Package "python3-pil-dbg"
Name: |
python3-pil-dbg
|
Description: |
Python Imaging Library (Python3 debug extension)
|
Latest version: |
7.0.0-4ubuntu0.9 |
Release: |
focal (20.04) |
Level: |
updates |
Repository: |
main |
Head package: |
pillow |
Homepage: |
http://python-pillow.github.io/ |
Links
Download "python3-pil-dbg"
Other versions of "python3-pil-dbg" in Focal
Changelog
pillow (7.0.0-4ubuntu0.9) focal-security; urgency=medium
* SECURITY UPDATE: Buffer overflow in imagingcms.c
- debian/patches/CVE-2024-28219.patch: Use strncpy
to avoid buffer overflow
- CVE-2024-28219
-- Nick Galanis <email address hidden> Fri, 12 Apr 2024 15:21:40 +0100
|
Source diff to previous version |
CVE-2024-28219 |
In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy. |
|
pillow (7.0.0-4ubuntu0.8) focal-security; urgency=medium
* SECURITY UPDATE: DoS in ImageFont via large textlength
- debian/patches/CVE-2023-44271.patch: added a maximum string length in
Tests/test_imagefont.py, docs/reference/ImageFont.rst,
src/PIL/ImageFont.py.
- CVE-2023-44271
* SECURITY UPDATE: PIL.ImageMath.eval Arbitrary Code Execution
- debian/patches/CVE-2023-50447-1.patch: don't allow __ or builtins in
env dictionarys for ImageMath.eval in src/PIL/ImageMath.py.
- debian/patches/CVE-2023-50447-2.patch: allow ops in
Tests/test_imagemath.py, src/PIL/ImageMath.py.
- debian/patches/CVE-2023-50447-3.patch: include further builtins in
Tests/test_imagemath.py, src/PIL/ImageMath.py.
- CVE-2023-50447
-- Marc Deslauriers <email address hidden> Thu, 25 Jan 2024 12:48:42 -0500
|
Source diff to previous version |
CVE-2023-44271 |
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially |
CVE-2023-50447 |
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 |
|
pillow (7.0.0-4ubuntu0.7) focal-security; urgency=medium
* SECURITY UPDATE: arbitrary file deletion
- debian/patches/CVE-2022-24303.patch: No longer remove temporary images
manually in src/PIL/ImageShow.py.
- CVE-2022-24303
* SECURITY UPDATE: gif decompression bomb issue
- debian/patches/CVE-2022-45198.patch: Added GIF decompression bomb check
in src/PIL/GifImagePlugin.py.
- CVE-2022-45198
-- Fabian Toepfer <email address hidden> Mon, 12 Dec 2022 21:23:40 +0100
|
Source diff to previous version |
CVE-2022-24303 |
Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
CVE-2022-45198 |
Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
|
pillow (7.0.0-4ubuntu0.6) focal-security; urgency=medium
* SECURITY UPDATE: incomplete fix for CVE-2022-22817
- debian/patches/CVE-2022-22817-2.patch: restrict builtins within
lambdas for ImageMath.eval in Tests/test_imagemath.py,
src/PIL/ImageMath.py.
- CVE-2022-22817
-- Marc Deslauriers <email address hidden> Thu, 20 Oct 2022 11:28:59 -0400
|
Source diff to previous version |
CVE-2022-22817 |
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. |
|
pillow (7.0.0-4ubuntu0.5) focal-security; urgency=medium
* SECURITY UPDATE: regular expression DoS
- debian/patches/CVE-2021-23437.patch: raise ValueError if color
specifier is too long in Tests/test_imagecolor.py,
src/PIL/ImageColor.py.
- CVE-2021-23437
* SECURITY UPDATE: Dos via buffer overflow
- debian/patches/CVE-2021-34552.patch: limit sprintf modes to 10
characters in src/libImaging/Convert.c.
- CVE-2021-34552
* SECURITY UPDATE: improper initialization
- debian/patches/CVE-2022-22815.patch: initialize coordinates to zero
in src/path.c.
- CVE-2022-22815
* SECURITY UPDATE: buffer over-read during initialization
- debian/patches/CVE-2022-22816.patch: handle case where path count is
zero in src/path.c.
- CVE-2022-22816
* SECURITY UPDATE: evaluation of arbitrary expressions
- debian/patches/CVE-2022-22817.patch: restrict builtins for
ImageMath.eval in Tests/test_imagemath.py, src/PIL/ImageMath.py.
- CVE-2022-22817
-- Marc Deslauriers <email address hidden> Wed, 12 Jan 2022 13:05:20 -0500
|
CVE-2021-23437 |
The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. |
CVE-2021-34552 |
Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert funct |
CVE-2022-22815 |
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. |
CVE-2022-22816 |
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. |
CVE-2022-22817 |
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. |
|
About
-
Send Feedback to @ubuntu_updates