USN-6744-1: Pillow vulnerability
22 April 2024
Pillow could be made to crash or run programs as an administrator if it opened a specially crafted file.
Releases
Packages
- pillow - Python Imaging Library
Details
Hugo van Kemenade discovered that Pillow was not properly performing
bounds checks when processing an ICC file, which could lead to a buffer
overflow. If a user or automated system were tricked into processing a
specially crafted ICC file, an attacker could possibly use this issue
to cause a denial of service or execute arbitrary code.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 23.10
Ubuntu 22.04
Ubuntu 20.04
Ubuntu 18.04
-
python-pil
-
5.1.0-1ubuntu0.8+esm1
Available with Ubuntu Pro
-
python3-pil
-
5.1.0-1ubuntu0.8+esm1
Available with Ubuntu Pro
Ubuntu 16.04
-
python-pil
-
3.1.2-0ubuntu1.6+esm2
Available with Ubuntu Pro
-
python3-pil
-
3.1.2-0ubuntu1.6+esm2
Available with Ubuntu Pro
Ubuntu 14.04
-
python-pil
-
2.3.0-1ubuntu3.4+esm4
Available with Ubuntu Pro
-
python3-pil
-
2.3.0-1ubuntu3.4+esm4
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-6744-2: python-pil, pillow-python2, python-pil.imagetk
- USN-6744-3: python3-pil.imagetk, python-pil-doc, pillow, python3-pil