FreeBSD : Pillow -- Multiple vulnerabilities (0700e76c-3eb0-11ea-8478-3085a9a95629)

critical Nessus Plugin ID 133243

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Pillow developers report:

This release addresses several security problems, as well as addressing CVE-2019-19911.

CVE-2019-19911 is regarding FPX images. If an image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by limiting the number of bands to those usable by Pillow.

Buffer overruns were found when processing an SGI, PCX or FLI image. Checks have been added to prevent this.

Overflow checks have been added when calculating the size of a memory block to be reallocated in the processing of a TIFF image.
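The two mitigations named above (capping the band count and overflow-checking a buffer size before realloc) are illustrated by the following added example; it is not Pillow's code, and the `MAX_BANDS` cap, the header fields and the function names are assumptions for the illustration.

```c
/* Added example, not Pillow's code: size an image buffer from untrusted
 * header values without letting the product wrap around. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed cap on bands a decoder can actually use; the release notes only
 * say the count was limited to what Pillow can handle. */
#define MAX_BANDS 4

/* Multiply two sizes, reporting overflow instead of silently wrapping. */
static int mul_size_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Compute width * bands * bytes_per_sample * height from header fields.
 * Returns 1 and stores the byte count on success; returns 0 if any field
 * is zero, the band count exceeds the cap, or the product would overflow. */
int image_buffer_size(uint32_t width, uint32_t height, uint32_t bands,
                      uint32_t bytes_per_sample, size_t *out) {
    size_t rowbytes, total;
    if (width == 0 || height == 0 || bands == 0 || bytes_per_sample == 0) return 0;
    if (bands > MAX_BANDS) return 0;
    if (!mul_size_checked((size_t)width, (size_t)bands, &rowbytes)) return 0;
    if (!mul_size_checked(rowbytes, (size_t)bytes_per_sample, &rowbytes)) return 0;
    if (!mul_size_checked(rowbytes, (size_t)height, &total)) return 0;
    *out = total;
    return 1;
}

/* Grow a pixel buffer to the size the header implies. Refuses (returns
 * NULL without touching the old block) when the size cannot be computed
 * safely, so a hostile header never yields an undersized allocation. */
void *grow_image_buffer(void *old, uint32_t width, uint32_t height,
                        uint32_t bands, uint32_t bytes_per_sample) {
    size_t needed;
    if (!image_buffer_size(width, height, bands, bytes_per_sample, &needed))
        return NULL;
    return realloc(old, needed);
}
```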

Solution

Update the affected packages.

See Also

https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243336

http://www.nessus.org/u?70144fbb

Plugin Details

Severity: Critical

ID: 133243

File Name: freebsd_pkg_0700e76c3eb011ea84783085a9a95629.nasl

Version: 1.3

Type: local

Published: 1/27/2020

Updated: 7/14/2020

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-5312

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:py27-pillow, p-cpe:/a:freebsd:freebsd:py35-pillow, p-cpe:/a:freebsd:freebsd:py36-pillow, p-cpe:/a:freebsd:freebsd:py37-pillow, p-cpe:/a:freebsd:freebsd:py38-pillow, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 1/24/2020

Vulnerability Publication Date: 12/19/2019

Reference Information

CVE: CVE-2019-19911, CVE-2020-5310, CVE-2020-5311, CVE-2020-5312, CVE-2020-5313