Test Kennung:	1.3.6.1.4.1.25623.1.1.2.2020.1473
Kategorie:	Huawei EulerOS Local Security Checks
Titel:	Huawei EulerOS: Security Advisory for python-pillow (EulerOS-SA-2020-1473)
Zusammenfassung:	The remote host is missing an update for the Huawei EulerOS 'python-pillow' package(s) announced via the EulerOS-SA-2020-1473 advisory.
Beschreibung:	Summary: The remote host is missing an update for the Huawei EulerOS 'python-pillow' package(s) announced via the EulerOS-SA-2020-1473 advisory. Vulnerability Insight: Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the 'crafted image file' approach, related to an 'Integer Overflow' issue affecting the Image.core.map_buffer in map.c component.(CVE-2016-9189) Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.(CVE-2016-2533) Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.(CVE-2016-0775) Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.(CVE-2016-0740) Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow.(CVE-2016-4009) PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.(CVE-2014-3589) Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.(CVE-2014-3007) The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.(CVE-2014-1933) The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.(CVE-2014-1932) An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.(CVE-2019-16865) libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.(CVE-2020-5313) Affected Software/OS: 'python-pillow' package(s) on Huawei EulerOS Virtualization 3.0.2.2. Solution: Please install the updated package(s). CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2014-1932 BugTraq ID: 65511 http://www.securityfocus.com/bid/65511 https://security.gentoo.org/glsa/201612-52 http://www.openwall.com/lists/oss-security/2014/02/11/1 SuSE Security Announcement: openSUSE-SU-2014:0591 (Google Search) http://lists.opensuse.org/opensuse-updates/2014-05/msg00002.html http://www.ubuntu.com/usn/USN-2168-1 Common Vulnerability Exposure (CVE) ID: CVE-2014-1933 BugTraq ID: 65513 http://www.securityfocus.com/bid/65513 http://www.openwall.com/lists/oss-security/2014/02/10/15 Common Vulnerability Exposure (CVE) ID: CVE-2014-3007 http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1932.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059 Common Vulnerability Exposure (CVE) ID: CVE-2014-3589 Debian Security Information: DSA-3009 (Google Search) http://www.debian.org/security/2014/dsa-3009 http://secunia.com/advisories/59825 SuSE Security Announcement: openSUSE-SU-2015:0798 (Google Search) http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html Common Vulnerability Exposure (CVE) ID: CVE-2016-0740 Debian Security Information: DSA-3499 (Google Search) http://www.debian.org/security/2016/dsa-3499 Common Vulnerability Exposure (CVE) ID: CVE-2016-0775 Common Vulnerability Exposure (CVE) ID: CVE-2016-2533 http://www.openwall.com/lists/oss-security/2016/02/02/5 http://www.openwall.com/lists/oss-security/2016/02/22/2 Common Vulnerability Exposure (CVE) ID: CVE-2016-4009 BugTraq ID: 86064 http://www.securityfocus.com/bid/86064 Common Vulnerability Exposure (CVE) ID: CVE-2016-9189 BugTraq ID: 94234 http://www.securityfocus.com/bid/94234 Debian Security Information: DSA-3710 (Google Search) http://www.debian.org/security/2016/dsa-3710 Common Vulnerability Exposure (CVE) ID: CVE-2020-5313 Debian Security Information: DSA-4631 (Google Search) https://www.debian.org/security/2020/dsa-4631 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A/ https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html https://usn.ubuntu.com/4272-1/
Copyright	Copyright (C) 2020 Greenbone Networks GmbH

Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus. Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.