Security update for python-Pillow SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1673-1 Final 1 1 2024-05-17T07:30:17Z current 2024-05-17T07:30:17Z 2024-05-17T07:30:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-Pillow This update for python-Pillow fixes the following issues: - Fixed ImagePath.Path array handling (bsc#1194552, CVE-2022-22815, bsc#1194551, CVE-2022-22816) - Use snprintf instead of sprintf (bsc#1188574, CVE-2021-34552) - Fix Memory DOS in Icns, Ico and Blp Image Plugins. (bsc#1183110, CVE-2021-27921, bsc#1183108, CVE-2021-27922, bsc#1183107, CVE-2021-27923) - Fix OOB read in SgiRleDecode.c (bsc#1183102, CVE-2021-25293) - Use more specific regex chars to prevent ReDoS (bsc#1183101, CVE-2021-25292) - Fix negative size read in TiffDecode.c (bsc#1183105, CVE-2021-25290) - Raise ValueError if color specifier is too long (bsc#1190229, CVE-2021-23437) - Incorrect error code checking in TiffDecode.c (bsc#1183103, CVE-2021-25289) - OOB Write in TiffDecode.c (bsc#1180833, CVE-2020-35654) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1673,openSUSE-SLE-15.5-2024-1673 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ Link for SUSE-SU-2024:1673-1 https://lists.suse.com/pipermail/sle-security-updates/2024-May/018541.html E-Mail link for SUSE-SU-2024:1673-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1180833 SUSE Bug 1180833 https://bugzilla.suse.com/1183101 SUSE Bug 1183101 https://bugzilla.suse.com/1183102 SUSE Bug 1183102 https://bugzilla.suse.com/1183103 SUSE Bug 1183103 https://bugzilla.suse.com/1183105 SUSE Bug 1183105 https://bugzilla.suse.com/1183107 SUSE Bug 1183107 https://bugzilla.suse.com/1183108 SUSE Bug 1183108 https://bugzilla.suse.com/1183110 SUSE Bug 1183110 https://bugzilla.suse.com/1188574 SUSE Bug 1188574 https://bugzilla.suse.com/1190229 SUSE Bug 1190229 https://bugzilla.suse.com/1194551 SUSE Bug 1194551 https://bugzilla.suse.com/1194552 SUSE Bug 1194552 https://www.suse.com/security/cve/CVE-2020-35654/ SUSE CVE CVE-2020-35654 page https://www.suse.com/security/cve/CVE-2021-23437/ SUSE CVE CVE-2021-23437 page https://www.suse.com/security/cve/CVE-2021-25289/ SUSE CVE CVE-2021-25289 page https://www.suse.com/security/cve/CVE-2021-25290/ SUSE CVE CVE-2021-25290 page https://www.suse.com/security/cve/CVE-2021-25292/ SUSE CVE CVE-2021-25292 page https://www.suse.com/security/cve/CVE-2021-25293/ SUSE CVE CVE-2021-25293 page https://www.suse.com/security/cve/CVE-2021-27921/ SUSE CVE CVE-2021-27921 page https://www.suse.com/security/cve/CVE-2021-27922/ SUSE CVE CVE-2021-27922 page https://www.suse.com/security/cve/CVE-2021-27923/ SUSE CVE CVE-2021-27923 page https://www.suse.com/security/cve/CVE-2021-34552/ SUSE CVE CVE-2021-34552 page https://www.suse.com/security/cve/CVE-2022-22815/ SUSE CVE CVE-2022-22815 page https://www.suse.com/security/cve/CVE-2022-22816/ SUSE CVE CVE-2022-22816 page openSUSE Leap 15.5 python3-Pillow-7.2.0-150300.3.15.1 python3-Pillow-tk-7.2.0-150300.3.15.1 python3-Pillow-7.2.0-150300.3.15.1 as a component of openSUSE Leap 15.5 python3-Pillow-tk-7.2.0-150300.3.15.1 as a component of openSUSE Leap 15.5 In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. CVE-2020-35654 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.15.1 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ https://www.suse.com/security/cve/CVE-2020-35654.html CVE-2020-35654 https://bugzilla.suse.com/1180833 SUSE Bug 1180833 https://bugzilla.suse.com/1183103 SUSE Bug 1183103 The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. CVE-2021-23437 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.15.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ https://www.suse.com/security/cve/CVE-2021-23437.html CVE-2021-23437 https://bugzilla.suse.com/1190229 SUSE Bug 1190229 An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. CVE-2021-25289 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.15.1 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ https://www.suse.com/security/cve/CVE-2021-25289.html CVE-2021-25289 https://bugzilla.suse.com/1183103 SUSE Bug 1183103 An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size. CVE-2021-25290 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.15.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ https://www.suse.com/security/cve/CVE-2021-25290.html CVE-2021-25290 https://bugzilla.suse.com/1183105 SUSE Bug 1183105 An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. CVE-2021-25292 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.15.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ https://www.suse.com/security/cve/CVE-2021-25292.html CVE-2021-25292 https://bugzilla.suse.com/1183101 SUSE Bug 1183101 An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c. CVE-2021-25293 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.15.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ https://www.suse.com/security/cve/CVE-2021-25293.html CVE-2021-25293 https://bugzilla.suse.com/1183102 SUSE Bug 1183102 Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. CVE-2021-27921 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.15.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ https://www.suse.com/security/cve/CVE-2021-27921.html CVE-2021-27921 https://bugzilla.suse.com/1183110 SUSE Bug 1183110 Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. CVE-2021-27922 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.15.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ https://www.suse.com/security/cve/CVE-2021-27922.html CVE-2021-27922 https://bugzilla.suse.com/1183108 SUSE Bug 1183108 Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. CVE-2021-27923 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.15.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ https://www.suse.com/security/cve/CVE-2021-27923.html CVE-2021-27923 https://bugzilla.suse.com/1183107 SUSE Bug 1183107 Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c. CVE-2021-34552 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.15.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ https://www.suse.com/security/cve/CVE-2021-34552.html CVE-2021-34552 https://bugzilla.suse.com/1188574 SUSE Bug 1188574 path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. CVE-2022-22815 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.15.1 low 6.4 AV:N/AC:L/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ https://www.suse.com/security/cve/CVE-2022-22815.html CVE-2022-22815 https://bugzilla.suse.com/1194552 SUSE Bug 1194552 path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. CVE-2022-22816 openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.15.1 low 6.4 AV:N/AC:L/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241673-1/ https://www.suse.com/security/cve/CVE-2022-22816.html CVE-2022-22816 https://bugzilla.suse.com/1194551 SUSE Bug 1194551