UbuntuUpdates.org

Package "python3-pil"

Name: python3-pil

Description:

Python Imaging Library (Python3)

Latest version: 9.0.1-1ubuntu0.3
Release: jammy (22.04)
Level: updates
Repository: main
Head package: pillow
Homepage: http://python-pillow.github.io/

Other versions of "python3-pil" in Jammy

Repository   Area   Version
base         main   9.0.1-1build1
security     main   9.0.1-1ubuntu0.3

Changelog

Version: 9.0.1-1ubuntu0.3 2024-04-22 12:07:19 UTC

  pillow (9.0.1-1ubuntu0.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow in imagingcms.c
    - debian/patches/CVE-2024-28219.patch: Use strncpy
      to avoid buffer overflow
    - CVE-2024-28219

 -- Nick Galanis <email address hidden> Mon, 15 Apr 2024 13:00:29 +0100

CVE-2024-28219 In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

Version: 9.0.1-1ubuntu0.2 2024-01-30 23:07:09 UTC

  pillow (9.0.1-1ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS in ImageFont via large textlength
    - debian/patches/CVE-2023-44271.patch: added a maximum string length in
      Tests/test_imagefont.py, docs/reference/ImageFont.rst,
      src/PIL/ImageFont.py.
    - CVE-2023-44271
  * SECURITY UPDATE: PIL.ImageMath.eval Arbitrary Code Execution
    - debian/patches/CVE-2023-50447-1.patch: don't allow __ or builtins in
      env dictionaries for ImageMath.eval in src/PIL/ImageMath.py.
    - debian/patches/CVE-2023-50447-2.patch: allow ops in
      Tests/test_imagemath.py, src/PIL/ImageMath.py.
    - debian/patches/CVE-2023-50447-3.patch: include further builtins in
      Tests/test_imagemath.py, src/PIL/ImageMath.py.
    - CVE-2023-50447

 -- Marc Deslauriers <email address hidden> Thu, 25 Jan 2024 10:10:10 -0500

CVE-2023-44271 An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially
CVE-2023-50447 Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817

Version: 9.0.1-1ubuntu0.1 2022-12-13 15:06:39 UTC

  pillow (9.0.1-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: gif decompression bomb issue
    - debian/patches/CVE-2022-45198.patch: Added GIF decompression bomb check
      in src/PIL/GifImagePlugin.py.
    - CVE-2022-45198

 -- Fabian Toepfer <email address hidden> Mon, 12 Dec 2022 20:51:28 +0100

CVE-2022-45198 Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).