Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArchLinuxASA-202101-11
HistoryJan 12, 2021 - 12:00 a.m.

[ASA-202101-11] python-pillow: multiple issues

2021-01-1200:00:00
security.archlinux.org
122

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

59.9%

JSON

Arch Linux Security Advisory ASA-202101-11

Severity: Medium
Date : 2021-01-12
CVE-ID : CVE-2020-35653 CVE-2020-35654 CVE-2020-35655
Package : python-pillow
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-1438

Summary

The package python-pillow before version 8.1.0-1 is vulnerable to
multiple issues including arbitrary code execution, information
disclosure and denial of service.

Resolution

Upgrade to 8.1.0-1.

pacman -Syu “python-pillow>=8.1.0-1”

The problems have been fixed upstream in version 8.1.0.

Workaround

None.

Description

  • CVE-2020-35653 (information disclosure)

In python-pillow before 8.1.0, PcxDecode has a buffer over-read when
decoding a crafted PCX file because the user-supplied stride value is
trusted for buffer calculations.

  • CVE-2020-35654 (arbitrary code execution)

In python-pillow before 8.1.0, TiffDecode has a heap-based buffer
overflow when decoding crafted YCbCr files because of certain
interpretation conflicts with LibTIFF in RGBA mode.

  • CVE-2020-35655 (denial of service)

In python-pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-
read when decoding crafted SGI RLE image files because offsets and
length tables are mishandled.

Impact

A local malicious user might craft a malformed file to execute
arbitrary code, read from memory or crash the application.

References

https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security
https://github.com/python-pillow/Pillow/pull/5174
https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
https://github.com/python-pillow/Pillow/pull/5175
https://github.com/python-pillow/Pillow/commit/eb8c1206d6b170d4e798a00db7432e023853da5c
https://github.com/python-pillow/Pillow/commit/45a62e91b1f72e79989a7919af97b062dc8dfaf4
https://github.com/python-pillow/Pillow/pull/5173
https://github.com/python-pillow/Pillow/commit/7e95c63fa7f503f185d3d9eb16b9cee1e54d1e46
https://github.com/python-pillow/Pillow/commit/9a2c9f722f78773e608d44710873437baf3f17d1
https://security.archlinux.org/CVE-2020-35653
https://security.archlinux.org/CVE-2020-35654
https://security.archlinux.org/CVE-2020-35655

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanypython-pillow< 8.1.0-1UNKNOWN

Related

nessus 33
fedora 8
gentoo 1
osv 21
ubuntu 2
prion 4
github 4
redhatcve 4
ubuntucve 4
alpinelinux 4
veracode 4
debiancve 4
cve 4
cnvd 1
f5 1
suse 1
debian 1
rocky 1
almalinux 1
redhat 2
amazon 1
rosalinux 1
nessus
nessus
GLSA-202101-08 : Pillow: Multiple vulnerabilities
2021-01-12 00:00:00
Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Pillow vulnerabilities (USN-4697-1)
2021-01-18 00:00:00
Fedora 32 : python-pillow (2021-880aa7bd27)
2021-01-25 00:00:00
fedora
fedora
[SECURITY] Fedora 32 Update: python-pillow-7.0.0-5.fc32
2021-01-24 01:23:46
[SECURITY] Fedora 33 Update: mingw-python-pillow-7.2.0-3.fc33
2021-01-21 01:47:28
[SECURITY] Fedora 33 Update: python-pillow-7.2.0-3.fc33
2021-01-21 01:47:29
gentoo
gentoo
Pillow: Multiple vulnerabilities
2021-01-11 00:00:00
osv
osv
pillow vulnerabilities
2021-01-18 17:22:28
CVE-2020-35655
2021-01-12 09:15:13
BIT-pillow-2020-35654
2024-03-06 11:06:24
ubuntu
ubuntu
Pillow vulnerabilities
2021-01-18 00:00:00
Pillow vulnerabilities
2021-01-20 00:00:00
prion
prion
Heap overflow
2021-01-12 09:15:00
Buffer overflow
2021-01-12 09:15:00
Buffer overflow
2021-01-12 09:15:00
github
github
Pillow Out-of-bounds Read
2021-03-18 19:55:34
Pillow Out-of-bounds Write
2021-03-18 19:55:27
Pillow Out-of-bounds Read
2021-03-18 19:55:41
redhatcve
redhatcve
CVE-2020-35653
2021-01-12 16:20:06
CVE-2020-35655
2021-01-12 16:20:06
CVE-2020-35654
2021-01-12 16:20:23
ubuntucve
ubuntucve
CVE-2020-35655
2021-01-12 00:00:00
CVE-2020-35654
2021-01-12 00:00:00
CVE-2020-35653
2021-01-12 00:00:00
alpinelinux
alpinelinux
CVE-2020-35655
2021-01-12 09:15:00
CVE-2020-35653
2021-01-12 09:15:00
CVE-2020-35654
2021-01-12 09:15:00
veracode
veracode
Denial Of Service (DoS)
2021-01-15 06:17:47
Denial Of Service (DoS)
2021-01-13 05:03:46
Denial Of Service (DoS)
2021-01-13 03:41:47
debiancve
debiancve
CVE-2020-35655
2021-01-12 09:15:00
CVE-2020-35653
2021-01-12 09:15:00
CVE-2020-35654
2021-01-12 09:15:00
cve
cve
CVE-2020-35655
2021-01-12 09:15:00
CVE-2020-35653
2021-01-12 09:15:00
CVE-2020-35654
2021-01-12 09:15:00
cnvd
cnvd
Pillow Buffer Overflow Vulnerability (CNVD-2021-54038)
2021-01-14 00:00:00
f5
f5
K14102355 : Python Pillow vulnerability CVE-2021-25289
2021-06-03 00:00:00
suse
suse
Security update for python-CairoSVG, python-Pillow (moderate)
2021-08-10 00:00:00
debian
debian
[SECURITY] [DLA 2716-1] pillow security update
2021-07-22 11:17:53
rocky
rocky
python-pillow security update
2021-11-09 08:24:34
almalinux
almalinux
Moderate: python-pillow security update
2021-11-09 08:24:34
redhat
redhat
(RHSA-2021:4149) Moderate: python-pillow security update
2021-11-09 08:24:34
(RHSA-2021:3917) Important: Red Hat Quay v3.6.0 security, bug fix and enhancement update
2021-10-19 12:05:33
amazon
amazon
Important: python-pillow
2023-06-05 16:39:00
rosalinux
rosalinux
Advisory ROSA-SA-2021-1957
2021-07-02 18:03:40

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

59.9%

JSON
Related for ASA-202101-11
nessus33fedora8gentoo1osv21ubuntu2prion4github4redhatcve4ubuntucve4alpinelinux4veracode4debiancve4cve4cnvd1f51suse1debian1rocky1almalinux1redhat2amazon1rosalinux1