python-pillow-5.1.1-18.el8

Errata ID: AXSA:2022-3080:02

Release date: 
Wednesday, February 23, 2022 - 00:51
Subject: 
python-pillow-5.1.1-18.el8
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities.

Security Fix(es):

* python-pillow: PIL.ImageMath.eval allows evaluation of arbitrary expressions (CVE-2022-22817)
* python-pillow: buffer over-read during initialization of ImagePath.Path in path_getbbox() in path.c (CVE-2022-22816)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-22816
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVE-2022-22817
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.
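
For code that passes externally supplied expression strings to PIL.ImageMath.eval, an allowlist pre-check can reject anything that is not plain image arithmetic before it is evaluated. The following is an added example, not part of this advisory or of Pillow; `check_expression`, the function allowlist and the sample expressions are assumptions of the example, and it assumes Python 3.8 or later (for `ast.Constant`).

```python
import ast

# Helper names permitted in calls. Assumption of this example: these mirror
# the functions ImageMath documents; trim the set to what your code needs.
ALLOWED_FUNCS = {"abs", "convert", "float", "int", "max", "min"}

# Syntax needed for arithmetic, bitwise and comparison expressions only.
# Attribute access, subscripts, lambdas, comprehensions etc. are not listed.
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.Compare, ast.Call,
    ast.Name, ast.Load, ast.Constant, ast.operator, ast.unaryop, ast.cmpop,
)


def check_expression(expr, operand_names):
    """Return None if expr passes the allowlist, otherwise a rejection reason."""
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError) as exc:
        return f"not a single expression: {exc}"
    known = set(operand_names) | ALLOWED_FUNCS
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return f"disallowed syntax: {type(node).__name__}"
        if isinstance(node, ast.Call) and not (
            isinstance(node.func, ast.Name) and node.func.id in ALLOWED_FUNCS
        ):
            return "call to a function outside the allowlist"
        if isinstance(node, ast.Name) and node.id not in known:
            return f"unknown name: {node.id}"
        if isinstance(node, ast.Constant) and not isinstance(
            node.value, (int, float, str)
        ):
            return "constant of unsupported type"
    return None


if __name__ == "__main__":
    # Constructed sample expressions; "a" and "b" stand for operand images.
    for sample in ("convert(min(a, b) * 2, 'L')", "exec('pass')", "a.size + b"):
        print(f"{sample!r}: {check_expression(sample, {'a', 'b'}) or 'ok'}")
```

Call the check with the same operand names that will be passed to ImageMath.eval, and evaluate the expression only when it returns None.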

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python-pillow-5.1.1-18.el8.src.rpm
    MD5: dd050ef5c949668438554e7fec64f79e
    SHA-256: b8ed4b31a678170367dc93d0d7d099673198b5e6026d655aba7dbe9176464f20
    Size: 13.52 MB

Asianux Server 8 for x86_64
  1. python3-pillow-5.1.1-18.el8.x86_64.rpm
    MD5: f6a85099ed253025f50a2fcb5d751cdb
    SHA-256: 31cfab791d4d414a5345e59512ebc6b3013ca8d7d312befc330be212526c0f17
    Size: 631.21 kB