| Package | pillow |
|---|---|
| Version | 5.4.1-2+deb10u7 (buster) |
| Related CVEs | CVE-2021-25293 CVE-2021-28675 CVE-2021-28676 CVE-2022-24303 |
Multiple vulnerabilities have been found in pillow, an image processing library for Python. Crafted image files can trigger a denial of service (an out-of-bounds read, resource exhaustion or an infinite loop while decoding), and mishandling of a temporary pathname can lead to deletion of files.
CVE-2021-25293
There is an out-of-bounds read in SGIRleDecode.c, the decoder for RLE-compressed SGI images, which a crafted SGI file can trigger.
CVE-2021-28675
PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block, so a crafted PSD file could cause a DoS already on Image.open, before Image.load is called (that is, even in code that only inspects image metadata).
CVE-2021-28676
For FLI data, FliDecode did not properly check that the block advance was non-zero; a chunk that advances by zero bytes makes the decoder loop forever on load.
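The infinite-loop class behind CVE-2021-28676 and the resource exhaustion behind CVE-2021-28675, as an added example that is not part of this advisory or of Pillow's code: a toy chunk walker over a constructed, FLI-like chunk format (the HEADER layout, build_chunk, walk_chunks, allocate_2gib and the sample bytes are all assumptions made here) with and without the non-zero-advance check, plus a decode_with_limits harness that runs any decoder in a child process under a wall-clock timeout and an RLIMIT_AS cap. The harness is the generic containment a service that decodes untrusted images should apply whichever decoder bug it faces.

```python
"""Toy chunk walker and a limited-resource decoding harness (added example,
not code from the advisory or from Pillow)."""
import multiprocessing
import struct

try:
    import resource  # Unix only; the memory cap is skipped where it is missing
except ImportError:  # pragma: no cover
    resource = None

# Constructed chunk format, a simplified stand-in for FLI chunk headers (not
# Pillow's FliDecode.c): 4-byte little-endian size that counts the 6-byte
# header itself, then a 2-byte chunk type, then the payload.
HEADER = struct.Struct("<IH")


def build_chunk(ctype, payload, size=None):
    """Encode one chunk; pass size= to forge a malformed header."""
    if size is None:
        size = HEADER.size + len(payload)
    return HEADER.pack(size, ctype) + payload


def walk_chunks(data, check_advance):
    """Return (type, payload) for each chunk in data.

    With check_advance=False a header whose size field is 0 never moves
    offset, so the loop spins forever: the CVE-2021-28676 bug class."""
    chunks = []
    offset = 0
    while offset + HEADER.size <= len(data):
        size, ctype = HEADER.unpack_from(data, offset)
        if check_advance:
            if size < HEADER.size:
                raise ValueError("chunk at %d advances by %d bytes" % (offset, size))
            if offset + size > len(data):
                raise ValueError("chunk at %d overruns the data" % offset)
        chunks.append((ctype, data[offset + HEADER.size:offset + size]))
        offset += size
    return chunks


def walk_chunks_checked(data):
    return walk_chunks(data, check_advance=True)


def walk_chunks_unchecked(data):
    return walk_chunks(data, check_advance=False)


def allocate_2gib(data):
    """Stand-in for a decoder that trusts a huge size field (resource exhaustion)."""
    return len(bytearray(2 ** 31))


# Constructed samples: two well-formed chunks, and one whose size field is 0.
GOOD_SAMPLE = build_chunk(0x0F, b"\x01\x02") + build_chunk(0x10, b"")
ZERO_ADVANCE_SAMPLE = build_chunk(0x0F, b"", size=0)


def _child(conn, decoder, data, mem_bytes):
    """Runs in the child: cap address space, decode, report back over the pipe."""
    if mem_bytes and resource is not None:
        try:
            resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        except (ValueError, OSError):
            pass  # could not lower the limit; the timeout still applies
    try:
        conn.send(("ok", decoder(data)))
    except BaseException as exc:  # MemoryError, ValueError, ...
        conn.send(("error", "%s: %s" % (type(exc).__name__, exc)))
    finally:
        conn.close()


def decode_with_limits(decoder, data, timeout_s=5.0, mem_bytes=1024 * 2 ** 20):
    """Run decoder(data) in a forked child under an RLIMIT_AS cap and a
    wall-clock timeout. Returns ("ok", result), ("error", message) or
    ("timeout", None); a spinning or bloated decoder is killed, not waited for."""
    try:
        ctx = multiprocessing.get_context("fork")
    except ValueError:  # platform without fork: fall back to the default
        ctx = multiprocessing.get_context()
    parent_end, child_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_child, args=(child_end, decoder, data, mem_bytes))
    proc.start()
    child_end.close()  # keep only the child's copy, so EOF means the child died
    try:
        if not parent_end.poll(timeout_s):
            return ("timeout", None)
        try:
            return parent_end.recv()
        except EOFError:
            return ("error", "decoder process died without reporting")
    finally:
        if proc.is_alive():
            proc.kill()
        proc.join()
        parent_end.close()


if __name__ == "__main__":
    print(decode_with_limits(walk_chunks_checked, GOOD_SAMPLE))
    print(decode_with_limits(walk_chunks_checked, ZERO_ADVANCE_SAMPLE))
    print(decode_with_limits(walk_chunks_unchecked, ZERO_ADVANCE_SAMPLE, timeout_s=1.0))
    print(decode_with_limits(allocate_2gib, b""))
```

Called directly, walk_chunks_unchecked(ZERO_ADVANCE_SAMPLE) never returns; run through decode_with_limits it is killed and reported as a timeout, while the checked walker rejects the same bytes with a ValueError and the 2 GiB allocation fails with a MemoryError under the cap. The harness only bounds address space and wall-clock time, it does not make a vulnerable decoder correct, so it complements the upgrade rather than replacing it.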
CVE-2022-24303
Spaces in temporary pathnames are mishandled when the temporary file written by Image.show() is removed afterwards through a shell command, which allows attackers to delete files other than the intended one.
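The file-deletion class behind CVE-2022-24303 as an added example that is not Pillow's code: a temporary path containing a space spliced unquoted into a shell rm command, beside the os.remove() call that avoids the shell entirely. The file names, the demo() helper and the temporary directory are constructed here, and the demo assumes the temporary directory path itself contains no space.

```python
"""Unquoted temporary path in a shell command versus os.remove() (added
example, not Pillow's code)."""
import os
import subprocess
import tempfile


def remove_via_shell(path):
    """Vulnerable pattern: the path is spliced into a command string, so the
    shell splits it on whitespace and rm receives several arguments. cwd is
    pinned to the file's directory so the stray tokens cannot resolve
    against the caller's working directory in this demo."""
    subprocess.run("rm " + path, shell=True, check=False,
                   stderr=subprocess.DEVNULL, cwd=os.path.dirname(path))


def remove_via_os(path):
    """Fixed pattern: no shell; the name reaches the kernel as one string."""
    os.remove(path)


def demo(remover):
    """Create 'tmp preview.png' (the file meant to go away) next to a
    bystander file 'tmp' (both constructed), call remover on the first and
    report which of the two is gone afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "tmp preview.png")
        bystander = os.path.join(tmp, "tmp")
        for path in (target, bystander):
            with open(path, "wb") as fh:
                fh.write(b"x")
        remover(target)
        return {
            "target_removed": not os.path.exists(target),
            "bystander_removed": not os.path.exists(bystander),
        }


if __name__ == "__main__":
    print("shell:", demo(remove_via_shell))
    print("os.remove:", demo(remove_via_os))
```

With the shell pattern, "rm /.../tmp preview.png" deletes the unrelated file /.../tmp and leaves "tmp preview.png" in place; with os.remove() exactly the intended file disappears. The same splitting happens whenever any part of the temporary directory path contains whitespace, which is the condition the CVE describes.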
For Debian 10 buster, these problems have been fixed in version 5.4.1-2+deb10u7.
We recommend that you upgrade your pillow packages (the python3-pil and python-pil binary packages built from this source package).
Further information about Extended LTS security advisories can be found in the dedicated section of our website.