-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0887
USN-4763-1: Pillow vulnerabilities
12 March 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Pillow
Publisher: Ubuntu
Operating System: Ubuntu
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-27923 CVE-2021-27922 CVE-2021-27921
CVE-2021-25293 CVE-2021-25292 CVE-2021-25291
CVE-2021-25290 CVE-2021-25289
Original Bulletin:
https://ubuntu.com/security/notices/USN-4763-1
Comment: This advisory references vulnerabilities in products which run on
platforms other than Ubuntu. It is recommended that administrators
running Pillow check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
USN-4763-1: Pillow vulnerabilities
11 March 2021
Several security issues were fixed in Pillow.
Releases
o Ubuntu 20.10
o Ubuntu 20.04 LTS
o Ubuntu 18.04 LTS
o Ubuntu 16.04 LTS
Packages
o pillow - Python Imaging Library
Details
It was discovered that Pillow incorrectly handled certain Tiff image files.
If a user or automated system were tricked into opening a specially-crafted
Tiff file, a remote attacker could cause Pillow to crash, resulting in a
denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 20.04 LTS and Ubuntu 20.10. ( CVE-2021-25289 ,
CVE-2021-25291 )
It was discovered that Pillow incorrectly handled certain Tiff image files.
If a user or automated system were tricked into opening a specially-crafted
Tiff file, a remote attacker could cause Pillow to crash, resulting in a
denial of service, or possibly execute arbitrary code. ( CVE-2021-25290 )
It was discovered that Pillow incorrectly handled certain PDF files. If a
user or automated system were tricked into opening a specially-crafted
PDF file, a remote attacker could cause Pillow to hang, resulting in a
denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, and Ubuntu 20.10. ( CVE-2021-25292 )
It was discovered that Pillow incorrectly handled certain SGI image files.
If a user or automated system were tricked into opening a specially-crafted
SGI file, a remote attacker could possibly cause Pillow to crash,
resulting in a denial of service. This issue only affected Ubuntu 18.04
LTS, Ubuntu 20.04 LTS, and Ubuntu 20.10. ( CVE-2021-25293 )
Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan discovered that
Pillow incorrectly handled certain BLP files. If a user or automated system
were tricked into opening a specially-crafted BLP file, a remote attacker
could possibly cause Pillow to consume resources, resulting in a denial of
service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and
Ubuntu 20.10. ( CVE-2021-27921 )
Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan discovered that
Pillow incorrectly handled certain ICNS files. If a user or automated
system were tricked into opening a specially-crafted ICNS file, a remote
attacker could possibly cause Pillow to consume resources, resulting in a
denial of service. ( CVE-2021-27922 )
Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan discovered that
Pillow incorrectly handled certain ICO files. If a user or automated
system were tricked into opening a specially-crafted ICO file, a remote
attacker could possibly cause Pillow to consume resources, resulting in a
denial of service. ( CVE-2021-27922 )
Update instructions
The problem can be corrected by updating your system to the following package
versions:
Ubuntu 20.10
o python3-pil - 7.2.0-1ubuntu0.2
Ubuntu 20.04
o python3-pil - 7.0.0-4ubuntu0.3
Ubuntu 18.04
o python3-pil - 5.1.0-1ubuntu0.5
o python-pil - 5.1.0-1ubuntu0.5
Ubuntu 16.04
o python3-pil - 3.1.2-0ubuntu1.6
o python-pil - 3.1.2-0ubuntu1.6
In general, a standard system update will make all the necessary changes.
References
o CVE-2021-27922
o CVE-2021-25291
o CVE-2021-27921
o CVE-2021-25293
o CVE-2021-27923
o CVE-2021-25290
o CVE-2021-25292
o CVE-2021-25289
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYEqvJeNLKJtyKPYoAQjSkg//SAbV6eEt/sjsJjUV7fpEVCCRFMGpDsU/
id0aMORu7P+NVivkWtBNa0Phn4p7A2ylO/XOHjefOzKFb+rm7C77qSP90a4iwtsd
1Y5NhPOS0B5ZZA7HTuMUN2xrmE4jnDJVTKE45h0Lr+HXWcajbugHkLLQ4z8+ku0w
BO73D+jwgYN/jjx4spymdf7f0w2HBdQnnf4XBAae5u/7WnJ89Zx0+72TBGFkJhbo
1LvPvNdjKmHAkpKOlDuquC4zhjYc1nwLNuDoRc+NRPR7QGhXcerfRKFU7HtUp7A+
+dX6+B4E7lRNoLyne0lcs/xz+TpVH8+pTtzm3Ewvcj3d0FUuUoGJV76YLay9igH6
7N6QcdxtDE/2BwX3uIYUT2G0vHhkxqs1EHtNy/C9oW8dTrOES2FUfSWt9ZdyC9uK
vwCAR9WgSMDaz7p/KGs8Rev+VG2EOkRaI3+ABzXbj9Nrzl3l7Ex0ZHFCAomYb03W
xZVTFpL4Q8MktmqFAFmFOCwF/huRNsFAxROccQUhzjopMq4yt310PF6QPDFEgehj
8R0KH5IjPoTXX/bMnbopBXNKD/vU5+YLi+5nHKf7K7YE+GtMrH0aakIzeqqjNkAl
0nmwyzpkKLVT5zUSH5Nzjwkky8ngFCMc/KKIWnU9Rw89fP1coQS4iHAdcFr2d3oK
/PakbrCYhD0=
=DaiP
-----END PGP SIGNATURE-----
The post ESB-2021.0887 – [Win][UNIX/Linux][Ubuntu] Pillow: Multiple vulnerabilities appeared first on Malware Devil.
https://malwaredevil.com/2021/03/12/esb-2021-0887-winunix-linuxubuntu-pillow-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-0887-winunix-linuxubuntu-pillow-multiple-vulnerabilities
No comments:
Post a Comment