{"affected":[{"ecosystem_specific":{"binaries":[{"python-Pillow":"5.2.0-3.8.1"}]},"package":{"ecosystem":"SUSE:OpenStack Cloud 9","name":"python-Pillow","purl":"pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%209"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"5.2.0-3.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"python-Pillow":"5.2.0-3.8.1"}]},"package":{"ecosystem":"SUSE:OpenStack Cloud Crowbar 9","name":"python-Pillow","purl":"pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"5.2.0-3.8.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for python-Pillow fixes the following issues:\n\n- CVE-2020-35655: Fixed a buffer over-read when decoding crafted SGI RLE image files (bsc#1180832).\n- CVE-2021-25293: Fixed an out-of-bounds read in SGIRleDecode.c (bsc#1183102).\n- CVE-2021-25290: Fixed a negative-offset memcpy with an invalid size in TiffDecode.c (bsc#1183105).\n- CVE-2021-25292: Fixed a backtracking regex in the PDF parser that could be used for a DoS attack (bsc#1183101).\n- CVE-2021-27921,CVE-2021-27922,CVE-2021-27923: Fixed improperly reported size of a contained image (bsc#1183110,bsc#1183108,bsc#1183107).\n- CVE-2020-35653: Fixed buffer over-read in PcxDecode when decoding a crafted PCX file (bsc#1180834).\n- CVE-2021-25287: Fixed out-of-bounds read in J2kDecode in j2ku_graya_la (bsc#1185805).\n- CVE-2021-25288: Fixed out-of-bounds read in J2kDecode in j2ku_gray_i (bsc#1185803).\n- CVE-2021-28675: Fixed DoS in PsdImagePlugin (bsc#1185804).\n- CVE-2021-28678: Fixed improper check in BlpImagePlugin (bsc#1185784).\n- CVE-2021-28677: Fixed DoS in the open phase via a malicious EPS file (bsc#1185785).\n- CVE-2021-28676: Fixed infinite loop in FliDecode.c 
(bsc#1185786).\n","id":"SUSE-SU-2021:1938-1","modified":"2021-06-10T08:49:07Z","published":"2021-06-10T08:49:07Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2021/suse-su-20211938-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1180832"},{"type":"REPORT","url":"https://bugzilla.suse.com/1180834"},{"type":"REPORT","url":"https://bugzilla.suse.com/1183101"},{"type":"REPORT","url":"https://bugzilla.suse.com/1183102"},{"type":"REPORT","url":"https://bugzilla.suse.com/1183105"},{"type":"REPORT","url":"https://bugzilla.suse.com/1183107"},{"type":"REPORT","url":"https://bugzilla.suse.com/1183108"},{"type":"REPORT","url":"https://bugzilla.suse.com/1183110"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185784"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185785"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185786"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185803"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185804"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185805"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-35653"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-35655"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-25287"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-25288"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-25290"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-25292"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-25293"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-27921"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-27922"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-27923"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-28675"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-28676"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-28
677"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-28678"}],"related":["CVE-2020-35653","CVE-2020-35655","CVE-2021-25287","CVE-2021-25288","CVE-2021-25290","CVE-2021-25292","CVE-2021-25293","CVE-2021-27921","CVE-2021-27922","CVE-2021-27923","CVE-2021-28675","CVE-2021-28676","CVE-2021-28677","CVE-2021-28678"],"summary":"Security update for python-Pillow","upstream":["CVE-2020-35653","CVE-2020-35655","CVE-2021-25287","CVE-2021-25288","CVE-2021-25290","CVE-2021-25292","CVE-2021-25293","CVE-2021-27921","CVE-2021-27922","CVE-2021-27923","CVE-2021-28675","CVE-2021-28676","CVE-2021-28677","CVE-2021-28678"]}