Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2021-0389)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.10.2021.0389

Categoría: Mageia Linux Local Security Checks

Título: Mageia: Security Advisory (MGASA-2021-0389)

Resumen: The remote host is missing an update for the 'python-pillow' package(s) announced via the MGASA-2021-0389 advisory.

Descripción: Summary:
The remote host is missing an update for the 'python-pillow' package(s) announced via the MGASA-2021-0389 advisory.

Vulnerability Insight:
Updated python-pillow packages fix security vulnerabilities:

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds
read in J2kDecode, in j2ku_graya_la (CVE-2021-25287).

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds
read in J2kDecode, in j2ku_gray_i (CVE-2021-25288).

An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile
lacked a sanity check on the number of input layers relative to the size of
the data block. This could lead to a DoS on Image.open prior to Image.load
(CVE-2021-28675).

An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did
not properly check that the block advance was non-zero, potentially leading
to an infinite loop on load (CVE-2021-28676).

An issue was discovered in Pillow before 8.2.0. For EPS data, the readline
implementation used in EPSImageFile has to deal with any combination of \r
and \n as line endings. It used an accidentally quadratic method of
accumulating lines while looking for a line ending. A malicious EPS file
could use this to perform a DoS of Pillow in the open phase, before an
image was accepted for opening (CVE-2021-28677).

An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin
did not properly check that reads (after jumping to file offsets) returned
data. This could lead to a DoS where the decoder could be run a large number
of times on empty data (CVE-2021-28678).

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7
allow an attacker to pass controlled parameters directly into a convert
function to trigger a buffer overflow in Convert.c (CVE-2021-34552).

Affected Software/OS:
'python-pillow' package(s) on Mageia 8.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2021-25287
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
https://security.gentoo.org/glsa/202107-33
https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode
Common Vulnerability Exposure (CVE) ID: CVE-2021-25288
Common Vulnerability Exposure (CVE) ID: CVE-2021-28675
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin
Common Vulnerability Exposure (CVE) ID: CVE-2021-28676
https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856
https://github.com/python-pillow/Pillow/pull/5377
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos
https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html
Common Vulnerability Exposure (CVE) ID: CVE-2021-28677
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
Common Vulnerability Exposure (CVE) ID: CVE-2021-28678
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
Common Vulnerability Exposure (CVE) ID: CVE-2021-34552
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV/
https://security.gentoo.org/glsa/202211-10
https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow
https://pillow.readthedocs.io/en/stable/releasenotes/index.html

Copyright Copyright (C) 2022 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.10.2021.0389
Categoría:	Mageia Linux Local Security Checks
Título:	Mageia: Security Advisory (MGASA-2021-0389)
Resumen:	The remote host is missing an update for the 'python-pillow' package(s) announced via the MGASA-2021-0389 advisory.
Descripción:	Summary: The remote host is missing an update for the 'python-pillow' package(s) announced via the MGASA-2021-0389 advisory. Vulnerability Insight: Updated python-pillow packages fix security vulnerabilities: An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la (CVE-2021-25287). An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i (CVE-2021-25288). An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load (CVE-2021-28675). An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load (CVE-2021-28676). An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening (CVE-2021-28677). An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data (CVE-2021-28678). Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c (CVE-2021-34552). Affected Software/OS: 'python-pillow' package(s) on Mageia 8. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2021-25287 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://security.gentoo.org/glsa/202107-33 https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode Common Vulnerability Exposure (CVE) ID: CVE-2021-25288 Common Vulnerability Exposure (CVE) ID: CVE-2021-28675 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin Common Vulnerability Exposure (CVE) ID: CVE-2021-28676 https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856 https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html Common Vulnerability Exposure (CVE) ID: CVE-2021-28677 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open Common Vulnerability Exposure (CVE) ID: CVE-2021-28678 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos Common Vulnerability Exposure (CVE) ID: CVE-2021-34552 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV/ https://security.gentoo.org/glsa/202211-10 https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html
Copyright	Copyright (C) 2022 Greenbone AG