Package "pillow"

Name: pillow


This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • Examples for the Python Imaging Library
  • Python Imaging Library (Python3)
  • Python Imaging Library (Python3 debug extension)
  • Python Imaging Library - ImageTk Module (Python3)

Latest version: 8.1.2-1ubuntu0.2
Release: hirsute (21.04)
Level: updates
Repository: main


Other versions of "pillow" in Hirsute

Repository Area Version
base main 8.1.2-1
security main 8.1.2-1ubuntu0.2

Packages in group

Deleted packages are displayed in grey.


Version: 8.1.2-1ubuntu0.2 2022-01-13 16:06:32 UTC

  pillow (8.1.2-1ubuntu0.2) hirsute-security; urgency=medium

  * SECURITY UPDATE: regular expression DoS
    - debian/patches/CVE-2021-23437.patch: raise ValueError if color
      specifier is too long in Tests/test_imagecolor.py,
    - CVE-2021-23437
  * SECURITY UPDATE: Dos via buffer overflow
    - debian/patches/CVE-2021-34552.patch: limit sprintf modes to 10
      characters in src/libImaging/Convert.c.
    - CVE-2021-34552
  * SECURITY UPDATE: improper initialization
    - debian/patches/CVE-2022-22815.patch: initialize coordinates to zero
      in Tests/test_imagepath.py, src/path.c.
    - CVE-2022-22815
  * SECURITY UPDATE: buffer over-read during initialization
    - debian/patches/CVE-2022-22816.patch: handle case where path count is
      zero in Tests/test_imagepath.py, src/path.c.
    - CVE-2022-22816
  * SECURITY UPDATE: evaluation of arbitrary expressions
    - debian/patches/CVE-2022-22817.patch: restrict builtins for
      ImageMath.eval in Tests/test_imagemath.py, src/PIL/ImageMath.py.
    - CVE-2022-22817

 -- Marc Deslauriers <email address hidden> Wed, 12 Jan 2022 12:54:47 -0500

Source diff to previous version
CVE-2021-23437 The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
CVE-2021-34552 Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert funct
CVE-2022-22815 path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
CVE-2022-22816 path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVE-2022-22817 PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.

Version: 8.1.2-1ubuntu0.1 2021-05-19 17:06:27 UTC

  pillow (8.1.2-1ubuntu0.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: OOB read in Jpeg2KDecode
    - debian/patches/CVE-2021-25287_8.patch: handle different widths for
      each band in src/libImaging/Jpeg2KDecode.c.
    - CVE-2021-25287
    - CVE-2021-25288
  * SECURITY UPDATE: DOS in PsdImagePlugin
    - debian/patches/CVE-2021-28675.patch: sanity check the number of
      input layers in Tests/test_decompression_bomb.py,
      Tests/test_file_apng.py, Tests/test_file_blp.py,
      Tests/test_file_tiff.py, src/PIL/ImageFile.py,
    - CVE-2021-28675
    - debian/patches/CVE-2021-28676.patch: check the block advance in
    - CVE-2021-28676
    - debian/patches/CVE-2021-28677.patch: properly handle line endings in
    - CVE-2021-28677
    - debian/patches/CVE-2021-28678.patch: check that reads return data in
    - CVE-2021-28678

 -- Marc Deslauriers <email address hidden> Tue, 18 May 2021 07:09:08 -0400

About   -   Send Feedback to @ubuntu_updates