FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Pillow -- Multiple vulnerabilities

Affected packages
py27-pillow < 6.2.2
py35-pillow < 6.2.2
py36-pillow < 6.2.2
py37-pillow < 6.2.2
py38-pillow < 6.2.2

Details

VuXML ID 0700e76c-3eb0-11ea-8478-3085a9a95629
Discovery 2019-12-19
Entry 2020-01-24

Pillow developers report:

This release addresses several security problems, as well as addressing CVE-2019-19911.

CVE-2019-19911 is regarding FPX images. If an image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by limiting the number of bands to those usable by Pillow.

Buffer overruns were found when processing an SGI, PCX or FLI image. Checks have been added to prevent this.

Overflow checks have been added when calculating the size of a memory block to be reallocated in the processing of a TIFF image.

[source]

References

CVE Name CVE-2019-19911
CVE Name CVE-2020-5310
CVE Name CVE-2020-5311
CVE Name CVE-2020-5312
CVE Name CVE-2020-5313
FreeBSD PR ports/243336
URL https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.