FEDORA-2021-a8ddc1ce70

FEDORA-2021-880aa7bd27

https://pillow.readthedocs.io/en/stable/releasenotes/index.html

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4149 advisory.

  - python-pillow: Buffer over-read in PCX image reader (CVE-2020-35653)

  - python-pillow: Buffer over-read in SGI RLE image reader (CVE-2020-35655)

  - python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25287, CVE-2021-25288)

  - python-pillow: Negative-offset memcpy in TIFF image reader (CVE-2021-25290)

  - python-pillow: Regular expression DoS in PDF format parser (CVE-2021-25292)

  - python-pillow: Out-of-bounds read in SGI RLE image reader (CVE-2021-25293)

  - python-pillow: Excessive memory allocation in BLP image reader (CVE-2021-27921)

  - python-pillow: Excessive memory allocation in ICNS image reader (CVE-2021-27922)

  - python-pillow: Excessive memory allocation in ICO image reader (CVE-2021-27923)

  - python-pillow: Excessive memory allocation in PSD image reader (CVE-2021-28675)

  - python-pillow: Infinite loop in FLI image reader (CVE-2021-28676)

  - python-pillow: Excessive CPU use in EPS image reader (CVE-2021-28677)

  - python-pillow: Excessive looping in BLP image reader (CVE-2021-28678)

  - python-pillow: Buffer overflow in image convert function (CVE-2021-34552)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:4149 advisory.

  - python-pillow: Buffer over-read in PCX image reader (CVE-2020-35653)

  - python-pillow: Buffer over-read in SGI RLE image reader (CVE-2020-35655)

  - python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25287, CVE-2021-25288)

  - python-pillow: Negative-offset memcpy in TIFF image reader (CVE-2021-25290)

  - python-pillow: Regular expression DoS in PDF format parser (CVE-2021-25292)

  - python-pillow: Out-of-bounds read in SGI RLE image reader (CVE-2021-25293)

  - python-pillow: Excessive memory allocation in BLP image reader (CVE-2021-27921)

  - python-pillow: Excessive memory allocation in ICNS image reader (CVE-2021-27922)

  - python-pillow: Excessive memory allocation in ICO image reader (CVE-2021-27923)

  - python-pillow: Excessive memory allocation in PSD image reader (CVE-2021-28675)

  - python-pillow: Infinite loop in FLI image reader (CVE-2021-28676)

  - python-pillow: Excessive CPU use in EPS image reader (CVE-2021-28677)

  - python-pillow: Excessive looping in BLP image reader (CVE-2021-28678)

  - python-pillow: Buffer overflow in image convert function (CVE-2021-34552)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the python-pillow packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image     files because offsets and length tables are mishandled. (CVE-2020-35655)

  - An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS)     attack via a crafted PDF file because of a catastrophic backtracking regex. (CVE-2021-25292)

  - An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.
    (CVE-2021-25293)

  - Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass     controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.
    (CVE-2021-34552)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1134-1 advisory.

  - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)

  - In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the     user-supplied stride value is trusted for buffer calculations. (CVE-2020-35653)

  - In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files     because of certain interpretation conflicts with LibTIFF in RGBA mode. (CVE-2020-35654)

  - In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image     files because offsets and length tables are mishandled. (CVE-2020-35655)

  - An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding     crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this     issue exists because of an incomplete fix for CVE-2020-35654. (CVE-2021-25289)

  - An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an     invalid size. (CVE-2021-25290)

  - An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in     TiffreadRGBATile via invalid tile boundaries. (CVE-2021-25291)

  - An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS)     attack via a crafted PDF file because of a catastrophic backtracking regex. (CVE-2021-25292)

  - An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.
    (CVE-2021-25293)

  - Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the     reported size of a contained image is not properly checked for a BLP container, and thus an attempted     memory allocation can be very large. (CVE-2021-27921)

  - Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the     reported size of a contained image is not properly checked for an ICNS container, and thus an attempted     memory allocation can be very large. (CVE-2021-27922)

  - Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the     reported size of a contained image is not properly checked for an ICO container, and thus an attempted     memory allocation can be very large. (CVE-2021-27923)

  - Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass     controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.
    (CVE-2021-34552)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the python-pillow package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for a     BLP container, and thus an attempted memory allocation     can be very large.(CVE-2021-27921)

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for     an ICNS container, and thus an attempted memory     allocation can be very large.(CVE-2021-27922)

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for     an ICO container, and thus an attempted memory     allocation can be very large.(CVE-2021-27923)

  - In Pillow before 8.1.0, SGIRleDecode has a 4-byte     buffer over-read when decoding crafted SGI RLE image     files because offsets and length tables are     mishandled.(CVE-2020-35655)

  - An issue was discovered in Pillow before 8.2.0.
    PSDImagePlugin.PsdImageFile lacked a sanity check on     the number of input layers relative to the size of the     data block. This could lead to a DoS on Image.open     prior to Image.load.(CVE-2021-28675)

  - An issue was discovered in Pillow before 8.2.0. For FLI     data, FliDecode did not properly check that the block     advance was non-zero, potentially leading to an     infinite loop on load.(CVE-2021-28676)

  - An issue was discovered in Pillow before 8.2.0. For EPS     data, the readline implementation used in EPSImageFile     has to deal with any combination of \r and \n as line     endings. It used an accidentally quadratic method of     accumulating lines while looking for a line ending. A     malicious EPS file could use this to perform a DoS of     Pillow in the open phase, before an image was accepted     for opening.(CVE-2021-28677)

  - An issue was discovered in Pillow before 8.2.0. For BLP     data, BlpImagePlugin did not properly check that reads     (after jumping to file offsets) returned data. This     could lead to a DoS where the decoder could be run a     large number of times on empty data.(CVE-2021-28678)

  - An issue was discovered in Pillow before 8.2.0. There     is an out-of-bounds read in J2kDecode, in     j2ku_graya_la.(CVE-2021-25287)

  - An issue was discovered in Pillow before 8.2.0. There     is an out-of-bounds read in J2kDecode, in     j2ku_gray_i.(CVE-2021-25288)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the python-pillow package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for     an ICO container, and thus an attempted memory     allocation can be very large. (CVE-2021-27923)

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for     an ICNS container, and thus an attempted memory     allocation can be very large. (CVE-2021-27922)

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for a     BLP container, and thus an attempted memory allocation     can be very large. (CVE-2021-27921)

  - In Pillow before 8.1.0, SGIRleDecode has a 4-byte     buffer over-read when decoding crafted SGI RLE image     files because offsets and length tables are     mishandled.(CVE-2020-35655)

  - An issue was discovered in Pillow before 8.2.0. For EPS     data, the readline implementation used in EPSImageFile     has to deal with any combination of \r and \n as line     endings. It used an accidentally quadratic method of     accumulating lines while looking for a line ending. A     malicious EPS file could use this to perform a DoS of     Pillow in the open phase, before an image was accepted     for opening.(CVE-2021-28677)

  - An issue was discovered in Pillow before 8.2.0. For FLI     data, FliDecode did not properly check that the block     advance was non-zero, potentially leading to an     infinite loop on load.(CVE-2021-28676)

  - An issue was discovered in Pillow before 8.2.0. There     is an out-of-bounds read in J2kDecode, in     j2ku_graya_la.(CVE-2021-25287)

  - An issue was discovered in Pillow before 8.2.0. For BLP     data, BlpImagePlugin did not properly check that reads     (after jumping to file offsets) returned data. This     could lead to a DoS where the decoder could be run a     large number of times on empty data.(CVE-2021-28678)

  - An issue was discovered in Pillow before 8.2.0. There     is an out-of-bounds read in J2kDecode, in     j2ku_gray_i.(CVE-2021-25288)

  - An issue was discovered in Pillow before 8.2.0.
    PSDImagePlugin.PsdImageFile lacked a sanity check on     the number of input layers relative to the size of the     data block. This could lead to a DoS on Image.open     prior to Image.load.(CVE-2021-28675)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-880aa7bd27 advisory.

  - In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the     user-supplied stride value is trusted for buffer calculations. (CVE-2020-35653)

  - In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files     because of certain interpretation conflicts with LibTIFF in RGBA mode. (CVE-2020-35654)

  - In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image     files because offsets and length tables are mishandled. (CVE-2020-35655)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 33 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2021-a8ddc1ce70 advisory.

  - In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the     user-supplied stride value is trusted for buffer calculations. (CVE-2020-35653)

  - In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files     because of certain interpretation conflicts with LibTIFF in RGBA mode. (CVE-2020-35654)

  - In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image     files because offsets and length tables are mishandled. (CVE-2020-35655)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4697-1 advisory.

  - In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the     user-supplied stride value is trusted for buffer calculations. (CVE-2020-35653)

  - In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files     because of certain interpretation conflicts with LibTIFF in RGBA mode. (CVE-2020-35654)

  - In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image     files because offsets and length tables are mishandled. (CVE-2020-35655)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202101-08 (Pillow: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Pillow. Please review       the CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
155178	RHEL 8 : python-pillow (RHSA-2021:4149)	Nessus	Red Hat Local Security Checks	critical
155033	CentOS 8 : python-pillow (CESA-2021:4149)	Nessus	CentOS Local Security Checks	critical
153604	EulerOS 2.0 SP8 : python-pillow (EulerOS-SA-2021-2481)	Nessus	Huawei Local Security Checks	critical
152473	openSUSE 15 Security Update : python-CairoSVG, python-Pillow (openSUSE-SU-2021:1134-1)	Nessus	SuSE Local Security Checks	critical
152314	EulerOS 2.0 SP9 : python-pillow (EulerOS-SA-2021-2253)	Nessus	Huawei Local Security Checks	critical
152285	EulerOS 2.0 SP9 : python-pillow (EulerOS-SA-2021-2279)	Nessus	Huawei Local Security Checks	critical
151567	EulerOS Virtualization 2.9.0 : python-pillow (EulerOS-SA-2021-2209)	Nessus	Huawei Local Security Checks	critical
151547	EulerOS Virtualization 2.9.1 : python-pillow (EulerOS-SA-2021-2187)	Nessus	Huawei Local Security Checks	critical
145337	Fedora 32 : python-pillow (2021-880aa7bd27)	Nessus	Fedora Local Security Checks	high
145235	Fedora 33 : mingw-python-pillow / python-pillow (2021-a8ddc1ce70)	Nessus	Fedora Local Security Checks	high
145048	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : Pillow vulnerabilities (USN-4697-1)	Nessus	Ubuntu Local Security Checks	high
144867	GLSA-202101-08 : Pillow: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high

CVE-2020-35655

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

high

high

high

high