
CVE-2021-34552

2021-07-14 18:22:30
redhat.com
access.redhat.com

9.8 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.005 Low (percentile 75.4%)

A flaw was found in python-pillow. An attacker who can pass controlled parameters directly into a convert function can trigger a buffer overflow in the convert() or ImagingConvertTransparent() functions in Convert.c. The highest threat from this vulnerability is to system availability. In Red Hat Quay, a vulnerable version of python-pillow ships with quay-registry-container; however, the invoice generation feature, which is what uses python-pillow, is disabled by default. The impact for Quay has therefore been rated Moderate.
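The two checks a practitioner usually wants from this description are (a) whether the Pillow in use predates the upstream fix, and (b) a defensive pattern that never hands an attacker-controlled mode string straight to Image.convert(). The script below is an added example, not code from Red Hat, Quay or the Pillow project. The fix release used for the comparison is Pillow 8.3.0 upstream; the helper names, the ALLOWED_MODES allowlist (the target modes a hypothetical application actually needs) and the sample inputs are assumptions made for the example.

```python
"""Added example for CVE-2021-34552 (not Red Hat's or Pillow's own code).

1. is_vulnerable_version(): compares an *upstream* Pillow version against the
   8.3.0 fix release.
2. validate_convert_mode()/safe_convert(): allowlist the mode before it reaches
   Image.convert(), so attacker-controlled parameters never go into the C-level
   convert() path the advisory describes.
Assumptions: ALLOWED_MODES is what our hypothetical application needs; helper
names are ours.
"""
from importlib import metadata

# CVE-2021-34552 was fixed in Pillow 8.3.0 upstream.
FIXED_UPSTREAM = (8, 3, 0)

# Target modes this hypothetical application is allowed to request (assumption).
ALLOWED_MODES = frozenset({"1", "L", "RGB", "RGBA"})


def parse_version(version: str) -> tuple:
    """Turn '8.2.0', '8.3' or '8.3.0.post1' into a 3-tuple of leading integers."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:  # stop at the first non-numeric component ("post1", "rc1")
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version: str) -> bool:
    """True when an upstream Pillow version string predates the fix.

    Caveat: distribution packages (python-pillow on RHEL/Satellite) carry
    backported fixes under old version numbers, so for RPMs trust the errata
    or the package changelog, not this comparison.
    """
    return parse_version(version) < FIXED_UPSTREAM


def installed_pillow_version():
    """Installed Pillow version string, or None when Pillow is not installed."""
    try:
        return metadata.version("Pillow")
    except metadata.PackageNotFoundError:
        return None


def validate_convert_mode(mode) -> str:
    """Reject anything outside the allowlist before convert() ever sees it."""
    if not isinstance(mode, str) or mode not in ALLOWED_MODES:
        raise ValueError(f"refusing to convert to mode {mode!r}")
    return mode


def safe_convert(image, requested_mode):
    """Convert a PIL.Image.Image only to an allowlisted target mode."""
    return image.convert(validate_convert_mode(requested_mode))


if __name__ == "__main__":
    ver = installed_pillow_version()
    if ver is None:
        print("Pillow is not installed in this interpreter")
    else:
        state = "predates upstream fix" if is_vulnerable_version(ver) else "at or after upstream fix"
        print(f"Pillow {ver}: {state}")
    # Constructed sample inputs: one legitimate mode, two hostile strings.
    for candidate in ("RGB", "RGBA;16", "../../etc/passwd"):
        try:
            print(candidate, "->", validate_convert_mode(candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```

On an RPM-based host the version comparison is only a hint: check whether the package is still present with `rpm -q python-pillow`, and look for the CVE in the package changelog with `rpm -q --changelog python-pillow` rather than reading the upstream version number.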

Mitigation

To mitigate this flaw on Red Hat Quay, keep the invoice generation feature disabled, as it is by default.

Red Hat Satellite 6.9 customers can apply the following hotfix to eliminate the vulnerability warnings:

  • Stop services:

satellite-maintain service stop

  • Upgrade python2-daemon and remove the affected package:

rpm -Uvh python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm

yum remove python-pillow

  • Restart services:

satellite-maintain service start

A future Satellite 6.10 release will also fix this.
