python36-Pillow-8.3.2-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11209 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python36-Pillow-8.3.2-1.2 on GA media These are all security issues fixed in the python36-Pillow-8.3.2-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11209 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11209 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2014-3589/ SUSE CVE CVE-2014-3589 page https://www.suse.com/security/cve/CVE-2014-3598/ SUSE CVE CVE-2014-3598 page https://www.suse.com/security/cve/CVE-2016-0740/ SUSE CVE CVE-2016-0740 page https://www.suse.com/security/cve/CVE-2016-0775/ SUSE CVE CVE-2016-0775 page https://www.suse.com/security/cve/CVE-2016-3076/ SUSE CVE CVE-2016-3076 page https://www.suse.com/security/cve/CVE-2020-15999/ SUSE CVE CVE-2020-15999 page https://www.suse.com/security/cve/CVE-2020-35653/ SUSE CVE CVE-2020-35653 page https://www.suse.com/security/cve/CVE-2020-35654/ SUSE CVE CVE-2020-35654 page https://www.suse.com/security/cve/CVE-2020-35655/ SUSE CVE CVE-2020-35655 page https://www.suse.com/security/cve/CVE-2021-23437/ SUSE CVE CVE-2021-23437 page https://www.suse.com/security/cve/CVE-2021-25289/ SUSE CVE CVE-2021-25289 page https://www.suse.com/security/cve/CVE-2021-25290/ SUSE CVE CVE-2021-25290 page https://www.suse.com/security/cve/CVE-2021-25291/ SUSE CVE CVE-2021-25291 page https://www.suse.com/security/cve/CVE-2021-25292/ SUSE CVE CVE-2021-25292 page https://www.suse.com/security/cve/CVE-2021-25293/ SUSE CVE CVE-2021-25293 page https://www.suse.com/security/cve/CVE-2021-27921/ SUSE CVE CVE-2021-27921 page https://www.suse.com/security/cve/CVE-2021-34552/ SUSE CVE CVE-2021-34552 page openSUSE Tumbleweed python36-Pillow-8.3.2-1.2 python36-Pillow-tk-8.3.2-1.2 python38-Pillow-8.3.2-1.2 python38-Pillow-tk-8.3.2-1.2 python39-Pillow-8.3.2-1.2 python39-Pillow-tk-8.3.2-1.2 python36-Pillow-8.3.2-1.2 as a component of openSUSE Tumbleweed python36-Pillow-tk-8.3.2-1.2 as a component of openSUSE Tumbleweed python38-Pillow-8.3.2-1.2 as a component of openSUSE Tumbleweed python38-Pillow-tk-8.3.2-1.2 as a component of openSUSE Tumbleweed python39-Pillow-8.3.2-1.2 as a component of openSUSE Tumbleweed python39-Pillow-tk-8.3.2-1.2 as a component of openSUSE Tumbleweed PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size. CVE-2014-3589 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3589.html CVE-2014-3589 https://bugzilla.suse.com/921566 SUSE Bug 921566 The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image. CVE-2014-3598 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3598.html CVE-2014-3598 https://bugzilla.suse.com/921566 SUSE Bug 921566 Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file. CVE-2016-0740 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-0740.html CVE-2016-0740 https://bugzilla.suse.com/965579 SUSE Bug 965579 https://bugzilla.suse.com/965582 SUSE Bug 965582 Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file. CVE-2016-0775 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-0775.html CVE-2016-0775 https://bugzilla.suse.com/965579 SUSE Bug 965579 https://bugzilla.suse.com/965582 SUSE Bug 965582 Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file. CVE-2016-3076 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3076.html CVE-2016-3076 https://bugzilla.suse.com/973786 SUSE Bug 973786 Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-15999 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15999.html CVE-2020-15999 https://bugzilla.suse.com/1177914 SUSE Bug 1177914 https://bugzilla.suse.com/1177936 SUSE Bug 1177936 https://bugzilla.suse.com/1178824 SUSE Bug 1178824 https://bugzilla.suse.com/1178894 SUSE Bug 1178894 In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. CVE-2020-35653 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35653.html CVE-2020-35653 https://bugzilla.suse.com/1180834 SUSE Bug 1180834 In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. CVE-2020-35654 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35654.html CVE-2020-35654 https://bugzilla.suse.com/1180833 SUSE Bug 1180833 https://bugzilla.suse.com/1183103 SUSE Bug 1183103 In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled. CVE-2020-35655 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35655.html CVE-2020-35655 https://bugzilla.suse.com/1180832 SUSE Bug 1180832 The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. CVE-2021-23437 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23437.html CVE-2021-23437 https://bugzilla.suse.com/1190229 SUSE Bug 1190229 An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. CVE-2021-25289 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-25289.html CVE-2021-25289 https://bugzilla.suse.com/1183103 SUSE Bug 1183103 An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size. CVE-2021-25290 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-25290.html CVE-2021-25290 https://bugzilla.suse.com/1183105 SUSE Bug 1183105 An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. CVE-2021-25291 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-25291.html CVE-2021-25291 https://bugzilla.suse.com/1183106 SUSE Bug 1183106 An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. CVE-2021-25292 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-25292.html CVE-2021-25292 https://bugzilla.suse.com/1183101 SUSE Bug 1183101 An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c. CVE-2021-25293 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-25293.html CVE-2021-25293 https://bugzilla.suse.com/1183102 SUSE Bug 1183102 Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. CVE-2021-27921 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-27921.html CVE-2021-27921 https://bugzilla.suse.com/1183110 SUSE Bug 1183110 Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c. CVE-2021-34552 openSUSE Tumbleweed:python36-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python36-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python38-Pillow-tk-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-8.3.2-1.2 openSUSE Tumbleweed:python39-Pillow-tk-8.3.2-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-34552.html CVE-2021-34552 https://bugzilla.suse.com/1188574 SUSE Bug 1188574