Package "pillow"
Name: pillow
Description: This package is just an umbrella for a group of other packages, it has no description. Description samples from packages in group:
- Python Imaging Library - ImageTk Module (Python3)
Latest version: 11.3.0-1ubuntu1.3
Release: questing (25.10)
Level: updates
Repository: universe
Changelog

pillow (11.3.0-1ubuntu1.3) questing-security; urgency=medium

  * SECURITY UPDATE: integer overflow via large font advances
    - debian/patches/CVE-2026-42308.patch: Use long for glyph position in
      src/_imagingft.c.
    - CVE-2026-42308
  * SECURITY UPDATE: heap buffer overflow via recursive nested lists
    - debian/patches/CVE-2026-42309.patch: Reject non-numeric elements inside
      list coords in Tests/test_imagepath.py, src/path.c.
    - CVE-2026-42309
  * SECURITY UPDATE: DoS via malicious PDF
    - debian/patches/CVE-2026-42310.patch: Raise an error if the trailer chain
      loops back on itself in src/PIL/PdfParser.py.
    - CVE-2026-42310
  * SECURITY UPDATE: DoS or code exec via malicious PSD file
    - debian/patches/CVE-2026-42311-pre1.patch: Simplify `setimage()` by always
      passing extents in src/PIL/Image.py, src/decode.c, src/encode.c.
    - debian/patches/CVE-2026-42311-pre2.patch: Simplify setimage() in
      src/PIL/ImageFile.py.
    - debian/patches/CVE-2026-42311-pre3.patch: Allow None extents in C setimage
      in Tests/test_imagefile.py, src/decode.c, src/encode.c.
    - debian/patches/CVE-2026-42311-1.patch: Avoid overflow by not adding
      extents together in src/decode.c, src/encode.c.
    - debian/patches/CVE-2026-42311-2.patch: Copy offset check from C into
      Python in Tests/test_imagefile.py, src/PIL/ImageFile.py.
    - CVE-2026-42311

 -- Marc Deslauriers <email address hidden>  Thu, 04 Jun 2026 13:05:33 -0400

CVE-2026-42308
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceedingly large amount, when Pillow keeps track
CVE-2026-42309
Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates
CVE-2026-42310
Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to ha
CVE-2026-42311
Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, po

pillow (11.3.0-1ubuntu1.2) questing-security; urgency=medium

  * SECURITY UPDATE: unbounded memory consumption via FITS image
    - debian/patches/CVE-2026-40192.patch: only read as much data from
      gzip-decompressed data as necessary in src/PIL/FitsImagePlugin.py.
    - CVE-2026-40192

 -- Marc Deslauriers <email address hidden>  Tue, 21 Apr 2026 07:54:05 -0400

CVE-2026-40192
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image,

pillow (11.3.0-1ubuntu1.1) questing-security; urgency=medium

  * SECURITY UPDATE: OOB write via PSD image
    - debian/patches/CVE-2026-25990.patch: fix OOB Write with invalid tile
      extents in Tests/test_imagefile.py, src/decode.c, src/encode.c.
    - CVE-2026-25990

 -- Marc Deslauriers <email address hidden>  Fri, 13 Feb 2026 08:40:02 -0500

CVE-2026-25990
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image.