27921", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1935384", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive memory allocation in BLP image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-27921", }, { category: "external", summary: "RHBZ#1935384", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935384", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-27921", url: "https://www.cve.org/CVERecord?id=CVE-2021-27921", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-27921", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-27921", }, ], release_date: "2021-03-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive memory allocation in BLP image reader", }, { cve: "CVE-2021-27922", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1935396", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive memory allocation in ICNS image reader", title: "Vulnerability summary", }, { category: "other", text: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-27922", }, { category: "external", summary: "RHBZ#1935396", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935396", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-27922", url: "https://www.cve.org/CVERecord?id=CVE-2021-27922", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-27922", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-27922", }, ], release_date: "2021-03-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive memory allocation in ICNS image reader", }, { cve: "CVE-2021-27923", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1935401", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive memory allocation in ICO image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-27923", }, { category: "external", summary: "RHBZ#1935401", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935401", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-27923", url: "https://www.cve.org/CVERecord?id=CVE-2021-27923", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-27923", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-27923", }, ], release_date: "2021-03-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive memory allocation in ICO image reader", }, { cve: "CVE-2021-28675", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958240", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. PsdImagePlugin.PsdImageFile does not sanity check the number of input layers with regard to the size of the data block which could lead to a denial-of-service.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive memory allocation in PSD image reader", title: "Vulnerability summary", }, { category: "other", text: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-28675", }, { category: "external", summary: "RHBZ#1958240", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958240", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-28675", url: "https://www.cve.org/CVERecord?id=CVE-2021-28675", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28675", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28675", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive memory allocation in PSD image reader", }, { cve: "CVE-2021-28676", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958252", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. FliDecode.c did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. This issue dates to the PIL fork. The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Infinite loop in FLI image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-28676", }, { category: "external", summary: "RHBZ#1958252", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958252", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-28676", url: "https://www.cve.org/CVERecord?id=CVE-2021-28676", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28676", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28676", }, { category: "external", summary: "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#security", url: "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#security", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay, keep the invoice generation feature disabled, as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Infinite loop in FLI image reader", }, { cve: "CVE-2021-28677", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958257", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. The readline used in EPS has to deal with any combination of \\r and \\n as line endings. It accidentally used a quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a denial-of-service of Pillow in the open phase, before an image was accepted for opening.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive CPU use in EPS image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-28677", }, { category: "external", summary: "RHBZ#1958257", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958257", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-28677", url: "https://www.cve.org/CVERecord?id=CVE-2021-28677", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28677", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28677", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive CPU use in EPS image reader", }, { cve: "CVE-2021-28678", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958263", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. BlpImagePlugin did not properly check that reads after jumping to file offsets returned data. This could lead to a denial-of-service where the decoder could be run a large number of times on empty data.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive looping in BLP image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-28678", }, { category: "external", summary: "RHBZ#1958263", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958263", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-28678", url: "https://www.cve.org/CVERecord?id=CVE-2021-28678", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28678", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28678", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive looping in BLP image reader", }, { cve: "CVE-2021-34552", cwe: { id: "CWE-119", name: "Improper Restriction of Operations within the Bounds of a Memory Buffer", }, discovery_date: "2021-07-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1982378", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. This flaw allows an attacker to pass controlled parameters directly into a convert function, triggering a buffer overflow in the \"convert()\" or \"ImagingConvertTransparent()\" functions in Convert.c. The highest threat to this vulnerability is to system availability.\r\n\r\nIn Red Hat Quay, a vulnerable version of python-pillow is shipped with quay-registry-container, however the invoice generation feature which uses python-pillow is disabled by default. Therefore impact has been rated Moderate.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Buffer overflow in image convert function", title: "Vulnerability summary", }, { category: "other", text: "Due to the compiler options used, the buffer overflow is detected and the impact is lowered to a crash only. Additionally, the \"mode\" parameter has to be attacker controlled, which is considered a rare case.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-34552", }, { category: "external", summary: "RHBZ#1982378", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1982378", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-34552", url: "https://www.cve.org/CVERecord?id=CVE-2021-34552", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-34552", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-34552", }, { category: "external", summary: "https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow", url: "https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow", }, ], release_date: "2021-07-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this flaw on Red Hat Quay, keep the invoice generation feature disabled, as it is by default.\n\nRed Hat Satellite 6.9 customers can apply following hotfix to eliminate the vulnerability warnings.\n* Download python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm from https://bugzilla.redhat.com/attachment.cgi?id=1819471\n* Stop services:\n# satellite-maintain service stop\n* Upgrade python2-daemon and remove affected package\n# rpm -Uvh python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm\n# yum remove python-pillow\n* Restart services:\n# satellite-maintain service start\n\nSatellite 6.10 future release is also fixing this.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Buffer overflow in image convert function", }, ], }
RHSA-2021:4149
Vulnerability from csaf_redhat
Published
2021-11-09 17:42
Modified
2024-11-13 23:33
Summary
Red Hat Security Advisory: python-pillow security update
Notes
Topic
An update for python-pillow is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities.
Security Fix(es):
* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25287)
* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25288)
* python-pillow: Negative-offset memcpy in TIFF image reader (CVE-2021-25290)
* python-pillow: Regular expression DoS in PDF format parser (CVE-2021-25292)
* python-pillow: Out-of-bounds read in SGI RLE image reader (CVE-2021-25293)
* python-pillow: Excessive memory allocation in BLP image reader (CVE-2021-27921)
* python-pillow: Excessive memory allocation in ICNS image reader (CVE-2021-27922)
* python-pillow: Excessive memory allocation in ICO image reader (CVE-2021-27923)
* python-pillow: Excessive memory allocation in PSD image reader (CVE-2021-28675)
* python-pillow: Infinite loop in FLI image reader (CVE-2021-28676)
* python-pillow: Excessive CPU use in EPS image reader (CVE-2021-28677)
* python-pillow: Excessive looping in BLP image reader (CVE-2021-28678)
* python-pillow: Buffer overflow in image convert function (CVE-2021-34552)
* python-pillow: Buffer over-read in PCX image reader (CVE-2020-35653)
* python-pillow: Buffer over-read in SGI RLE image reader (CVE-2020-35655)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for python-pillow is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities.\n\nSecurity Fix(es):\n\n* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25287)\n\n* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25288)\n\n* python-pillow: Negative-offset memcpy in TIFF image reader (CVE-2021-25290)\n\n* python-pillow: Regular expression DoS in PDF format parser (CVE-2021-25292)\n\n* python-pillow: Out-of-bounds read in SGI RLE image reader (CVE-2021-25293)\n\n* python-pillow: Excessive memory allocation in BLP image reader (CVE-2021-27921)\n\n* python-pillow: Excessive memory allocation in ICNS image reader (CVE-2021-27922)\n\n* python-pillow: Excessive memory allocation in ICO image reader (CVE-2021-27923)\n\n* python-pillow: Excessive memory allocation in PSD image reader (CVE-2021-28675)\n\n* python-pillow: Infinite loop in FLI image reader (CVE-2021-28676)\n\n* python-pillow: Excessive CPU use in EPS image reader (CVE-2021-28677)\n\n* python-pillow: Excessive looping in BLP image reader (CVE-2021-28678)\n\n* python-pillow: Buffer overflow in image convert function (CVE-2021-34552)\n\n* python-pillow: Buffer over-read in PCX image reader (CVE-2020-35653)\n\n* python-pillow: Buffer over-read in SGI RLE image reader (CVE-2020-35655)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2021:4149", url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/", url: "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/", }, { category: "external", summary: "1915420", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1915420", }, { category: "external", summary: "1915432", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1915432", }, { category: "external", summary: "1934685", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934685", }, { category: "external", summary: "1934699", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934699", }, { category: "external", summary: "1934705", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934705", }, { category: "external", summary: "1935384", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935384", }, { category: "external", summary: "1935396", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935396", }, { category: "external", summary: "1935401", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935401", }, { category: "external", summary: "1958226", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958226", }, { category: "external", summary: "1958231", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958231", }, { category: "external", summary: "1958240", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958240", }, { category: "external", summary: "1958252", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958252", }, { category: "external", summary: "1958257", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958257", }, { category: "external", summary: "1958263", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958263", }, { category: "external", summary: "1982378", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1982378", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4149.json", }, ], title: "Red Hat Security Advisory: python-pillow security update", tracking: { current_release_date: "2024-11-13T23:33:33+00:00", generator: { date: "2024-11-13T23:33:33+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.0", }, }, id: "RHSA-2021:4149", initial_release_date: "2021-11-09T17:42:23+00:00", revision_history: [ { date: "2021-11-09T17:42:23+00:00", number: "1", summary: "Initial version", }, { date: "2021-11-09T17:42:23+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-13T23:33:33+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux AppStream (v. 8)", product: { name: "Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA", product_identification_helper: { cpe: "cpe:/a:redhat:enterprise_linux:8::appstream", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "python-pillow-0:5.1.1-16.el8.src", product: { name: "python-pillow-0:5.1.1-16.el8.src", product_id: "python-pillow-0:5.1.1-16.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow@5.1.1-16.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "python3-pillow-0:5.1.1-16.el8.aarch64", product: { name: "python3-pillow-0:5.1.1-16.el8.aarch64", product_id: "python3-pillow-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow@5.1.1-16.el8?arch=aarch64", }, }, }, { category: "product_version", name: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64", product: { name: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64", product_id: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debugsource@5.1.1-16.el8?arch=aarch64", }, }, }, { category: "product_version", name: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product_id: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debuginfo@5.1.1-16.el8?arch=aarch64", }, }, }, { category: "product_version", name: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product_id: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-debuginfo@5.1.1-16.el8?arch=aarch64", }, }, }, { category: "product_version", name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", product: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", product_id: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-tk-debuginfo@5.1.1-16.el8?arch=aarch64", }, }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "python3-pillow-0:5.1.1-16.el8.ppc64le", product: { name: "python3-pillow-0:5.1.1-16.el8.ppc64le", product_id: "python3-pillow-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow@5.1.1-16.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", product: { name: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", product_id: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debugsource@5.1.1-16.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product_id: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debuginfo@5.1.1-16.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product_id: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-debuginfo@5.1.1-16.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", product: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", product_id: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-tk-debuginfo@5.1.1-16.el8?arch=ppc64le", }, }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "python3-pillow-0:5.1.1-16.el8.x86_64", product: { name: "python3-pillow-0:5.1.1-16.el8.x86_64", product_id: "python3-pillow-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow@5.1.1-16.el8?arch=x86_64", }, }, }, { category: "product_version", name: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64", product: { name: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64", product_id: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debugsource@5.1.1-16.el8?arch=x86_64", }, }, }, { category: "product_version", name: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product_id: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debuginfo@5.1.1-16.el8?arch=x86_64", }, }, }, { category: "product_version", name: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product_id: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-debuginfo@5.1.1-16.el8?arch=x86_64", }, }, }, { category: "product_version", name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", product: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", product_id: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-tk-debuginfo@5.1.1-16.el8?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "python3-pillow-0:5.1.1-16.el8.s390x", product: { name: "python3-pillow-0:5.1.1-16.el8.s390x", product_id: "python3-pillow-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow@5.1.1-16.el8?arch=s390x", }, }, }, { category: "product_version", name: "python-pillow-debugsource-0:5.1.1-16.el8.s390x", product: { name: "python-pillow-debugsource-0:5.1.1-16.el8.s390x", product_id: "python-pillow-debugsource-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debugsource@5.1.1-16.el8?arch=s390x", }, }, }, { category: "product_version", name: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x", product: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x", product_id: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python-pillow-debuginfo@5.1.1-16.el8?arch=s390x", }, }, }, { category: "product_version", name: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", product: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", product_id: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-debuginfo@5.1.1-16.el8?arch=s390x", }, }, }, { category: "product_version", name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", product: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", product_id: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/python3-pillow-tk-debuginfo@5.1.1-16.el8?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-pillow-0:5.1.1-16.el8.src as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", }, product_reference: "python-pillow-0:5.1.1-16.el8.src", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", }, product_reference: "python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", }, product_reference: "python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", }, product_reference: "python-pillow-debuginfo-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", }, product_reference: "python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", }, product_reference: "python-pillow-debugsource-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", }, product_reference: "python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debugsource-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", }, product_reference: "python-pillow-debugsource-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", }, product_reference: "python-pillow-debugsource-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", }, product_reference: "python3-pillow-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", }, product_reference: "python3-pillow-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", }, product_reference: "python3-pillow-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", }, product_reference: "python3-pillow-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", }, product_reference: "python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", }, product_reference: "python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", }, product_reference: "python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", }, product_reference: "python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", }, product_reference: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", }, product_reference: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", }, product_reference: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", relates_to_product_reference: "AppStream-8.5.0.GA", }, { category: "default_component_of", full_product_name: { name: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)", product_id: "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", }, product_reference: "python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", relates_to_product_reference: "AppStream-8.5.0.GA", }, ], }, vulnerabilities: [ { cve: "CVE-2020-35653", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-01-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1915420", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. The PcxDecode in Pillow has a buffer over-read when decoding a crafted PCX file due to the user-supplied stride value trusted for buffer calculations. The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Buffer over-read in PCX image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-35653", }, { category: "external", summary: "RHBZ#1915420", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1915420", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-35653", url: "https://www.cve.org/CVERecord?id=CVE-2020-35653", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-35653", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-35653", }, { category: "external", summary: "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", url: "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", }, ], release_date: "2021-01-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "python-pillow: Buffer over-read in PCX image reader", }, { cve: "CVE-2020-35655", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-01-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1915432", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Buffer over-read in SGI RLE image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-35655", }, { category: "external", summary: "RHBZ#1915432", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1915432", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-35655", url: "https://www.cve.org/CVERecord?id=CVE-2020-35655", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-35655", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-35655", }, { category: "external", summary: "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", url: "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", }, ], release_date: "2021-01-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "python-pillow: Buffer over-read in SGI RLE image reader", }, { cve: "CVE-2021-25287", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958226", }, ], notes: [ { category: "description", text: "There is an out-of-bounds read in J2kDecode in j2ku_graya_la. For J2k images with multiple bands, it’s legal to have different widths for each band, e.g. 1 byte for L, 4 bytes for A.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Out-of-bounds read in J2K image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25287", }, { category: "external", summary: "RHBZ#1958226", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958226", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25287", url: "https://www.cve.org/CVERecord?id=CVE-2021-25287", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25287", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25287", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Out-of-bounds read in J2K image reader", }, { cve: "CVE-2021-25288", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958231", }, ], notes: [ { category: "description", text: "There is an out-of-bounds read in J2kDecode in j2ku_gray_i. For J2k images with multiple bands, it’s legal to have different widths for each band, e.g. 1 byte for L, 4 bytes for A.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Out-of-bounds read in J2K image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25288", }, { category: "external", summary: "RHBZ#1958231", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958231", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25288", url: "https://www.cve.org/CVERecord?id=CVE-2021-25288", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25288", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25288", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Out-of-bounds read in J2K image reader", }, { cve: "CVE-2021-25290", cwe: { id: "CWE-120", name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", }, discovery_date: "2021-03-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1934685", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. In TiffDecode.c, there is a negative-offset memcpy with an invalid size which could lead to a system crash.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Negative-offset memcpy in TIFF image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25290", }, { category: "external", summary: "RHBZ#1934685", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934685", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25290", url: "https://www.cve.org/CVERecord?id=CVE-2021-25290", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25290", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25290", }, ], release_date: "2021-02-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Negative-offset memcpy in TIFF image reader", }, { cve: "CVE-2021-25292", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2021-03-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1934699", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Regular expression DoS in PDF format parser", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25292", }, { category: "external", summary: "RHBZ#1934699", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934699", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25292", url: "https://www.cve.org/CVERecord?id=CVE-2021-25292", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25292", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25292", }, ], release_date: "2021-02-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Regular expression DoS in PDF format parser", }, { cve: "CVE-2021-25293", cwe: { id: "CWE-125", name: "Out-of-bounds Read", }, discovery_date: "2021-03-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1934705", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. There is an Out of Bounds Read in SGIRleDecode.c.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Out-of-bounds read in SGI RLE image reader", title: "Vulnerability summary", }, { category: "other", text: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-25293", }, { category: "external", summary: "RHBZ#1934705", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934705", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-25293", url: "https://www.cve.org/CVERecord?id=CVE-2021-25293", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-25293", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-25293", }, ], release_date: "2021-02-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Out-of-bounds read in SGI RLE image reader", }, { cve: "CVE-2021-27921", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1935384", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive memory allocation in BLP image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-27921", }, { category: "external", summary: "RHBZ#1935384", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935384", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-27921", url: "https://www.cve.org/CVERecord?id=CVE-2021-27921", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-27921", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-27921", }, ], release_date: "2021-03-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive memory allocation in BLP image reader", }, { cve: "CVE-2021-27922", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1935396", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive memory allocation in ICNS image reader", title: "Vulnerability summary", }, { category: "other", text: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-27922", }, { category: "external", summary: "RHBZ#1935396", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935396", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-27922", url: "https://www.cve.org/CVERecord?id=CVE-2021-27922", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-27922", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-27922", }, ], release_date: "2021-03-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive memory allocation in ICNS image reader", }, { cve: "CVE-2021-27923", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1935401", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive memory allocation in ICO image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-27923", }, { category: "external", summary: "RHBZ#1935401", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935401", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-27923", url: "https://www.cve.org/CVERecord?id=CVE-2021-27923", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-27923", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-27923", }, ], release_date: "2021-03-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive memory allocation in ICO image reader", }, { cve: "CVE-2021-28675", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958240", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. PsdImagePlugin.PsdImageFile does not sanity check the number of input layers with regard to the size of the data block which could lead to a denial-of-service.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive memory allocation in PSD image reader", title: "Vulnerability summary", }, { category: "other", text: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-28675", }, { category: "external", summary: "RHBZ#1958240", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958240", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-28675", url: "https://www.cve.org/CVERecord?id=CVE-2021-28675", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28675", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28675", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive memory allocation in PSD image reader", }, { cve: "CVE-2021-28676", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958252", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. FliDecode.c did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. This issue dates to the PIL fork. The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Infinite loop in FLI image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-28676", }, { category: "external", summary: "RHBZ#1958252", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958252", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-28676", url: "https://www.cve.org/CVERecord?id=CVE-2021-28676", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28676", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28676", }, { category: "external", summary: "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#security", url: "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#security", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay, keep the invoice generation feature disabled, as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Infinite loop in FLI image reader", }, { cve: "CVE-2021-28677", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958257", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. The readline used in EPS has to deal with any combination of \\r and \\n as line endings. It accidentally used a quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a denial-of-service of Pillow in the open phase, before an image was accepted for opening.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive CPU use in EPS image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-28677", }, { category: "external", summary: "RHBZ#1958257", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958257", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-28677", url: "https://www.cve.org/CVERecord?id=CVE-2021-28677", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28677", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28677", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive CPU use in EPS image reader", }, { cve: "CVE-2021-28678", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2021-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1958263", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. BlpImagePlugin did not properly check that reads after jumping to file offsets returned data. This could lead to a denial-of-service where the decoder could be run a large number of times on empty data.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Excessive looping in BLP image reader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-28678", }, { category: "external", summary: "RHBZ#1958263", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1958263", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-28678", url: "https://www.cve.org/CVERecord?id=CVE-2021-28678", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28678", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28678", }, ], release_date: "2021-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Excessive looping in BLP image reader", }, { cve: "CVE-2021-34552", cwe: { id: "CWE-119", name: "Improper Restriction of Operations within the Bounds of a Memory Buffer", }, discovery_date: "2021-07-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1982378", }, ], notes: [ { category: "description", text: "A flaw was found in python-pillow. This flaw allows an attacker to pass controlled parameters directly into a convert function, triggering a buffer overflow in the \"convert()\" or \"ImagingConvertTransparent()\" functions in Convert.c. The highest threat to this vulnerability is to system availability.\r\n\r\nIn Red Hat Quay, a vulnerable version of python-pillow is shipped with quay-registry-container, however the invoice generation feature which uses python-pillow is disabled by default. Therefore impact has been rated Moderate.", title: "Vulnerability description", }, { category: "summary", text: "python-pillow: Buffer overflow in image convert function", title: "Vulnerability summary", }, { category: "other", text: "Due to the compiler options used, the buffer overflow is detected and the impact is lowered to a crash only. Additionally, the \"mode\" parameter has to be attacker controlled, which is considered a rare case.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-34552", }, { category: "external", summary: "RHBZ#1982378", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1982378", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-34552", url: "https://www.cve.org/CVERecord?id=CVE-2021-34552", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-34552", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-34552", }, { category: "external", summary: "https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow", url: "https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow", }, ], release_date: "2021-07-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-11-09T17:42:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "workaround", details: "To mitigate this flaw on Red Hat Quay, keep the invoice generation feature disabled, as it is by default.\n\nRed Hat Satellite 6.9 customers can apply following hotfix to eliminate the vulnerability warnings.\n* Download python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm from https://bugzilla.redhat.com/attachment.cgi?id=1819471\n* Stop services:\n# satellite-maintain service stop\n* Upgrade python2-daemon and remove affected package\n# rpm -Uvh python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm\n# yum remove python-pillow\n* Restart services:\n# satellite-maintain service start\n\nSatellite 6.10 future release is also fixing this.", product_ids: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AppStream-8.5.0.GA:python-pillow-0:5.1.1-16.el8.src", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python-pillow-debugsource-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-debuginfo-0:5.1.1-16.el8.x86_64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.aarch64", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.ppc64le", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.s390x", "AppStream-8.5.0.GA:python3-pillow-tk-debuginfo-0:5.1.1-16.el8.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-pillow: Buffer overflow in image convert function", }, ], }
pysec-2021-71
Vulnerability from pysec
Published
2021-01-12 09:15
Modified
2021-01-29 00:46
Details
In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.
Impacted products
| Name | purl |
|---|---|
| pillow | pkg:pypi/pillow |
Aliases
{ affected: [ { package: { ecosystem: "PyPI", name: "pillow", purl: "pkg:pypi/pillow", }, ranges: [ { events: [ { introduced: "4.3.0", }, { fixed: "8.1.0", }, ], type: "ECOSYSTEM", }, ], versions: [ "4.3.0", "5.0.0", "5.1.0", "5.2.0", "5.3.0", "5.4.0.dev0", "5.4.0", "5.4.1", "6.0.0", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "7.0.0", "7.1.0", "7.1.1", "7.1.2", "7.2.0", "8.0.0", "8.0.1", ], }, ], aliases: [ "CVE-2020-35655", "GHSA-hf64-x4gq-p99h", ], details: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", id: "PYSEC-2021-71", modified: "2021-01-29T00:46:00Z", published: "2021-01-12T09:15:00Z", references: [ { type: "WEB", url: "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", }, { type: "WEB", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/", }, { type: "WEB", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/", }, { type: "ADVISORY", url: "https://github.com/advisories/GHSA-hf64-x4gq-p99h", }, ], }
wid-sec-w-2022-1835
Vulnerability from csaf_certbund
Published
2021-11-09 23:00
Modified
2024-06-13 22:00
Summary
Red Hat Enterprise Linux (python-pillow): Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux in python-pillow ausnutzen, um einen Denial of Service Angriff durchzuführen und vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
- UNIX
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux in python-pillow ausnutzen, um einen Denial of Service Angriff durchzuführen und vertrauliche Informationen offenzulegen.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2022-1835 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-1835.json", }, { category: "self", summary: "WID-SEC-2022-1835 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1835", }, { category: "external", summary: "Red Hat Security Advisory vom 2021-11-09", url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2021:4702 vom 2021-11-16", url: "https://access.redhat.com/errata/RHSA-2021:4702", }, { category: "external", summary: "Ubuntu Security Notice USN-5227-1 vom 2022-01-17", url: "https://packetstormsecurity.com/files/165588/USN-5227-2.txt", }, { category: "external", summary: "Ubuntu Security Notice USN-5227-3 vom 2022-10-24", url: "https://ubuntu.com/security/notices/USN-5227-3", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS2-2023-2083 vom 2023-06-08", url: "https://alas.aws.amazon.com/AL2/ALAS-2023-2083.html", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS-2023-2087 vom 2023-06-13", url: "https://alas.aws.amazon.com/AL2/ALAS-2023-2087.html", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS2-2023-2105 vom 2023-07-01", url: "https://alas.aws.amazon.com/AL2/ALAS-2023-2105.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:1607-1 vom 2024-05-11", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/G2ZGHJ52ROAMO32KNZTUOETPD6QKSIDY/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:1673-2 vom 2024-06-13", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018714.html", }, ], source_lang: "en-US", title: "Red Hat Enterprise Linux (python-pillow): Mehrere Schwachstellen", tracking: { current_release_date: "2024-06-13T22:00:00.000+00:00", generator: { date: "2024-08-15T17:36:59.405+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2022-1835", initial_release_date: "2021-11-09T23:00:00.000+00:00", revision_history: [ { date: "2021-11-09T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2021-11-10T23:00:00.000+00:00", number: "2", summary: "Anpassung", }, { date: "2021-11-16T23:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2022-01-17T23:00:00.000+00:00", number: "4", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2022-10-24T22:00:00.000+00:00", number: "5", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2023-06-08T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2023-06-12T22:00:00.000+00:00", number: "7", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2023-07-02T22:00:00.000+00:00", number: "8", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2024-05-12T22:00:00.000+00:00", number: "9", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-06-13T22:00:00.000+00:00", number: "10", summary: "Neue Updates von SUSE aufgenommen", }, ], status: "final", version: "10", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Amazon Linux 2", product: { name: "Amazon Linux 2", product_id: "398363", product_identification_helper: { cpe: "cpe:/o:amazon:linux_2:-", }, }, }, ], category: "vendor", name: "Amazon", }, { branches: [ { branches: [ { category: "product_version", name: "Pillow", product: { name: "Open Source Python Pillow", product_id: "T020996", product_identification_helper: { cpe: "cpe:/a:python:python:pillow", }, }, }, ], category: "product_name", name: "Python", }, ], category: "vendor", name: "Open Source", }, { branches: [ { branches: [ { category: "product_version", name: "8", product: { name: "Red Hat Enterprise Linux 8", product_id: "T014111", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:8", }, }, }, ], category: "product_name", name: "Enterprise Linux", }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2020-35653", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2020-35653", }, { cve: "CVE-2020-35655", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2020-35655", }, { cve: "CVE-2021-25287", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-25287", }, { cve: "CVE-2021-25288", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-25288", }, { cve: "CVE-2021-25290", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-25290", }, { cve: "CVE-2021-25292", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-25292", }, { cve: "CVE-2021-25293", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-25293", }, { cve: "CVE-2021-27921", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-27921", }, { cve: "CVE-2021-27922", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-27922", }, { cve: "CVE-2021-27923", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-27923", }, { cve: "CVE-2021-28675", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-28675", }, { cve: "CVE-2021-28676", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-28676", }, { cve: "CVE-2021-28677", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-28677", }, { cve: "CVE-2021-28678", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-28678", }, { cve: "CVE-2021-34552", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-34552", }, ], }
WID-SEC-W-2022-1835
Vulnerability from csaf_certbund
Published
2021-11-09 23:00
Modified
2024-06-13 22:00
Summary
Red Hat Enterprise Linux (python-pillow): Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux in python-pillow ausnutzen, um einen Denial of Service Angriff durchzuführen und vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
- UNIX
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux in python-pillow ausnutzen, um einen Denial of Service Angriff durchzuführen und vertrauliche Informationen offenzulegen.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2022-1835 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-1835.json", }, { category: "self", summary: "WID-SEC-2022-1835 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1835", }, { category: "external", summary: "Red Hat Security Advisory vom 2021-11-09", url: "https://access.redhat.com/errata/RHSA-2021:4149", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2021:4702 vom 2021-11-16", url: "https://access.redhat.com/errata/RHSA-2021:4702", }, { category: "external", summary: "Ubuntu Security Notice USN-5227-1 vom 2022-01-17", url: "https://packetstormsecurity.com/files/165588/USN-5227-2.txt", }, { category: "external", summary: "Ubuntu Security Notice USN-5227-3 vom 2022-10-24", url: "https://ubuntu.com/security/notices/USN-5227-3", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS2-2023-2083 vom 2023-06-08", url: "https://alas.aws.amazon.com/AL2/ALAS-2023-2083.html", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS-2023-2087 vom 2023-06-13", url: "https://alas.aws.amazon.com/AL2/ALAS-2023-2087.html", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS2-2023-2105 vom 2023-07-01", url: "https://alas.aws.amazon.com/AL2/ALAS-2023-2105.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:1607-1 vom 2024-05-11", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/G2ZGHJ52ROAMO32KNZTUOETPD6QKSIDY/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:1673-2 vom 2024-06-13", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018714.html", }, ], source_lang: "en-US", title: "Red Hat Enterprise Linux (python-pillow): Mehrere Schwachstellen", tracking: { current_release_date: "2024-06-13T22:00:00.000+00:00", generator: { date: "2024-08-15T17:36:59.405+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2022-1835", initial_release_date: "2021-11-09T23:00:00.000+00:00", revision_history: [ { date: "2021-11-09T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2021-11-10T23:00:00.000+00:00", number: "2", summary: "Anpassung", }, { date: "2021-11-16T23:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2022-01-17T23:00:00.000+00:00", number: "4", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2022-10-24T22:00:00.000+00:00", number: "5", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2023-06-08T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2023-06-12T22:00:00.000+00:00", number: "7", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2023-07-02T22:00:00.000+00:00", number: "8", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2024-05-12T22:00:00.000+00:00", number: "9", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-06-13T22:00:00.000+00:00", number: "10", summary: "Neue Updates von SUSE aufgenommen", }, ], status: "final", version: "10", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Amazon Linux 2", product: { name: "Amazon Linux 2", product_id: "398363", product_identification_helper: { cpe: "cpe:/o:amazon:linux_2:-", }, }, }, ], category: "vendor", name: "Amazon", }, { branches: [ { branches: [ { category: "product_version", name: "Pillow", product: { name: "Open Source Python Pillow", product_id: "T020996", product_identification_helper: { cpe: "cpe:/a:python:python:pillow", }, }, }, ], category: "product_name", name: "Python", }, ], category: "vendor", name: "Open Source", }, { branches: [ { branches: [ { category: "product_version", name: "8", product: { name: "Red Hat Enterprise Linux 8", product_id: "T014111", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:8", }, }, }, ], category: "product_name", name: "Enterprise Linux", }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2020-35653", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2020-35653", }, { cve: "CVE-2020-35655", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2020-35655", }, { cve: "CVE-2021-25287", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-25287", }, { cve: "CVE-2021-25288", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-25288", }, { cve: "CVE-2021-25290", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-25290", }, { cve: "CVE-2021-25292", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-25292", }, { cve: "CVE-2021-25293", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-25293", }, { cve: "CVE-2021-27921", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-27921", }, { cve: "CVE-2021-27922", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-27922", }, { cve: "CVE-2021-27923", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-27923", }, { cve: "CVE-2021-28675", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-28675", }, { cve: "CVE-2021-28676", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-28676", }, { cve: "CVE-2021-28677", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-28677", }, { cve: "CVE-2021-28678", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-28678", }, { cve: "CVE-2021-34552", notes: [ { category: "description", text: "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente Python Pillow aufgrund mehrerer Out-of-Bounds-Reads, eines negativen Offsets, eines Fehlers bei regulären Ausdrücken, mehrerer übermäßiger Speicherzuweisungen, einer Endlosschleife, übermäßiger CPU-Auslastung, übermäßiger Schleifenbildung, eines Pufferüberlaufs und mehrerer Puffer-Over-Reads. Ein entfernter anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.", }, ], product_status: { known_affected: [ "T002207", "T000126", "T020996", "398363", "T014111", ], }, release_date: "2021-11-09T23:00:00.000+00:00", title: "CVE-2021-34552", }, ], }
fkie_cve-2020-35655
Vulnerability from fkie_nvd
Published
2021-01-12 09:15
Modified
2024-11-21 05:27
Severity ?
Summary
In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| python | pillow | * | |
| fedoraproject | fedora | 32 | |
| fedoraproject | fedora | 33 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*", matchCriteriaId: "6A90CD66-3F45-4C16-9B6A-3B5F68A97E0A", versionEndExcluding: "8.1.0", versionStartIncluding: "4.3.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", matchCriteriaId: "36D96259-24BD-44E2-96D9-78CE1D41F956", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", }, { lang: "es", value: "En Pillow versiones anteriores a 8.1.0, la función SGIRleDecode presenta una lectura excesiva de búfer de 4 bytes cuando se decodifican archivos de imagen SGI RLE diseñados porque unas compensaciones y unas tablas de longitud se manejan inapropiadamente", }, ], id: "CVE-2020-35655", lastModified: "2024-11-21T05:27:46.460", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-01-12T09:15:13.967", references: [ { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/", }, { source: "cve@mitre.org", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-125", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
ghsa-hf64-x4gq-p99h
Vulnerability from github
Published
2021-03-18 19:55
Modified
2024-10-08 13:05
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
Pillow Out-of-bounds Read
Details
In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.
{ affected: [ { package: { ecosystem: "PyPI", name: "pillow", }, ranges: [ { events: [ { introduced: "4.3.0", }, { fixed: "8.1.0", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2020-35655", ], database_specific: { cwe_ids: [ "CWE-125", ], github_reviewed: true, github_reviewed_at: "2021-03-12T23:17:03Z", nvd_published_at: "2021-01-12T09:15:00Z", severity: "MODERATE", }, details: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", id: "GHSA-hf64-x4gq-p99h", modified: "2024-10-08T13:05:15Z", published: "2021-03-18T19:55:34Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-35655", }, { type: "WEB", url: "https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf", }, { type: "WEB", url: "https://github.com/python-pillow/Pillow/commit/7e95c63fa7f503f185d3d9eb16b9cee1e54d1e46", }, { type: "ADVISORY", url: "https://github.com/advisories/GHSA-hf64-x4gq-p99h", }, { type: "WEB", url: "https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-71.yaml", }, { type: "PACKAGE", url: "https://github.com/python-pillow/Pillow", }, { type: "WEB", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE", }, { type: "WEB", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD", }, { type: "WEB", url: "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", type: "CVSS_V3", }, { score: "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N", type: "CVSS_V4", }, ], summary: "Pillow Out-of-bounds Read", }
gsd-2020-35655
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.
Aliases
Aliases
{ GSD: { alias: "CVE-2020-35655", description: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", id: "GSD-2020-35655", references: [ "https://www.suse.com/security/cve/CVE-2020-35655.html", "https://access.redhat.com/errata/RHSA-2021:4149", "https://ubuntu.com/security/CVE-2020-35655", "https://security.archlinux.org/CVE-2020-35655", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2020-35655", ], details: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", id: "GSD-2020-35655", modified: "2023-12-13T01:22:01.085671Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-35655", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", refsource: "MISC", url: "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", }, { name: "FEDORA-2021-a8ddc1ce70", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/", }, { name: "FEDORA-2021-880aa7bd27", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: ">=4.3.0,<8.1.0", affected_versions: "All versions starting from 4.3.0 before 8.1.0", cvss_v2: "AV:N/AC:M/Au:N/C:P/I:N/A:P", cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", cwe_ids: [ "CWE-1035", "CWE-125", "CWE-937", ], date: "2021-01-29", description: "In Pillow, `SGIRleDecode` has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", fixed_versions: [ "8.1.0", ], identifier: "CVE-2020-35655", identifiers: [ "CVE-2020-35655", ], not_impacted: "All versions before 4.3.0, all versions starting from 8.1.0", package_slug: "pypi/Pillow", pubdate: "2021-01-12", solution: "Upgrade to version 8.1.0 or above.", title: "Out-of-bounds Read", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2020-35655", ], uuid: "b5f0351b-3378-4dd7-aae6-f4f8115e5514", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "8.1.0", versionStartIncluding: "4.3.0", vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-35655", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-125", }, ], }, ], }, references: { reference_data: [ { name: "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", refsource: "MISC", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", }, { name: "FEDORA-2021-880aa7bd27", refsource: "FEDORA", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/", }, { name: "FEDORA-2021-a8ddc1ce70", refsource: "FEDORA", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/", }, ], }, }, impact: { baseMetricV2: { acInsufInfo: false, cvssV2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: true, }, baseMetricV3: { cvssV3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.5, }, }, lastModifiedDate: "2021-01-29T00:46Z", publishedDate: "2021-01-12T09:15Z", }, }, }
suse-su-2021:1938-1
Vulnerability from csaf_suse
Published
2021-06-10 08:49
Modified
2021-06-10 08:49
Summary
Security update for python-Pillow
Notes
Title of the patch
Security update for python-Pillow
Description of the patch
This update for python-Pillow fixes the following issues:
- CVE-2020-35655: Fixed a buffer over-read when decoding crafted SGI RLE image files (bsc#1180832).
- CVE-2021-25293: Fixed an out-of-bounds read in SGIRleDecode.c (bsc#1183102).
- CVE-2021-25290: Fixed a negative-offset memcpy with an invalid size in TiffDecode.c (bsc#1183105).
- CVE-2021-25292: Fixed a backtracking regex in PDF parser could be used as a DOS attack (bsc#1183101).
- CVE-2021-27921,CVE-2021-27922,CVE-2021-27923: Fixed improper reported size of a contained image (bsc#1183110,bsc#1183108,bsc#1183107)
- CVE-2020-35653: Fixed buffer over-read in PcxDecode when decoding a crafted PCX file (bsc#1180834).
- CVE-2021-25287: Fixed out-of-bounds read in J2kDecode in j2ku_graya_la (bsc#1185805).
- CVE-2021-25288: Fixed out-of-bounds read in J2kDecode in j2ku_gray_i (bsc#1185803).
- CVE-2021-28675: Fixed DoS in PsdImagePlugin (bsc#1185804).
- CVE-2021-28678: Fixed improper check in BlpImagePlugin (bsc#1185784).
- CVE-2021-28677: Fixed DoS in the open phase via a malicious EPS file (bsc#1185785).
- CVE-2021-28676: Fixed infinite loop in FliDecode.c (bsc#1185786).
Patchnames
SUSE-2021-1938,SUSE-OpenStack-Cloud-9-2021-1938,SUSE-OpenStack-Cloud-Crowbar-9-2021-1938
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-Pillow", title: "Title of the patch", }, { category: "description", text: "This update for python-Pillow fixes the following issues:\n\n- CVE-2020-35655: Fixed a buffer over-read when decoding crafted SGI RLE image files (bsc#1180832).\n- CVE-2021-25293: Fixed an out-of-bounds read in SGIRleDecode.c (bsc#1183102).\n- CVE-2021-25290: Fixed a negative-offset memcpy with an invalid size in TiffDecode.c (bsc#1183105).\n- CVE-2021-25292: Fixed a backtracking regex in PDF parser could be used as a DOS attack (bsc#1183101).\n- CVE-2021-27921,CVE-2021-27922,CVE-2021-27923: Fixed improper reported size of a contained image (bsc#1183110,bsc#1183108,bsc#1183107)\n- CVE-2020-35653: Fixed buffer over-read in PcxDecode when decoding a crafted PCX file (bsc#1180834).\n- CVE-2021-25287: Fixed out-of-bounds read in J2kDecode in j2ku_graya_la (bsc#1185805).\n- CVE-2021-25288: Fixed out-of-bounds read in J2kDecode in j2ku_gray_i (bsc#1185803).\n- CVE-2021-28675: Fixed DoS in PsdImagePlugin (bsc#1185804).\n- CVE-2021-28678: Fixed improper check in BlpImagePlugin (bsc#1185784).\n- CVE-2021-28677: Fixed DoS in the open phase via a malicious EPS file (bsc#1185785).\n- CVE-2021-28676: Fixed infinite loop in FliDecode.c (bsc#1185786).\n", title: "Description of the patch", }, { category: "details", text: "SUSE-2021-1938,SUSE-OpenStack-Cloud-9-2021-1938,SUSE-OpenStack-Cloud-Crowbar-9-2021-1938", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_1938-1.json", }, { category: "self", summary: "URL for SUSE-SU-2021:1938-1", url: "https://www.suse.com/support/update/announcement/2021/suse-su-20211938-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2021:1938-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2021-June/008981.html", }, { category: "self", summary: "SUSE Bug 1180832", url: "https://bugzilla.suse.com/1180832", }, { category: "self", summary: "SUSE Bug 1180834", url: "https://bugzilla.suse.com/1180834", }, { category: "self", summary: "SUSE Bug 1183101", url: "https://bugzilla.suse.com/1183101", }, { category: "self", summary: "SUSE Bug 1183102", url: "https://bugzilla.suse.com/1183102", }, { category: "self", summary: "SUSE Bug 1183105", url: "https://bugzilla.suse.com/1183105", }, { category: "self", summary: "SUSE Bug 1183107", url: "https://bugzilla.suse.com/1183107", }, { category: "self", summary: "SUSE Bug 1183108", url: "https://bugzilla.suse.com/1183108", }, { category: "self", summary: "SUSE Bug 1183110", url: "https://bugzilla.suse.com/1183110", }, { category: "self", summary: "SUSE Bug 1185784", url: "https://bugzilla.suse.com/1185784", }, { category: "self", summary: "SUSE Bug 1185785", url: "https://bugzilla.suse.com/1185785", }, { category: "self", summary: "SUSE Bug 1185786", url: "https://bugzilla.suse.com/1185786", }, { category: "self", summary: "SUSE Bug 1185803", url: "https://bugzilla.suse.com/1185803", }, { category: "self", summary: "SUSE Bug 1185804", url: "https://bugzilla.suse.com/1185804", }, { category: "self", summary: "SUSE Bug 1185805", url: "https://bugzilla.suse.com/1185805", }, { category: "self", summary: "SUSE CVE CVE-2020-35653 page", url: "https://www.suse.com/security/cve/CVE-2020-35653/", }, { category: "self", summary: "SUSE CVE CVE-2020-35655 page", url: "https://www.suse.com/security/cve/CVE-2020-35655/", }, { category: "self", summary: "SUSE CVE CVE-2021-25287 page", url: "https://www.suse.com/security/cve/CVE-2021-25287/", }, { category: "self", summary: "SUSE CVE CVE-2021-25288 page", url: "https://www.suse.com/security/cve/CVE-2021-25288/", }, { category: "self", summary: "SUSE CVE CVE-2021-25290 page", url: "https://www.suse.com/security/cve/CVE-2021-25290/", }, { category: "self", summary: "SUSE CVE CVE-2021-25292 page", url: "https://www.suse.com/security/cve/CVE-2021-25292/", }, { category: "self", summary: "SUSE CVE CVE-2021-25293 page", url: "https://www.suse.com/security/cve/CVE-2021-25293/", }, { category: "self", summary: "SUSE CVE CVE-2021-27921 page", url: "https://www.suse.com/security/cve/CVE-2021-27921/", }, { category: "self", summary: "SUSE CVE CVE-2021-27922 page", url: "https://www.suse.com/security/cve/CVE-2021-27922/", }, { category: "self", summary: "SUSE CVE CVE-2021-27923 page", url: "https://www.suse.com/security/cve/CVE-2021-27923/", }, { category: "self", summary: "SUSE CVE CVE-2021-28675 page", url: "https://www.suse.com/security/cve/CVE-2021-28675/", }, { category: "self", summary: "SUSE CVE CVE-2021-28676 page", url: "https://www.suse.com/security/cve/CVE-2021-28676/", }, { category: "self", summary: "SUSE CVE CVE-2021-28677 page", url: "https://www.suse.com/security/cve/CVE-2021-28677/", }, { category: "self", summary: "SUSE CVE CVE-2021-28678 page", url: "https://www.suse.com/security/cve/CVE-2021-28678/", }, ], title: "Security update for python-Pillow", tracking: { current_release_date: "2021-06-10T08:49:07Z", generator: { date: "2021-06-10T08:49:07Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2021:1938-1", initial_release_date: "2021-06-10T08:49:07Z", revision_history: [ { date: "2021-06-10T08:49:07Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python-Pillow-5.2.0-3.8.1.aarch64", product: { name: "python-Pillow-5.2.0-3.8.1.aarch64", product_id: "python-Pillow-5.2.0-3.8.1.aarch64", }, }, { category: "product_version", name: "python3-Pillow-5.2.0-3.8.1.aarch64", product: { name: "python3-Pillow-5.2.0-3.8.1.aarch64", product_id: "python3-Pillow-5.2.0-3.8.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "python-Pillow-5.2.0-3.8.1.ppc64le", product: { name: "python-Pillow-5.2.0-3.8.1.ppc64le", product_id: "python-Pillow-5.2.0-3.8.1.ppc64le", }, }, { category: "product_version", name: "python3-Pillow-5.2.0-3.8.1.ppc64le", product: { name: "python3-Pillow-5.2.0-3.8.1.ppc64le", product_id: "python3-Pillow-5.2.0-3.8.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "python-Pillow-5.2.0-3.8.1.s390x", product: { name: "python-Pillow-5.2.0-3.8.1.s390x", product_id: "python-Pillow-5.2.0-3.8.1.s390x", }, }, { category: "product_version", name: "python3-Pillow-5.2.0-3.8.1.s390x", product: { name: "python3-Pillow-5.2.0-3.8.1.s390x", product_id: "python3-Pillow-5.2.0-3.8.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "python-Pillow-5.2.0-3.8.1.x86_64", product: { name: "python-Pillow-5.2.0-3.8.1.x86_64", product_id: "python-Pillow-5.2.0-3.8.1.x86_64", }, }, { category: "product_version", name: "python3-Pillow-5.2.0-3.8.1.x86_64", product: { name: "python3-Pillow-5.2.0-3.8.1.x86_64", product_id: "python3-Pillow-5.2.0-3.8.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "SUSE OpenStack Cloud 9", product: { name: "SUSE OpenStack Cloud 9", product_id: "SUSE OpenStack Cloud 9", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud:9", }, }, }, { category: "product_name", name: "SUSE OpenStack Cloud Crowbar 9", product: { name: "SUSE OpenStack Cloud Crowbar 9", product_id: "SUSE OpenStack Cloud Crowbar 9", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud-crowbar:9", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-Pillow-5.2.0-3.8.1.x86_64 as component of SUSE OpenStack Cloud 9", product_id: "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", }, product_reference: "python-Pillow-5.2.0-3.8.1.x86_64", relates_to_product_reference: "SUSE OpenStack Cloud 9", }, { category: "default_component_of", full_product_name: { name: "python-Pillow-5.2.0-3.8.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9", product_id: "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", }, product_reference: "python-Pillow-5.2.0-3.8.1.x86_64", relates_to_product_reference: "SUSE OpenStack Cloud Crowbar 9", }, ], }, vulnerabilities: [ { cve: "CVE-2020-35653", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-35653", }, ], notes: [ { category: "general", text: "In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-35653", url: "https://www.suse.com/security/cve/CVE-2020-35653", }, { category: "external", summary: "SUSE Bug 1180834 for CVE-2020-35653", url: "https://bugzilla.suse.com/1180834", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2020-35653", }, { cve: "CVE-2020-35655", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-35655", }, ], notes: [ { category: "general", text: "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-35655", url: "https://www.suse.com/security/cve/CVE-2020-35655", }, { category: "external", summary: "SUSE Bug 1180832 for CVE-2020-35655", url: "https://bugzilla.suse.com/1180832", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2020-35655", }, { cve: "CVE-2021-25287", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25287", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25287", url: "https://www.suse.com/security/cve/CVE-2021-25287", }, { category: "external", summary: "SUSE Bug 1185805 for CVE-2021-25287", url: "https://bugzilla.suse.com/1185805", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.2, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2021-25287", }, { cve: "CVE-2021-25288", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25288", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25288", url: "https://www.suse.com/security/cve/CVE-2021-25288", }, { category: "external", summary: "SUSE Bug 1185803 for CVE-2021-25288", url: "https://bugzilla.suse.com/1185803", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2021-25288", }, { cve: "CVE-2021-25290", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25290", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25290", url: "https://www.suse.com/security/cve/CVE-2021-25290", }, { category: "external", summary: "SUSE Bug 1183105 for CVE-2021-25290", url: "https://bugzilla.suse.com/1183105", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2021-25290", }, { cve: "CVE-2021-25292", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25292", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25292", url: "https://www.suse.com/security/cve/CVE-2021-25292", }, { category: "external", summary: "SUSE Bug 1183101 for CVE-2021-25292", url: "https://bugzilla.suse.com/1183101", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2021-25292", }, { cve: "CVE-2021-25293", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-25293", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-25293", url: "https://www.suse.com/security/cve/CVE-2021-25293", }, { category: "external", summary: "SUSE Bug 1183102 for CVE-2021-25293", url: "https://bugzilla.suse.com/1183102", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2021-25293", }, { cve: "CVE-2021-27921", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-27921", }, ], notes: [ { category: "general", text: "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-27921", url: "https://www.suse.com/security/cve/CVE-2021-27921", }, { category: "external", summary: "SUSE Bug 1183110 for CVE-2021-27921", url: "https://bugzilla.suse.com/1183110", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2021-27921", }, { cve: "CVE-2021-27922", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-27922", }, ], notes: [ { category: "general", text: "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-27922", url: "https://www.suse.com/security/cve/CVE-2021-27922", }, { category: "external", summary: "SUSE Bug 1183108 for CVE-2021-27922", url: "https://bugzilla.suse.com/1183108", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2021-27922", }, { cve: "CVE-2021-27923", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-27923", }, ], notes: [ { category: "general", text: "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-27923", url: "https://www.suse.com/security/cve/CVE-2021-27923", }, { category: "external", summary: "SUSE Bug 1183107 for CVE-2021-27923", url: "https://bugzilla.suse.com/1183107", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2021-27923", }, { cve: "CVE-2021-28675", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-28675", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-28675", url: "https://www.suse.com/security/cve/CVE-2021-28675", }, { category: "external", summary: "SUSE Bug 1185804 for CVE-2021-28675", url: "https://bugzilla.suse.com/1185804", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2021-28675", }, { cve: "CVE-2021-28676", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-28676", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-28676", url: "https://www.suse.com/security/cve/CVE-2021-28676", }, { category: "external", summary: "SUSE Bug 1185786 for CVE-2021-28676", url: "https://bugzilla.suse.com/1185786", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2021-28676", }, { cve: "CVE-2021-28677", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-28677", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \\r and \\n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-28677", url: "https://www.suse.com/security/cve/CVE-2021-28677", }, { category: "external", summary: "SUSE Bug 1185785 for CVE-2021-28677", url: "https://bugzilla.suse.com/1185785", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2021-28677", }, { cve: "CVE-2021-28678", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-28678", }, ], notes: [ { category: "general", text: "An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-28678", url: "https://www.suse.com/security/cve/CVE-2021-28678", }, { category: "external", summary: "SUSE Bug 1185784 for CVE-2021-28678", url: "https://bugzilla.suse.com/1185784", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-Pillow-5.2.0-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:python-Pillow-5.2.0-3.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-06-10T08:49:07Z", details: "important", }, ], title: "CVE-2021-28678", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.