USN-6618-1

See a problem?

Source

https://ubuntu.com/security/notices/USN-6618-1

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6618-1.json

JSON Data

https://api.osv.dev/v1/vulns/USN-6618-1

Related

CVE-2023-44271
CVE-2023-50447
UBUNTU-CVE-2023-44271
UBUNTU-CVE-2023-50447

Published

2024-01-30T15:17:54.445907Z

Modified

2024-01-30T15:17:54.445907Z

Summary

pillow vulnerabilities

Details

It was discovered that Pillow incorrectly handled certain long text arguments. An attacker could possibly use this issue to cause Pillow to consume resources, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2023-44271)

Duarte Santos discovered that Pillow incorrectly handled the environment parameter to PIL.ImageMath.eval. An attacker could possibly use this issue to execute arbitrary code. (CVE-2023-50447)

References

Affected packages

Ubuntu:20.04:LTS / pillow

Package

Name: pillow
Purl: pkg:deb/ubuntu/pillow@7.0.0-4ubuntu0.8?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.0.0-4ubuntu0.8

Affected versions

6.*

6.1.0-1

6.1.0-1build1

6.2.1-2

7.*

7.0.0-4

7.0.0-4build1

7.0.0-4ubuntu0.1

7.0.0-4ubuntu0.2

7.0.0-4ubuntu0.3

7.0.0-4ubuntu0.4

7.0.0-4ubuntu0.5

7.0.0-4ubuntu0.6

7.0.0-4ubuntu0.7

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "python3-pil.imagetk-dbg": "7.0.0-4ubuntu0.8",
            "python3-pil-dbg": "7.0.0-4ubuntu0.8",
            "python-pil-doc": "7.0.0-4ubuntu0.8",
            "python3-pil": "7.0.0-4ubuntu0.8",
            "python3-pil.imagetk": "7.0.0-4ubuntu0.8"
        }
    ]
}

Ubuntu:22.04:LTS / pillow

Package

Name: pillow
Purl: pkg:deb/ubuntu/pillow@9.0.1-1ubuntu0.2?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.1-1ubuntu0.2

Affected versions

8.*

8.1.2+dfsg-0.3

9.*

9.0.0-1

9.0.1-1

9.0.1-1build1

9.0.1-1ubuntu0.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "python3-pil.imagetk-dbgsym": "9.0.1-1ubuntu0.2",
            "python3-pil.imagetk": "9.0.1-1ubuntu0.2",
            "python-pil-doc": "9.0.1-1ubuntu0.2",
            "python3-pil": "9.0.1-1ubuntu0.2",
            "python3-pil-dbgsym": "9.0.1-1ubuntu0.2"
        }
    ]
}

Ubuntu:23.10 / pillow

Package

Name: pillow
Purl: pkg:deb/ubuntu/pillow@10.0.0-1ubuntu0.1?arch=src?distro=mantic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.0.0-1ubuntu0.1

Affected versions

9.*

9.4.0-1.1build1

9.5.0-1

10.*

10.0.0-1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "python3-pil.imagetk-dbgsym": "10.0.0-1ubuntu0.1",
            "python3-pil.imagetk": "10.0.0-1ubuntu0.1",
            "python-pil-doc": "10.0.0-1ubuntu0.1",
            "python3-pil": "10.0.0-1ubuntu0.1",
            "python3-pil-dbgsym": "10.0.0-1ubuntu0.1"
        }
    ]
}