UbuntuUpdates.org

Package "python3-pil"

Name: python3-pil

Description:

Python Imaging Library (Python3)

Latest version: 10.0.0-1ubuntu0.2
Release: mantic (23.10)
Level: updates
Repository: main
Head package: pillow
Homepage: http://python-pillow.github.io/


Other versions of "python3-pil" in Mantic

Repository Area Version
base main 10.0.0-1
security main 10.0.0-1ubuntu0.2

Changelog

Version: 10.0.0-1ubuntu0.2 2024-04-22 12:07:21 UTC

  pillow (10.0.0-1ubuntu0.2) mantic-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow in imagingcms.c
    - debian/patches/CVE-2024-28219.patch: Use strncpy
      to avoid buffer overflow
    - CVE-2024-28219

 -- Nick Galanis <email address hidden> Mon, 15 Apr 2024 14:52:02 +0100

CVE-2024-28219 In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

Version: 10.0.0-1ubuntu0.1 2024-01-31 09:09:48 UTC

  pillow (10.0.0-1ubuntu0.1) mantic-security; urgency=medium

  * SECURITY UPDATE: PIL.ImageMath.eval Arbitrary Code Execution
    - debian/patches/CVE-2023-50447-1.patch: don't allow __ or builtins in
      env dictionaries for ImageMath.eval in src/PIL/ImageMath.py.
    - debian/patches/CVE-2023-50447-2.patch: allow ops in
      Tests/test_imagemath.py, src/PIL/ImageMath.py.
    - debian/patches/CVE-2023-50447-3.patch: include further builtins in
      Tests/test_imagemath.py, src/PIL/ImageMath.py.
    - CVE-2023-50447

 -- Marc Deslauriers <email address hidden> Thu, 25 Jan 2024 10:02:07 -0500

CVE-2023-50447 Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817
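The following is an added example, not code from Pillow or from the Ubuntu patches above. It reproduces the shape of the CVE-2023-50447 fix without needing Pillow installed: an ImageMath-style evaluator that merges a caller-supplied environment dictionary into the namespace handed to eval(). The pre-fix variant accepts the environment unchecked, so a key such as "__builtins__" replaces the restricted builtins table; the post-fix variant refuses any key containing "__" or shadowing a Python builtin, which is what the three patches listed in the changelog do. The allowlist of builtins, the function names and the hostile environment are all constructed for this example.

```python
import builtins

# Restricted builtins that an ImageMath-style evaluator deliberately exposes.
# Constructed for this example; Pillow's own allowlist differs.
ALLOWED_BUILTINS = {"abs": abs, "min": min, "max": max, "int": int, "float": float}


def validate_env(env):
    """Reject environment keys that could reach the interpreter.

    Mirrors the checks described in the changelog above: a key containing
    "__" (for example "__builtins__" or "__class__") or a key that shadows a
    Python builtin is refused before the dictionary reaches eval().
    """
    for key in env:
        if not isinstance(key, str):
            raise ValueError("environment keys must be strings")
        if "__" in key or hasattr(builtins, key):
            raise ValueError(f"'{key}' is not allowed in the ImageMath environment")
    return env


def unsafe_eval(expression, env):
    """Pre-fix shape: the caller's env is merged in unchecked, so an env key
    named '__builtins__' silently replaces the restricted builtins table."""
    namespace = {"__builtins__": dict(ALLOWED_BUILTINS)}
    namespace.update(env)
    return eval(expression, namespace)


def safe_eval(expression, env):
    """Post-fix shape: the env is validated first, and the restricted builtins
    table is installed after the env so it can never be overridden."""
    namespace = dict(validate_env(env))
    namespace["__builtins__"] = dict(ALLOWED_BUILTINS)
    return eval(expression, namespace)


def demo():
    """Run both variants against a benign and a hostile environment."""
    results = {}
    results["arith"] = safe_eval("a * b + abs(c)", {"a": 2, "b": 3, "c": -4})

    # 'len' is not in ALLOWED_BUILTINS. A hostile env (constructed here) smuggles
    # it in by overriding __builtins__; anything else could be smuggled the same way.
    hostile = {"__builtins__": {"len": len}}
    results["unsafe_override"] = unsafe_eval("len('abc')", hostile)
    try:
        safe_eval("len('abc')", hostile)
        results["safe_override"] = "accepted"
    except ValueError:
        results["safe_override"] = "rejected"

    # A benign-looking name that shadows a builtin is refused as well.
    try:
        safe_eval("abs(x)", {"abs": lambda v: v, "x": -1})
        results["shadow"] = "accepted"
    except ValueError:
        results["shadow"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that filtering the environment keys is only the part of the problem these patches address: a trimmed `__builtins__` dictionary is not a sandbox for the expression itself, so untrusted expressions still need their own validation.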
