From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: "ubuntu-security-announce@lists.ubuntu.com" <ubuntu-security-announce@lists.ubuntu.com>
Message-ID: <c945d99c-e875-e627-82d7-97e37853c5e1@canonical.com>
Subject: [USN-5227-1] Pillow vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5227-1
January 13, 2022

pillow vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.10
- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in Pillow.
Software Description:
- pillow: Python Imaging Library
Details:
It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to hang, resulting in a denial of service. (CVE-2021-23437)
It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 21.04. (CVE-2021-34552)
It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-22815)
It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to crash, resulting in a denial of service. (CVE-2022-22816)
It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-22817)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.10: python3-pil 8.1.2+dfsg-0.3ubuntu0.1
Ubuntu 21.04: python3-pil 8.1.2-1ubuntu0.2
Ubuntu 20.04 LTS: python3-pil 7.0.0-4ubuntu0.5
Ubuntu 18.04 LTS:
  python-pil  5.1.0-1ubuntu0.7
  python3-pil 5.1.0-1ubuntu0.7
In general, a standard system update will make all the necessary changes.
References:
  https://ubuntu.com/security/notices/USN-5227-1
  CVE-2021-23437, CVE-2021-34552, CVE-2022-22815, CVE-2022-22816, CVE-2022-22817
Package Information:
  https://launchpad.net/ubuntu/+source/pillow/8.1.2+dfsg-0.3ubuntu0.1
  https://launchpad.net/ubuntu/+source/pillow/8.1.2-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/pillow/7.0.0-4ubuntu0.5
  https://launchpad.net/ubuntu/+source/pillow/5.1.0-1ubuntu0.7