Red Hat Security Advisory 2021-4149-03 - The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities. Issues addressed include buffer over-read, buffer overflow, denial of service, and out of bounds read vulnerabilities.
2805a8b0b24491d46cede2f8a3bbcc386153411f2026d13a54bf69003bb81442-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: python-pillow security update
Advisory ID: RHSA-2021:4149-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:4149
Issue date: 2021-11-09
CVE Names: CVE-2020-35653 CVE-2020-35655 CVE-2021-25287
CVE-2021-25288 CVE-2021-25290 CVE-2021-25292
CVE-2021-25293 CVE-2021-27921 CVE-2021-27922
CVE-2021-27923 CVE-2021-28675 CVE-2021-28676
CVE-2021-28677 CVE-2021-28678 CVE-2021-34552
====================================================================
1. Summary:
An update for python-pillow is now available for Red Hat Enterprise Linux
8.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
The python-pillow packages contain a Python image processing library that
provides extensive file format support, an efficient internal
representation, and powerful image-processing capabilities.
Security Fix(es):
* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25287)
* python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25288)
* python-pillow: Negative-offset memcpy in TIFF image reader
(CVE-2021-25290)
* python-pillow: Regular expression DoS in PDF format parser
(CVE-2021-25292)
* python-pillow: Out-of-bounds read in SGI RLE image reader
(CVE-2021-25293)
* python-pillow: Excessive memory allocation in BLP image reader
(CVE-2021-27921)
* python-pillow: Excessive memory allocation in ICNS image reader
(CVE-2021-27922)
* python-pillow: Excessive memory allocation in ICO image reader
(CVE-2021-27923)
* python-pillow: Excessive memory allocation in PSD image reader
(CVE-2021-28675)
* python-pillow: Infinite loop in FLI image reader (CVE-2021-28676)
* python-pillow: Excessive CPU use in EPS image reader (CVE-2021-28677)
* python-pillow: Excessive looping in BLP image reader (CVE-2021-28678)
* python-pillow: Buffer overflow in image convert function (CVE-2021-34552)
* python-pillow: Buffer over-read in PCX image reader (CVE-2020-35653)
* python-pillow: Buffer over-read in SGI RLE image reader (CVE-2020-35655)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1915420 - CVE-2020-35653 python-pillow: Buffer over-read in PCX image reader
1915432 - CVE-2020-35655 python-pillow: Buffer over-read in SGI RLE image reader
1934685 - CVE-2021-25290 python-pillow: Negative-offset memcpy in TIFF image reader
1934699 - CVE-2021-25292 python-pillow: Regular expression DoS in PDF format parser
1934705 - CVE-2021-25293 python-pillow: Out-of-bounds read in SGI RLE image reader
1935384 - CVE-2021-27921 python-pillow: Excessive memory allocation in BLP image reader
1935396 - CVE-2021-27922 python-pillow: Excessive memory allocation in ICNS image reader
1935401 - CVE-2021-27923 python-pillow: Excessive memory allocation in ICO image reader
1958226 - CVE-2021-25287 python-pillow: Out-of-bounds read in J2K image reader
1958231 - CVE-2021-25288 python-pillow: Out-of-bounds read in J2K image reader
1958240 - CVE-2021-28675 python-pillow: Excessive memory allocation in PSD image reader
1958252 - CVE-2021-28676 python-pillow: Infinite loop in FLI image reader
1958257 - CVE-2021-28677 python-pillow: Excessive CPU use in EPS image reader
1958263 - CVE-2021-28678 python-pillow: Excessive looping in BLP image reader
1982378 - CVE-2021-34552 python-pillow: Buffer overflow in image convert function
6. Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
python-pillow-5.1.1-16.el8.src.rpm
aarch64:
python-pillow-debuginfo-5.1.1-16.el8.aarch64.rpm
python-pillow-debugsource-5.1.1-16.el8.aarch64.rpm
python3-pillow-5.1.1-16.el8.aarch64.rpm
python3-pillow-debuginfo-5.1.1-16.el8.aarch64.rpm
python3-pillow-tk-debuginfo-5.1.1-16.el8.aarch64.rpm
ppc64le:
python-pillow-debuginfo-5.1.1-16.el8.ppc64le.rpm
python-pillow-debugsource-5.1.1-16.el8.ppc64le.rpm
python3-pillow-5.1.1-16.el8.ppc64le.rpm
python3-pillow-debuginfo-5.1.1-16.el8.ppc64le.rpm
python3-pillow-tk-debuginfo-5.1.1-16.el8.ppc64le.rpm
s390x:
python-pillow-debuginfo-5.1.1-16.el8.s390x.rpm
python-pillow-debugsource-5.1.1-16.el8.s390x.rpm
python3-pillow-5.1.1-16.el8.s390x.rpm
python3-pillow-debuginfo-5.1.1-16.el8.s390x.rpm
python3-pillow-tk-debuginfo-5.1.1-16.el8.s390x.rpm
x86_64:
python-pillow-debuginfo-5.1.1-16.el8.x86_64.rpm
python-pillow-debugsource-5.1.1-16.el8.x86_64.rpm
python3-pillow-5.1.1-16.el8.x86_64.rpm
python3-pillow-debuginfo-5.1.1-16.el8.x86_64.rpm
python3-pillow-tk-debuginfo-5.1.1-16.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-35653
https://access.redhat.com/security/cve/CVE-2020-35655
https://access.redhat.com/security/cve/CVE-2021-25287
https://access.redhat.com/security/cve/CVE-2021-25288
https://access.redhat.com/security/cve/CVE-2021-25290
https://access.redhat.com/security/cve/CVE-2021-25292
https://access.redhat.com/security/cve/CVE-2021-25293
https://access.redhat.com/security/cve/CVE-2021-27921
https://access.redhat.com/security/cve/CVE-2021-27922
https://access.redhat.com/security/cve/CVE-2021-27923
https://access.redhat.com/security/cve/CVE-2021-28675
https://access.redhat.com/security/cve/CVE-2021-28676
https://access.redhat.com/security/cve/CVE-2021-28677
https://access.redhat.com/security/cve/CVE-2021-28678
https://access.redhat.com/security/cve/CVE-2021-34552
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYYre0dzjgjWX9erEAQiAhhAApI82mheNFPjobrB/aHSe8KBsTnD3bR9Y
Zvmvxyt9JpOMDw1pPwoFna/h2HbNODs/2kHXu1Gxz7W/9O7Zg4vXH855lnDuRcUe
a4QRaTdwPmGVt+HxDQf6pjh1Enq6AxMaqL/Wot1M1qZDXDqz8yoiKvKYGckRx2L0
N7CwbUG8/RHOvJQHItcSb+/A25jLrunWisLPgAiR0eviu5A5YP+IZYm1yHv3lA33
sRkCsNt33EE/FBKLzgGFD27y3RxkW49L0ATbNcRpe44ILfwT5JcsuBmC1/2uHMOU
1oUOdNZRGjIc1/RoWpgMIM0TrmovjI0ZhakQQTiD7oArzZyYQu+cZMMuvpOed7VN
GJX98gqek/geRPF5X03U42nudCvScnR+pZzuheBWA7cE0aSAr8u0K7SIdvQFPIHC
AGzzkVj04+cZoPRmISP/RQOofVoidbkDDUGUg70apwsqW2IzdVLIhIoxzWOHSkqA
551MMvX94lJNe2+rkFO63U8SVaSdejTyby1TRObQSWDXOYcCuieQLEHVqKloWH9G
jKwIi0S6/uorAY6xTRhQu5ASGbLB7UGzrNlXWHqmKwBe/MRV9/n+E7nXxoHwAlpe
38Wsror5Hlzd+gWNtgJuO/tbPYJUZ60jkkYdgWzQDJniTUaT/jv9wR49xdWZcNsk
vxHDiboi/wA=v5hM
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed