UbuntuUpdates.org

Package "pillow"

Name: pillow

Description:

This package is just an umbrella for a group of other packages; it has no description of its own.
Description samples from packages in group:

  • Examples for the Python Imaging Library
  • Python Imaging Library (Python3)

Latest version: 9.0.1-1ubuntu0.2
Release: jammy (22.04)
Level: security
Repository: main

Other versions of "pillow" in Jammy

Repository  Area      Version
base        main      9.0.1-1build1
base        universe  9.0.1-1build1
security    universe  9.0.1-1ubuntu0.2
updates     main      9.0.1-1ubuntu0.2
updates     universe  9.0.1-1ubuntu0.2


Changelog

Version: 9.0.1-1ubuntu0.2 2024-01-30 17:08:24 UTC

  pillow (9.0.1-1ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS in ImageFont via large textlength
    - debian/patches/CVE-2023-44271.patch: added a maximum string length in
      Tests/test_imagefont.py, docs/reference/ImageFont.rst,
      src/PIL/ImageFont.py.
    - CVE-2023-44271
  * SECURITY UPDATE: PIL.ImageMath.eval Arbitrary Code Execution
    - debian/patches/CVE-2023-50447-1.patch: don't allow __ or builtins in
      env dictionaries for ImageMath.eval in src/PIL/ImageMath.py.
    - debian/patches/CVE-2023-50447-2.patch: allow ops in
      Tests/test_imagemath.py, src/PIL/ImageMath.py.
    - debian/patches/CVE-2023-50447-3.patch: include further builtins in
      Tests/test_imagemath.py, src/PIL/ImageMath.py.
    - CVE-2023-50447

 -- Marc Deslauriers <email address hidden> Thu, 25 Jan 2024 10:10:10 -0500

CVE-2023-44271: An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially
CVE-2023-50447: Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817

Version: 9.0.1-1ubuntu0.1 2022-12-13 14:07:30 UTC

  pillow (9.0.1-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: gif decompression bomb issue
    - debian/patches/CVE-2022-45198.patch: Added GIF decompression bomb check
      in src/PIL/GifImagePlugin.py.
    - CVE-2022-45198

 -- Fabian Toepfer <email address hidden> Mon, 12 Dec 2022 20:51:28 +0100

CVE-2022-45198: Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).