Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0206.2
USN-4697-1: Pillow vulnerabilities
21 January 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Pillow
Publisher: Ubuntu
Operating System: Ubuntu
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-35655 CVE-2020-35654 CVE-2020-35653
Original Bulletin:
https://ubuntu.com/security/notices/USN-4697-1
https://ubuntu.com/security/notices/USN-4697-2
Comment: This bulletin contains two (2) Ubuntu security advisories.
This advisory references vulnerabilities in products which run on
platforms other than Ubuntu. It is recommended that administrators
running Pillow check for an updated version of the software for
their operating system.
Revision History: January 21 2021: Vendor released corresponding update for Ubuntu 14.04 ESM USN-4697-2
January 19 2021: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
USN-4697-1: Pillow vulnerabilities
18 January 2021
Pillow could be made to crash or run programs as your login if it opened a
specially crafted file.
Releases
o Ubuntu 20.10
o Ubuntu 20.04 LTS
o Ubuntu 18.04 LTS
o Ubuntu 16.04 LTS
Packages
o pillow - Python Imaging Library
Details
It was discovered that Pillow incorrectly handled certain PCX image files.
If a user or automated system were tricked into opening a specially-crafted
PCX file, a remote attacker could possibly cause Pillow to crash,
resulting in a denial of service. (CVE-2020-35653)
It was discovered that Pillow incorrectly handled certain Tiff image files.
If a user or automated system were tricked into opening a specially-crafted
Tiff file, a remote attacker could cause Pillow to crash, resulting in a
denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 20.04 LTS and Ubuntu 20.10. (CVE-2020-35654)
It was discovered that Pillow incorrectly handled certain SGI image files.
If a user or automated system were tricked into opening a specially-crafted
SGI file, a remote attacker could possibly cause Pillow to crash,
resulting in a denial of service. This issue only affected Ubuntu 18.04
LTS, Ubuntu 20.04 LTS, and Ubuntu 20.10. (CVE-2020-35655)
Update instructions
The problem can be corrected by updating your system to the following package
versions:
Ubuntu 20.10
o python3-pil - 7.2.0-1ubuntu0.1
Ubuntu 20.04
o python3-pil - 7.0.0-4ubuntu0.2
Ubuntu 18.04
o python-pil - 5.1.0-1ubuntu0.4
o python3-pil - 5.1.0-1ubuntu0.4
Ubuntu 16.04
o python-pil - 3.1.2-0ubuntu1.5
o python3-pil - 3.1.2-0ubuntu1.5
In general, a standard system update will make all the necessary changes.
References
o CVE-2020-35655
o CVE-2020-35654
o CVE-2020-35653
- -------------------------------------------------------------------------------
USN-4697-2: Pillow vulnerabilities
20 January 2021
Pillow could be made to crash or run programs as your login if it opened a
specially crafted file.
Releases
o Ubuntu 14.04 ESM
Packages
o pillow - Python Imaging Library
Details
USN-4697-1 fixed several vulnerabilities in Pillow. This update provides
the corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that Pillow incorrectly handled certain PCX image files.
If a user or automated system were tricked into opening a specially-crafted
PCX file, a remote attacker could possibly cause Pillow to crash,
resulting in a denial of service. ( CVE-2020-35653 )
It was discovered that Pillow incorrectly handled certain image files. If
a user or automated system were tricked into opening a specially-crafted
image file, a remote attacker could possibly cause Pillow to crash,
resulting in a denial of service. ( CVE-2020-10177 )
Update instructions
The problem can be corrected by updating your system to the following package
versions:
Ubuntu 14.04
o python-pil - 2.3.0-1ubuntu3.4+esm2
o python3-pil - 2.3.0-1ubuntu3.4+esm2
In general, a standard system update will make all the necessary changes.
References
o CVE-2020-10177
o CVE-2020-35653
Related notices
o USN-4430-1 : python3-pil, python-pil, pillow
o USN-4697-1 : python3-pil, python-pil, pillow
o USN-4430-2 : python3-pil, pillow
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYAkFNONLKJtyKPYoAQgHUw/9EjMRgcB8DboTXVS/9PRSEwamUZKwKZHB
pXLvZMCkMo7EUgVHaeS0TDE7DRBQC4uDrkGM0H6jKcGlAzDahhkvo0+L9bsrQoTa
1BteQDyVttCHTCmAPp36x/a+BSD4Whk0ZYLRVJj06ihdMY8pmUkGc8VX+0HM0fxX
OTrjgbJ8xTMhmorFSnHIq5Lz1QzgE9/rpZKufY9lvp2Oa4YKBDXTdOr4Dw+lTmaE
2CdbJihlVqyDbwWE3kHu77i7/In4uaFzeEJh2lQpsA1mIUGUiBDwGhMZyJq8Aj1N
25MPKW0lW27j1mUQgJB1EAjxZyWEskouxYP3hyIP2Q9akNbXiWtP4sFJwMb3LjDd
jrjpLgCl37RCVTdJIyLOxNQYHqzJpsTFOQQLvHqLB9R8r6zIC44+VeeqvlxJF65j
hFARPkQ1QoUxmfuMG5jkVSdcMotPZCP2me65zWjHYsdwUZ2V5dGWELFgzHcRXBHR
bdIHdA5YS84UZCw1NEjf2znmksaoQabcXxW5FCoSIf1o5WRHsAgish3PpMrGx4II
0gLzzWGXULhgsyzYFPiVnuIfDPrYloRDaI/5MXZraPq1jsb7pAMH9wnMUB/B08P3
vUqSqmT24vou+cVnEPq+9Mm9pODs02DwNZAHUkG7pO3DAZxqil5jT40684sup9w6
XXHsqNRvC2I=
=0tnQ
-----END PGP SIGNATURE-----