ELA-1059-1 pillow security update

multiple vulnerabilities

Version: 2.6.1-2+deb8u9 (jessie), 4.0.0-4+deb9u5 (stretch)
Related CVEs: CVE-2021-23437, CVE-2022-22817, CVE-2023-44271, CVE-2023-50447

Multiple vulnerabilities were discovered in the Python Imaging Library (PIL), an image processing library for Python.


CVE-2021-23437

It was discovered that the getrgb function (PIL.ImageColor) was vulnerable to a regular expression denial-of-service (ReDoS) attack, in which a crafted colour string makes the parsing regular expression backtrack excessively.

CVE-2022-22817

It was discovered that PIL.ImageMath.eval could permit arbitrary code execution via the expression parameter. A fix for this CVE was announced in advisories DLA-2893-1 and ELA-546-1, but that fix was later found to be incomplete. This update completes the fix.

CVE-2023-44271

It was discovered that an overlong text length argument passed to an ImageDraw instance could cause uncontrolled memory allocation and a denial of service.

CVE-2023-50447

It was discovered that PIL.ImageMath.eval could permit arbitrary code execution via the environment parameter (see also CVE-2022-22817, which concerned the expression parameter).
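The following is an added illustration, not code from Pillow or from this advisory. It models the shape of PIL.ImageMath.eval (an expression compiled and evaluated with builtins stripped and caller-supplied names bound from an environment dict) to show why CVE-2022-22817 and CVE-2023-50447 are two halves of one problem: checking the expression alone is not enough when the environment can still bind arbitrary callables. The `Img` class, `unsafe_eval`, `check_environment` and `safe_eval` names, and the hardening rules in `check_environment` (no dunder names, no names shadowing builtins, only image or numeric values) are this example's own assumptions about the kind of validation a fix needs; they are not a copy of Pillow's patch. It runs without Pillow installed.

```python
"""Model of the ImageMath.eval environment hazard (added example, not Pillow code)."""
import builtins


class Img:
    """Stand-in for a PIL image (assumption for this example): one integer
    pixel supporting the arithmetic an ImageMath expression is meant to use."""

    def __init__(self, value: int) -> None:
        self.value = value

    def _other(self, other):
        return other.value if isinstance(other, Img) else other

    def __add__(self, other):
        return Img(self.value + self._other(other))

    def __mul__(self, other):
        return Img(self.value * self._other(other))

    __radd__ = __add__
    __rmul__ = __mul__


def unsafe_eval(expression: str, environment: dict):
    """Pre-fix shape: builtins are removed from globals, but every entry the
    caller placed in `environment` is bound verbatim as a local name, so a
    callable smuggled in through the environment runs when the expression
    names it."""
    code = compile(expression, "<string>", "eval")
    return eval(code, {"__builtins__": {}}, dict(environment))


def check_environment(environment: dict) -> None:
    """Hardening policy assumed by this example: reject environment entries
    that could carry code into the expression."""
    for name, value in environment.items():
        if "__" in name or hasattr(builtins, name):
            raise ValueError(f"name {name!r} not allowed in environment")
        if not isinstance(value, (Img, int, float)):
            raise ValueError(f"value for {name!r} must be an image or a number")


def safe_eval(expression: str, environment: dict):
    """Validate both halves (expression and environment) before evaluating."""
    if "__" in expression:
        raise ValueError("dunder names not allowed in expression")
    check_environment(environment)
    return unsafe_eval(expression, environment)


def is_rejected(expression: str, environment: dict) -> bool:
    """True when safe_eval refuses the call, for use by callers and tests."""
    try:
        safe_eval(expression, environment)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Legitimate use: image arithmetic only.
    print(safe_eval("a + b * 2", {"a": Img(1), "b": Img(2)}).value)  # 5

    # Smuggled callable (constructed for this example): the expression contains
    # no dunder and no builtin, yet unsafe_eval runs it via the environment.
    calls = []
    env = {"run": lambda: calls.append("ran") or 1}
    unsafe_eval("run()", env)
    print(calls)  # ['ran']
    print(is_rejected("run()", env))  # True
```

The point the example makes about the advisory: a filter applied only to the expression (the CVE-2022-22817 fix) leaves the environment as a second input that deserves the same allowlist treatment, which is what CVE-2023-50447 was about.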

For Debian 8 jessie, these problems have been fixed in version 2.6.1-2+deb8u9.

For Debian 9 stretch, these problems have been fixed in version 4.0.0-4+deb9u5.

We recommend that you upgrade your pillow packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.