python-pillow-2.0.0-23.gitd1c6db8.el7

Errata ID: AXSA:2022-3076:01

Release date: Tuesday, February 22, 2022 - 16:54
Subject: python-pillow-2.0.0-23.gitd1c6db8.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: High
Description: 

The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities.

Security Fix(es):

* python-pillow: PIL.ImageMath.eval allows evaluation of arbitrary expressions (CVE-2022-22817)
* python-pillow: buffer over-read during initialization of ImagePath.Path in path_getbbox() in path.c (CVE-2022-22816)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-22816
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVE-2022-22817
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python-pillow-2.0.0-23.gitd1c6db8.el7.src.rpm
    MD5: 4e9f864e14eb7321d61af278e7d183cd
    SHA-256: 7e7351adc1074df93d9258fd5352959de04dcc1ab08da92c63a02af4fff9607b
    Size: 1.23 MB

Asianux Server 7 for x86_64
  1. python-pillow-2.0.0-23.gitd1c6db8.el7.x86_64.rpm
    MD5: cdbec3bdd9bccd049547a5e8e0ff3be3
    SHA-256: a7a93940a5a0911a81dc4dcccf186d0549891a36ed91b866577cfffb252a1981
    Size: 438.44 kB