Ubuntu Security Notice 4272-1 - It was discovered that Pillow incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service. It was discovered that Pillow incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. It was discovered that Pillow incorrectly handled certain TIFF images. An attacker could possibly use this issue to cause a crash. This issue only affected Ubuntu 19.10. Various other issues were also addressed.
a2d877c631b714e8902eee8ea0e5823efaabf23295ff8d2d0460d5627d440e10
=========================================================================
Ubuntu Security Notice USN-4272-1
February 06, 2020
pillow vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in Pillow.
Software Description:
- pillow: Python Imaging Library
Details:
It was discovered that Pillow incorrectly handled certain images.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2019-16865, CVE-2019-19911)
It was discovered that Pillow incorrectly handled certain images.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-5312)
It was discovered that Pillow incorrectly handled certain TIFF images.
An attacker could possibly use this issue to cause a crash. This issue
only affected Ubuntu 19.10. (CVE-2020-5310)
It was discovered that Pillow incorrectly handled certain SGI images.
An attacker could possibly use this issue to execute arbitrary code or
cause a crash. This issue only affected Ubuntu 18.04 and Ubuntu 19.10.
(CVE-2020-5311)
It was discovered that Pillow incorrectly handled certain PCX images.
An attackter could possibly use this issue to execute arbitrary code or
cause a crash. (CVE-2020-5312)
It was discovered that Pillow incorrectly handled certain Flip images.
An attacker could possibly use this issue to execute arbitrary code or
cause a crash. (CVE-2020-5313)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.10:
python-pil 6.1.0-1ubuntu0.2
python3-pil 6.1.0-1ubuntu0.2
Ubuntu 18.04 LTS:
python-pil 5.1.0-1ubuntu0.2
python3-pil 5.1.0-1ubuntu0.2
Ubuntu 16.04 LTS:
python-imaging 3.1.2-0ubuntu1.3
python-pil 3.1.2-0ubuntu1.3
python3-pil 3.1.2-0ubuntu1.3
Ubuntu 14.04 ESM:
python-imaging 2.3.0-1ubuntu3.4+esm1
python-pil 2.3.0-1ubuntu3.4+esm1
python3-imaging 2.3.0-1ubuntu3.4+esm1
python3-pil 2.3.0-1ubuntu3.4+esm1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4272-1
CVE-2019-16865, CVE-2019-19911, CVE-2020-5310, CVE-2020-5311,
CVE-2020-5312, CVE-2020-5313
Package Information:
https://launchpad.net/ubuntu/+source/pillow/6.1.0-1ubuntu0.2
https://launchpad.net/ubuntu/+source/pillow/5.1.0-1ubuntu0.2
https://launchpad.net/ubuntu/+source/pillow/3.1.2-0ubuntu1.3