[SECURITY] [DLA 422-1] python-imaging security update

2016-02-2114:05:06

lists.debian.org

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

85.9%

JSON

Package : python-imaging
Version : 1.1.7-2+deb6u2
CVE ID : CVE-2016-0775
Debian Bug : 813909

Two buffer overflows were discovered in python-imaging, a Python
library for loading and manipulating image files, which may lead to
the execution of arbitrary code.

CVE-2016-0775
Buffer overflow in FliDecode.c

The second buffer overflow was in PcdDecode.c. A CVE identifier has
not been assigned yet.

For Debian 6 "Squeeze", these problems have been fixed in version
1.1.7-2+deb6u2.

We recommend that you upgrade your python-imaging packages.

OSVersionArchitecturePackageVersionFilename
Debian8armhfpython3-pil< 2.6.1-2+deb8u2python3-pil_2.6.1-2+deb8u2_armhf.deb
Debian7mipselpython-imaging-dbg< 1.1.7-4+deb7u2python-imaging-dbg_1.1.7-4+deb7u2_mipsel.deb
Debian7mipselpython-imaging-sane< 1.1.7-4+deb7u2python-imaging-sane_1.1.7-4+deb7u2_mipsel.deb
Debian8kfreebsd-amd64python-sane< 2.6.1-2+deb8u2python-sane_2.6.1-2+deb8u2_kfreebsd-amd64.deb
Debian8ppc64elpython-pil.imagetk-dbg< 2.6.1-2+deb8u2python-pil.imagetk-dbg_2.6.1-2+deb8u2_ppc64el.deb
Debian8kfreebsd-amd64python3-pil.imagetk< 2.6.1-2+deb8u2python3-pil.imagetk_2.6.1-2+deb8u2_kfreebsd-amd64.deb
Debian8armhfpython-pil.imagetk-dbg< 2.6.1-2+deb8u2python-pil.imagetk-dbg_2.6.1-2+deb8u2_armhf.deb
Debian7powerpcpython-imaging-sane< 1.1.7-4+deb7u2python-imaging-sane_1.1.7-4+deb7u2_powerpc.deb
Debian8armelpython3-pil< 2.6.1-2+deb8u2python3-pil_2.6.1-2+deb8u2_armel.deb
Debian8amd64python-pil.imagetk< 2.6.1-2+deb8u2python-pil.imagetk_2.6.1-2+deb8u2_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	armhf	python3-pil	< 2.6.1-2+deb8u2	python3-pil_2.6.1-2+deb8u2_armhf.deb
Debian	7	mipsel	python-imaging-dbg	< 1.1.7-4+deb7u2	python-imaging-dbg_1.1.7-4+deb7u2_mipsel.deb
Debian	7	mipsel	python-imaging-sane	< 1.1.7-4+deb7u2	python-imaging-sane_1.1.7-4+deb7u2_mipsel.deb
Debian	8	kfreebsd-amd64	python-sane	< 2.6.1-2+deb8u2	python-sane_2.6.1-2+deb8u2_kfreebsd-amd64.deb
Debian	8	ppc64el	python-pil.imagetk-dbg	< 2.6.1-2+deb8u2	python-pil.imagetk-dbg_2.6.1-2+deb8u2_ppc64el.deb
Debian	8	kfreebsd-amd64	python3-pil.imagetk	< 2.6.1-2+deb8u2	python3-pil.imagetk_2.6.1-2+deb8u2_kfreebsd-amd64.deb
Debian	8	armhf	python-pil.imagetk-dbg	< 2.6.1-2+deb8u2	python-pil.imagetk-dbg_2.6.1-2+deb8u2_armhf.deb
Debian	7	powerpc	python-imaging-sane	< 1.1.7-4+deb7u2	python-imaging-sane_1.1.7-4+deb7u2_powerpc.deb
Debian	8	armel	python3-pil	< 2.6.1-2+deb8u2	python3-pil_2.6.1-2+deb8u2_armel.deb
Debian	8	amd64	python-pil.imagetk	< 2.6.1-2+deb8u2	python-pil.imagetk_2.6.1-2+deb8u2_amd64.deb