Security update for python-Pillow SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1607-1 Final 1 1 2024-05-10T16:35:22Z current 2024-05-10T16:35:22Z 2024-05-10T16:35:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-Pillow This update for python-Pillow fixes the following issues: - CVE-2021-25287: out-of-bounds read in J2kDecode in j2ku_graya_la (bsc#1185805) - CVE-2021-25288: out-of-bounds read in J2kDecode in j2ku_gray_i (bsc#1185803) - CVE-2021-28675: DoS in PsdImagePlugin (bsc#1185804) - CVE-2021-28676: infinite loop in FliDecode.c can lead to DoS (bsc#1185786) - CVE-2021-28677: DoS in the open phase via a malicious EPS file (bsc#1185785) - CVE-2021-28678: improper check in BlpImagePlugin can lead to DoS (bsc#1185784) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1607,openSUSE-SLE-15.5-2024-1607 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241607-1/ Link for SUSE-SU-2024:1607-1 https://lists.suse.com/pipermail/sle-updates/2024-May/035237.html E-Mail link for SUSE-SU-2024:1607-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1185784 SUSE Bug 1185784 https://bugzilla.suse.com/1185785 SUSE Bug 1185785 https://bugzilla.suse.com/1185786 SUSE Bug 1185786 https://bugzilla.suse.com/1185803 SUSE Bug 1185803 https://bugzilla.suse.com/1185804 SUSE Bug 1185804 https://bugzilla.suse.com/1185805 SUSE Bug 1185805 https://www.suse.com/security/cve/CVE-2021-25287/ SUSE CVE CVE-2021-25287 page https://www.suse.com/security/cve/CVE-2021-25288/ SUSE CVE CVE-2021-25288 page https://www.suse.com/security/cve/CVE-2021-28675/ SUSE CVE CVE-2021-28675 page https://www.suse.com/security/cve/CVE-2021-28676/ SUSE CVE CVE-2021-28676 page https://www.suse.com/security/cve/CVE-2021-28677/ SUSE CVE CVE-2021-28677 page https://www.suse.com/security/cve/CVE-2021-28678/ SUSE CVE CVE-2021-28678 page openSUSE Leap 15.5 python3-Pillow-7.2.0-150300.3.12.1 python3-Pillow-tk-7.2.0-150300.3.12.1 python3-Pillow-7.2.0-150300.3.12.1 as a component of openSUSE Leap 15.5 python3-Pillow-tk-7.2.0-150300.3.12.1 as a component of openSUSE Leap 15.5 An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. CVE-2021-25287 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241607-1/ https://www.suse.com/security/cve/CVE-2021-25287.html CVE-2021-25287 https://bugzilla.suse.com/1185805 SUSE Bug 1185805 An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. CVE-2021-25288 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241607-1/ https://www.suse.com/security/cve/CVE-2021-25288.html CVE-2021-25288 https://bugzilla.suse.com/1185803 SUSE Bug 1185803 An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. CVE-2021-28675 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241607-1/ https://www.suse.com/security/cve/CVE-2021-28675.html CVE-2021-28675 https://bugzilla.suse.com/1185804 SUSE Bug 1185804 An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. CVE-2021-28676 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241607-1/ https://www.suse.com/security/cve/CVE-2021-28676.html CVE-2021-28676 https://bugzilla.suse.com/1185786 SUSE Bug 1185786 An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. CVE-2021-28677 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241607-1/ https://www.suse.com/security/cve/CVE-2021-28677.html CVE-2021-28677 https://bugzilla.suse.com/1185785 SUSE Bug 1185785 An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. CVE-2021-28678 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241607-1/ https://www.suse.com/security/cve/CVE-2021-28678.html CVE-2021-28678 https://bugzilla.suse.com/1185784 SUSE Bug 1185784