<div class="container">
<h1>Security update for python-Pillow</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2024:1673-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>critical</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1180833">bsc#1180833</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183101">bsc#1183101</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183102">bsc#1183102</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183103">bsc#1183103</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183105">bsc#1183105</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183107">bsc#1183107</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183108">bsc#1183108</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183110">bsc#1183110</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1188574">bsc#1188574</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1190229">bsc#1190229</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1194551">bsc#1194551</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1194552">bsc#1194552</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2020-35654.html">CVE-2020-35654</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2021-23437.html">CVE-2021-23437</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2021-25289.html">CVE-2021-25289</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2021-25290.html">CVE-2021-25290</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2021-25292.html">CVE-2021-25292</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2021-25293.html">CVE-2021-25293</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2021-27921.html">CVE-2021-27921</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2021-27922.html">CVE-2021-27922</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2021-27923.html">CVE-2021-27923</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2021-34552.html">CVE-2021-34552</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2022-22815.html">CVE-2022-22815</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2022-22816.html">CVE-2022-22816</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2020-35654</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2020-35654</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-23437</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-23437</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-25289</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">9.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-25289</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-25290</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-25290</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-25292</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-25292</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-25293</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-25293</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-27921</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-27921</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-27922</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-27922</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-27923</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-27923</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-34552</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-34552</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-22815</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">3.3</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-22815</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-22816</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">3.3</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-22816</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">openSUSE Leap 15.3</li>
<li class="list-group-item">openSUSE Leap 15.5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves 12 vulnerabilities can now be installed.</p>
<h2>Description:</h2>
<p>This update for python-Pillow fixes the following issues:</p>
<ul>
<li>Fixed ImagePath.Path array handling (bsc#1194552, CVE-2022-22815, bsc#1194551, CVE-2022-22816)</li>
<li>Use snprintf instead of sprintf (bsc#1188574, CVE-2021-34552)</li>
<li>Fix memory denial of service (DoS) in the Icns, Ico and Blp image plugins (bsc#1183110, CVE-2021-27921, bsc#1183108, CVE-2021-27922, bsc#1183107, CVE-2021-27923)</li>
<li>Fix out-of-bounds (OOB) read in SgiRleDecode.c (bsc#1183102, CVE-2021-25293)</li>
<li>Use more specific regex characters to prevent regular-expression denial of service (ReDoS) (bsc#1183101, CVE-2021-25292)</li>
<li>Fix negative size read in TiffDecode.c (bsc#1183105, CVE-2021-25290)</li>
<li>Raise ValueError if color specifier is too long (bsc#1190229, CVE-2021-23437)</li>
<li>Fix incorrect error code checking in TiffDecode.c (bsc#1183103, CVE-2021-25289)</li>
<li>Fix out-of-bounds (OOB) write in TiffDecode.c (bsc#1180833, CVE-2020-35654)</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use one of the SUSE-recommended
installation methods, such as YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.3
<br/>
<code>zypper in -t patch SUSE-2024-1673=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2024-1673=1</code>
</li>
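</ul>
<p>
Applications that were already running with Pillow loaded continue to use the old library code until they are restarted; <code>zypper ps -s</code> lists processes that still use files replaced by the update.
</p>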
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
<ul>
<li>python-Pillow-debugsource-7.2.0-150300.3.15.1</li>
<li>python3-Pillow-tk-7.2.0-150300.3.15.1</li>
<li>python-Pillow-debuginfo-7.2.0-150300.3.15.1</li>
<li>python3-Pillow-7.2.0-150300.3.15.1</li>
<li>python3-Pillow-debuginfo-7.2.0-150300.3.15.1</li>
<li>python3-Pillow-tk-debuginfo-7.2.0-150300.3.15.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>python-Pillow-debugsource-7.2.0-150300.3.15.1</li>
<li>python3-Pillow-tk-7.2.0-150300.3.15.1</li>
<li>python-Pillow-debuginfo-7.2.0-150300.3.15.1</li>
<li>python3-Pillow-7.2.0-150300.3.15.1</li>
<li>python3-Pillow-debuginfo-7.2.0-150300.3.15.1</li>
<li>python3-Pillow-tk-debuginfo-7.2.0-150300.3.15.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2020-35654.html">https://www.suse.com/security/cve/CVE-2020-35654.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2021-23437.html">https://www.suse.com/security/cve/CVE-2021-23437.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2021-25289.html">https://www.suse.com/security/cve/CVE-2021-25289.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2021-25290.html">https://www.suse.com/security/cve/CVE-2021-25290.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2021-25292.html">https://www.suse.com/security/cve/CVE-2021-25292.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2021-25293.html">https://www.suse.com/security/cve/CVE-2021-25293.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2021-27921.html">https://www.suse.com/security/cve/CVE-2021-27921.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2021-27922.html">https://www.suse.com/security/cve/CVE-2021-27922.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2021-27923.html">https://www.suse.com/security/cve/CVE-2021-27923.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2021-34552.html">https://www.suse.com/security/cve/CVE-2021-34552.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2022-22815.html">https://www.suse.com/security/cve/CVE-2022-22815.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2022-22816.html">https://www.suse.com/security/cve/CVE-2022-22816.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1180833">https://bugzilla.suse.com/show_bug.cgi?id=1180833</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183101">https://bugzilla.suse.com/show_bug.cgi?id=1183101</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183102">https://bugzilla.suse.com/show_bug.cgi?id=1183102</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183103">https://bugzilla.suse.com/show_bug.cgi?id=1183103</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183105">https://bugzilla.suse.com/show_bug.cgi?id=1183105</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183107">https://bugzilla.suse.com/show_bug.cgi?id=1183107</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183108">https://bugzilla.suse.com/show_bug.cgi?id=1183108</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183110">https://bugzilla.suse.com/show_bug.cgi?id=1183110</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1188574">https://bugzilla.suse.com/show_bug.cgi?id=1188574</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1190229">https://bugzilla.suse.com/show_bug.cgi?id=1190229</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1194551">https://bugzilla.suse.com/show_bug.cgi?id=1194551</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1194552">https://bugzilla.suse.com/show_bug.cgi?id=1194552</a>
</li>
</ul>
</div>