Pillow: Multiple vulnerabilities — GLSA 201612-52

Multiple vulnerabilities have been found in Pillow, the worst of which may allow execution of arbitrary code.

Affected packages

dev-python/pillow on all architectures
Affected versions < 3.4.2
Unaffected versions >= 3.4.2

Background

The friendly PIL fork.

Description

Multiple vulnerabilities have been discovered in Pillow. Please review the CVE identifiers referenced below for details.

Impact

A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application, or obtain sensitive information.

A remote attackers could execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All Pillow users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-python/pillow-3.4.2"
 

References

Release date
December 31, 2016

Latest revision
December 31, 2016: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries