{"id":"MGASA-2020-0434","summary":"Updated python-pillow packages fix security vulnerabilities","details":"Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in\nlibImaging/FliDecode.c (CVE-2020-10177).\n\nIn libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an\nout-of-bounds read can occur when reading PCX files where state-\u003eshuffle is\ninstructed to read beyond state-\u003ebuffer (CVE-2020-10378).\n\nAn out-of-bounds read flaw was found in python-pillow in the way JP2 images are\nparsed. An application that uses python-pillow to decode untrusted images may\nbe vulnerable to this issue. This flaw allows an attacker to read data. The\nhighest threat from this vulnerability is to confidentiality (CVE-2020-10994).\n\nAn out-of-bounds read/write flaw was found in python-pillow, in the way SGI RLE\nimages are decoded. An application that uses python-pillow to decode untrusted\nimages may be vulnerable. This flaw allows an attacker to crash the application\nor potentially execute code on the system. The highest threat from this\nvulnerability is to data confidentiality and integrity as well as system\navailability (CVE-2020-11538).\n\nAlso, python-pillow is now built with OpenJPEG2000 image support.\n","modified":"2026-01-31T13:07:59.113757Z","published":"2020-11-23T19:51:37Z","related":["CVE-2020-10177","CVE-2020-10378","CVE-2020-10994","CVE-2020-11538"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0434.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26919"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HOKHNWV2VS5GESY7IBD237E7C6T3I427/"}],"affected":[{"package":{"name":"python-pillow","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/python-pillow?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.1-1.3.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0434.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}