Sicherheit: Mehrere Probleme in Pillow

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============1848539036958021449==
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature";
boundary="I7kaSlunIBLWRD3gp1QBhLALKQo6T2Jlb"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--I7kaSlunIBLWRD3gp1QBhLALKQo6T2Jlb
Content-Type: multipart/mixed;
boundary="8tpIiAz5TYRNIXHf3ZjLZa1EXhTLkVb5H";
protected-headers="v1"
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: "ubuntu-security-announce@lists.ubuntu.com"
<ubuntu-security-announce@lists.ubuntu.com>
Message-ID: <c945d99c-e875-e627-82d7-97e37853c5e1@canonical.com>
Subject: [USN-5227-1] Pillow vulnerabilities

--8tpIiAz5TYRNIXHf3ZjLZa1EXhTLkVb5H
Content-Type: text/plain; charset=utf-8
Content-Language: en-C
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-5227-1
January 13, 2022

pillow vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Pillow.

Software Description:
- pillow: Python Imaging Library

Details:

It was discovered that Pillow incorrectly handled certain image files. If a
user or automated system were tricked into opening a specially-crafted
file, a remote attacker could cause Pillow to hang, resulting in a denial
of service. (CVE-2021-23437)

It was discovered that Pillow incorrectly handled certain image files. If a
user or automated system were tricked into opening a specially-crafted
file, a remote attacker could cause Pillow to crash, resulting in a denial
of service. This issue ony affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and
Ubuntu 21.04. (CVE-2021-34552)

It was discovered that Pillow incorrectly handled certain image files. If a
user or automated system were tricked into opening a specially-crafted
file, a remote attacker could cause Pillow to crash, resulting in a denial
of service, or possibly execute arbitrary code. (CVE-2022-22815)

It was discovered that Pillow incorrectly handled certain image files. If a
user or automated system were tricked into opening a specially-crafted
file, a remote attacker could cause Pillow to crash, resulting in a denial
of service. (CVE-2022-22816)

It was discovered that Pillow incorrectly handled certain image files. If a
user or automated system were tricked into opening a specially-crafted
file, a remote attacker could cause Pillow to crash, resulting in a denial
of service, or possibly execute arbitrary code. (CVE-2022-22817)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
python3-pil 8.1.2+dfsg-0.3ubuntu0.1

Ubuntu 21.04:
python3-pil 8.1.2-1ubuntu0.2

Ubuntu 20.04 LTS:
python3-pil 7.0.0-4ubuntu0.5

Ubuntu 18.04 LTS:
python-pil 5.1.0-1ubuntu0.7
python3-pil 5.1.0-1ubuntu0.7

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5227-1
CVE-2021-23437, CVE-2021-34552, CVE-2022-22815, CVE-2022-22816,
CVE-2022-22817

Package Information:
https://launchpad.net/ubuntu/+source/pillow/8.1.2+dfsg-0.3ubuntu0.1
https://launchpad.net/ubuntu/+source/pillow/8.1.2-1ubuntu0.2
https://launchpad.net/ubuntu/+source/pillow/7.0.0-4ubuntu0.5
https://launchpad.net/ubuntu/+source/pillow/5.1.0-1ubuntu0.7

--8tpIiAz5TYRNIXHf3ZjLZa1EXhTLkVb5H--

--I7kaSlunIBLWRD3gp1QBhLALKQo6T2Jlb
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmHgN30ACgkQZWnYVadE
vpOLHg//f/ZuGSVy/+p/C2NKEJmQzwdXr1HIjADkdYSFRP+MVq1jOkbrMzALDq0X
fNjkqWfOtA1JN7jQvcAGwydZVxZE2i1JxRvjdtMuVKPAKzFlOnLURkLA/bUK63H+
pJbmeDTYwBZiwRzLkH9O1yAgT20gmDZmG65w6ENDeBRwcUn0cDwze4+sEachrv4X
kkzk1rQDaZo+bUFQq9S7pO68WMKnzNg2xod5fexBtfg+E2w1bkTalVUlzd+1eHlm
fGxNLjZm43YhR3zBiLcXv+zMgs97yplBHaEk2Htqk//kS2sr8wYb0M9OUCU/oqoI
/d6/oL5dHC9OFL6FKtLPzUsd96J930gApEk6xSDo03Mt+5dYZ/Cxq14Wb1o+UApT
OvsLWtJ9HakeL2s2u6wDXTnmZDvuRZ5lhcO3V8j5y8MbszO2BmpoRiZqkoKBnqVm
jDErQqJPX+BQNT1PeISdX2xTDwaMxEQnIGjj+3Ioi4Z5z31RboagV6zSCGMVrqEd
ISD+JXAPInvu34QRp8uERMdlmDueqkJSFdSh0yiM1gmgWatNE/M1poBCB36THhiu
s2Mh5R6nKu3B4VjkFHoPivSX4yujP6WAk2HmQakU7HFrn6uboN+sX/9ZXHH00W3g
NXQfeGwiRXk4tccyGGzBojaJcn8shfgPhNEN6iI+sthtuCjVfdk=
=Tez2
-----END PGP SIGNATURE-----

--I7kaSlunIBLWRD3gp1QBhLALKQo6T2Jlb--

--===============1848539036958021449==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

--===============1848539036958021449==--