SUSE-SU-2020:2057-1

Source
https://www.suse.com/support/update/announcement/2020/suse-su-20202057-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2020:2057-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2020:2057-1
Published
2020-07-27T20:26:47Z
Modified
2020-07-27T20:26:47Z
Summary
Security update for python-Pillow
Details

This update for python-Pillow fixes the following issues:

  • Add 0019-FLI-overflow-error-fix-and-testcase.patch
    • Fixes CVE-2016-0775, bsc#965582
  • Add 0020-Fix-OOB-reads-in-FLI-decoding.patch
    • Fixes CVE-2020-10177, bsc#1173413
  • Add 0021-Fix-bounds-overflow-in-JPEG-2000-decoding.patch
    • Fixes CVE-2020-10994, bsc#1173418
  • Add 0022-Fix-bounds-overflow-in-PCX-decoding.patch
    • Fixes CVE-2020-10378, bsc#1173416
  • Add 0008-Corrected-negative-seeks.patch
    • Fixes part of CVE-2019-16865, bsc#1153191
  • Add 0009-Make-Image.crop-an-immediate-operation.patch
    • Fixes https://github.com/python-pillow/Pillow/issues/1077
    • Used by 0012-Added-decompression-bomb-checks.patch
  • Add 0010-Crop-decompression.patch
    • Used by 0012-Added-decompression-bomb-checks.patch
  • Add 0011-Added-DecompressionBombError.patch
    • Used by 0012-Added-decompression-bomb-checks.patch
  • Add 0012-Added-decompression-bomb-checks.patch
    • Fixes part of CVE-2019-16865, bsc#1153191
  • Add 0013-Raise-error-if-dimension-is-a-string.patch
    • Fixes part of CVE-2019-16865, bsc#1153191
  • Add 0014-Catch-buffer-overruns.patch
    • Fixes part of CVE-2019-16865, bsc#1153191
  • Add 0015-Catch-PCX-P-mode-buffer-overrun.patch
    • Fixes CVE-2020-5312, bsc#1160152
  • Add 0016-Ensure-previous-FLI-frame-is-loaded.patch
    • Fixes https://github.com/python-pillow/Pillow/issues/2649
    • Uncovers CVE-2020-5313, bsc#1160153
  • Add 0017-Catch-FLI-buffer-overrun.patch
    • Fixes CVE-2020-5313, bsc#1160153
  • Add 018-Invalid-number-of-bands-in-FPX-image.patch
    • Fixes CVE-2019-19911, bsc#1160192
Affected packages

SUSE:Enterprise Storage 5 / python-Pillow

Package

Name
python-Pillow
Purl
purl:rpm/suse/python-Pillow&distro=SUSE%20Enterprise%20Storage%205

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.8.1-3.9.1

Ecosystem specific

{
    "binaries": [
        {
            "python-Pillow": "2.8.1-3.9.1"
        }
    ]
}