user/py3-pillow: multiple vulnerabilities
| Bugzilla ID | 320 |
| Alias(es) | CVE-2020-10177, CVE-2020-10378, CVE-2020-10379, CVE-2020-10994, CVE-2020-11538 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-07-03 15:39:10 -0500 |
| Modified | 2020-07-03 15:39:10 -0500 |
| Status | UNCONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | user/py3-pillow |
Description
CVE-2020-10177: https://nvd.nist.gov/vuln/detail/CVE-2020-10177
Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds
reads in libImaging/FliDecode.c.
Fixed in >= 6.2.3 & 7.1.0
https://github.com/python-pillow/Pillow/pull/4503
CVE-2020-10378: https://nvd.nist.gov/vuln/detail/CVE-2020-10378
In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1,
an out-of-bounds read can occur when reading PCX files where
state->shuffle is instructed to read beyond state->buffer.
Fixed in >= 6.2.3 & 7.1.0
https://github.com/python-pillow/Pillow/pull/4538
CVE-2020-10379: https://nvd.nist.gov/vuln/detail/CVE-2020-10379
In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer
Overflows in libImaging/TiffDecode.c.
Fixed in >= 6.2.3 & 7.1.0
https://github.com/python-pillow/Pillow/pull/4538
CVE-2020-10994: https://nvd.nist.gov/vuln/detail/CVE-2020-10994
In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are
multiple out-of-bounds reads via a crafted JP2 file.
Fixed in >= 7.1.0
https://github.com/python-pillow/Pillow/pull/4505
CVE-2020-11538: https://nvd.nist.gov/vuln/detail/CVE-2020-11538
In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of
out-of-bounds reads exist in the parsing of SGI image files, a
different issue than CVE-2020-5311.
Fixed in >= 7.1.0
https://github.com/python-pillow/Pillow/pull/4504