SUSE-SU-2024:1673-1: critical: Security update for python-Pillow

17 May 2024

      # Security update for python-Pillow

Announcement ID: SUSE-SU-2024:1673-1  
Rating: critical  
References:

  * bsc#1180833
  * bsc#1183101
  * bsc#1183102
  * bsc#1183103
  * bsc#1183105
  * bsc#1183107
  * bsc#1183108
  * bsc#1183110
  * bsc#1188574
  * bsc#1190229
  * bsc#1194551
  * bsc#1194552

Cross-References:

  * CVE-2020-35654
  * CVE-2021-23437
  * CVE-2021-25289
  * CVE-2021-25290
  * CVE-2021-25292
  * CVE-2021-25293
  * CVE-2021-27921
  * CVE-2021-27922
  * CVE-2021-27923
  * CVE-2021-34552
  * CVE-2022-22815
  * CVE-2022-22816

CVSS scores:

  * CVE-2020-35654 ( SUSE ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2020-35654 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2021-23437 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-23437 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-25289 ( SUSE ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2021-25289 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2021-25290 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-25290 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-25292 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-25292 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2021-25293 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-25293 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-27921 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-27921 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-27922 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-27922 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-27923 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-27923 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-34552 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-34552 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2022-22815 ( SUSE ):  3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  * CVE-2022-22815 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
  * CVE-2022-22816 ( SUSE ):  3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  * CVE-2022-22816 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Affected Products:

  * openSUSE Leap 15.3
  * openSUSE Leap 15.5

An update that solves 12 vulnerabilities can now be installed.

## Description:

This update for python-Pillow fixes the following issues:

  * Fixed ImagePath.Path array handling (bsc#1194552, CVE-2022-22815,
    bsc#1194551, CVE-2022-22816)
  * Use snprintf instead of sprintf (bsc#1188574, CVE-2021-34552)
  * Fix Memory DOS in Icns, Ico and Blp Image Plugins. (bsc#1183110,
    CVE-2021-27921, bsc#1183108, CVE-2021-27922, bsc#1183107, CVE-2021-27923)
  * Fix OOB read in SgiRleDecode.c (bsc#1183102, CVE-2021-25293)
  * Use more specific regex chars to prevent ReDoS (bsc#1183101, CVE-2021-25292)
  * Fix negative size read in TiffDecode.c (bsc#1183105, CVE-2021-25290)
  * Raise ValueError if color specifier is too long (bsc#1190229,
    CVE-2021-23437)
  * Incorrect error code checking in TiffDecode.c (bsc#1183103, CVE-2021-25289)
  * OOB Write in TiffDecode.c (bsc#1180833, CVE-2020-35654)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.3  
    zypper in -t patch SUSE-2024-1673=1

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2024-1673=1

## Package List:

  * openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
    * python-Pillow-debugsource-7.2.0-150300.3.15.1
    * python3-Pillow-tk-7.2.0-150300.3.15.1
    * python-Pillow-debuginfo-7.2.0-150300.3.15.1
    * python3-Pillow-7.2.0-150300.3.15.1
    * python3-Pillow-debuginfo-7.2.0-150300.3.15.1
    * python3-Pillow-tk-debuginfo-7.2.0-150300.3.15.1
  * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * python-Pillow-debugsource-7.2.0-150300.3.15.1
    * python3-Pillow-tk-7.2.0-150300.3.15.1
    * python-Pillow-debuginfo-7.2.0-150300.3.15.1
    * python3-Pillow-7.2.0-150300.3.15.1
    * python3-Pillow-debuginfo-7.2.0-150300.3.15.1
    * python3-Pillow-tk-debuginfo-7.2.0-150300.3.15.1

## References:

  * https://www.suse.com/security/cve/CVE-2020-35654.html
  * https://www.suse.com/security/cve/CVE-2021-23437.html
  * https://www.suse.com/security/cve/CVE-2021-25289.html
  * https://www.suse.com/security/cve/CVE-2021-25290.html
  * https://www.suse.com/security/cve/CVE-2021-25292.html
  * https://www.suse.com/security/cve/CVE-2021-25293.html
  * https://www.suse.com/security/cve/CVE-2021-27921.html
  * https://www.suse.com/security/cve/CVE-2021-27922.html
  * https://www.suse.com/security/cve/CVE-2021-27923.html
  * https://www.suse.com/security/cve/CVE-2021-34552.html
  * https://www.suse.com/security/cve/CVE-2022-22815.html
  * https://www.suse.com/security/cve/CVE-2022-22816.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1180833
  * https://bugzilla.suse.com/show_bug.cgi?id=1183101
  * https://bugzilla.suse.com/show_bug.cgi?id=1183102
  * https://bugzilla.suse.com/show_bug.cgi?id=1183103
  * https://bugzilla.suse.com/show_bug.cgi?id=1183105
  * https://bugzilla.suse.com/show_bug.cgi?id=1183107
  * https://bugzilla.suse.com/show_bug.cgi?id=1183108
  * https://bugzilla.suse.com/show_bug.cgi?id=1183110
  * https://bugzilla.suse.com/show_bug.cgi?id=1188574
  * https://bugzilla.suse.com/show_bug.cgi?id=1190229
  * https://bugzilla.suse.com/show_bug.cgi?id=1194551
  * https://bugzilla.suse.com/show_bug.cgi?id=1194552

OPENSUSE-SECURITY-UPDATES

tags

participants (1)