Sicherheit: Mehrere Probleme in Pillow

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============8601606612436956369==
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature";
boundary="LZPf5dTUZ1e74M0kaMIHLWaqbLfLpuxcS"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--LZPf5dTUZ1e74M0kaMIHLWaqbLfLpuxcS
Content-Type: multipart/mixed;
boundary="wD0cFF45twG8P5jw12PTK3wIeuzSNEsPi";
protected-headers="v1"
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: "ubuntu-security-announce@lists.ubuntu.com"
<ubuntu-security-announce@lists.ubuntu.com>
Message-ID: <0bad754b-a4ec-a5e0-739f-0e3e44f74600@canonical.com>
Subject: [USN-4963-1] Pillow vulnerabilities

--wD0cFF45twG8P5jw12PTK3wIeuzSNEsPi
Content-Type: text/plain; charset=utf-8
Content-Language: en-C
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-4963-1
May 19, 2021

pillow vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Pillow could be made to crash or hang if it opened a specially crafted
file.

Software Description:
- pillow: Python Imaging Library

Details:

It was discovered that Pillow incorrectly handled certain image files. If a
user or automated system were tricked into opening a specially-crafted
file, a remote attacker could cause Pillow to crash or hand, resulting in a
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
python3-pil 8.1.2-1ubuntu0.1

Ubuntu 20.10:
python3-pil 7.2.0-1ubuntu0.3

Ubuntu 20.04 LTS:
python3-pil 7.0.0-4ubuntu0.4

Ubuntu 18.04 LTS:
python-pil 5.1.0-1ubuntu0.6
python3-pil 5.1.0-1ubuntu0.6

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-4963-1
CVE-2021-25287, CVE-2021-25288, CVE-2021-28675, CVE-2021-28676,
CVE-2021-28677, CVE-2021-28678

Package Information:
https://launchpad.net/ubuntu/+source/pillow/8.1.2-1ubuntu0.1
https://launchpad.net/ubuntu/+source/pillow/7.2.0-1ubuntu0.3
https://launchpad.net/ubuntu/+source/pillow/7.0.0-4ubuntu0.4
https://launchpad.net/ubuntu/+source/pillow/5.1.0-1ubuntu0.6

--wD0cFF45twG8P5jw12PTK3wIeuzSNEsPi--

--LZPf5dTUZ1e74M0kaMIHLWaqbLfLpuxcS
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmClMrkACgkQZWnYVadE
vpNM4w/+PU/48CuzplbjOS47tC1XV58XFu2z6iB7YLsxPVcQ7pv/imti4l8KAt0A
Os10Okm+gewLNGP8ZJzoM72Z9/F0oc8Wicr3t0OI0FikoAgx02bnkbrEsVx5SeKO
RxIQQXeLPWir1pmEbqMgVeJSY8LBuNPu+R34XOQkXatQenIIjT+C3WY+3LKQFW7O
S3hcl2tNtkIL6RKZnAoGNyN1COMMHgtZ1UuE0kAtW63E/mfz8mXfO4nt8J8kGmAR
KEc3zyl/VPwlbRla3axwy+pvqGnW4PHbB0qxBB1jU/ji7yi5PeckQkv4tKxx6EvE
bc9xnr2m3UZMthqrwaD/MLojFvW/Pd728j9pSvxk8NXNHco0XV8U/Z0qhHCXlbFo
Cwp2YAzRrl3BUvnq7aWgpiF2dERzZodt12MJUXLf79XkGPeCIvqfJecs4r5NZpi1
n4JiFea8DACMLDBKBtdyVz8pUK40uAQFteumkAKTi9hDry5FBvdv2/xg6kYzD43z
/i00ZkHTlAHP6I+LlgpUgv/pwRpsti0u7DEMGFMO8lna9dth7fvRMI5PhOGuaA2g
v35cxWjEkVXH3yUOo5R8Yk5tSJNVxgKKS8NudBvTC2lCMAmvPY86SD5zbW3dxuUd
zDzdrCkd8GI2CqUZbheYWqSydXWCX7CpemS4J8Eu3MhD/twTeRY=
=x+JD
-----END PGP SIGNATURE-----

--LZPf5dTUZ1e74M0kaMIHLWaqbLfLpuxcS--

--===============8601606612436956369==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

--===============8601606612436956369==--