Bugzilla – Bug 1180833
VUL-0: CVE-2020-35654: python-Pillow: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files
Last modified: 2024-06-13 12:36:33 UTC
CVE-2020-35654 In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35654
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35654
https://pillow.readthedocs.io/en/stable/releasenotes/index.html
This is an autogenerated message for OBS integration: This bug (1180833) was mentioned in https://build.opensuse.org/request/show/866355 Factory / python-Pillow
This does not affect any SOC version as we have Pillow <= 5.2.0 and the problem only exists since 6.0.0. See https://github.com/python-pillow/Pillow/pull/5175
Factory is fixed; no other codestreams are affected, as per comment 2.
This is an autogenerated message for OBS integration: This bug (1180833) was mentioned in https://build.opensuse.org/request/show/907748 15.2 / python-CairoSVG+python-Pillow
openSUSE-SU-2021:1134-1: An update that fixes 13 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1180832, 1180833, 1180834, 1181281
CVE References: CVE-2020-15999, CVE-2020-35653, CVE-2020-35654, CVE-2020-35655, CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293, CVE-2021-27921, CVE-2021-27922, CVE-2021-27923, CVE-2021-34552
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): python-CairoSVG-2.5.1-lp152.2.3.1, python-Pillow-8.3.1-lp152.5.3.1
This is an autogenerated message for OBS integration: This bug (1180833) was mentioned in https://build.opensuse.org/request/show/953150 Backports:SLE-15-SP3 / python-Pillow
SUSE-SU-2024:1673-1: An update that solves 12 vulnerabilities can now be installed.
Category: security (critical)
Bug References: 1180833, 1183101, 1183102, 1183103, 1183105, 1183107, 1183108, 1183110, 1188574, 1190229, 1194551, 1194552
CVE References: CVE-2020-35654, CVE-2021-23437, CVE-2021-25289, CVE-2021-25290, CVE-2021-25292, CVE-2021-25293, CVE-2021-27921, CVE-2021-27922, CVE-2021-27923, CVE-2021-34552, CVE-2022-22815, CVE-2022-22816
Maintenance Incident: SUSE:Maintenance:33871 (https://smelt.suse.de/incident/33871/)
Sources used:
openSUSE Leap 15.3 (src): python-Pillow-7.2.0-150300.3.15.1
openSUSE Leap 15.5 (src): python-Pillow-7.2.0-150300.3.15.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.
SUSE-SU-2024:1673-2: An update that solves 12 vulnerabilities can now be installed.
Category: security (critical)
Bug References: 1180833, 1183101, 1183102, 1183103, 1183105, 1183107, 1183108, 1183110, 1188574, 1190229, 1194551, 1194552
CVE References: CVE-2020-35654, CVE-2021-23437, CVE-2021-25289, CVE-2021-25290, CVE-2021-25292, CVE-2021-25293, CVE-2021-27921, CVE-2021-27922, CVE-2021-27923, CVE-2021-34552, CVE-2022-22815, CVE-2022-22816
Maintenance Incident: SUSE:Maintenance:33871 (https://smelt.suse.de/incident/33871/)
Sources used:
SUSE Package Hub 15 15-SP6 (src): python-Pillow-7.2.0-150300.3.15.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.