—

PYSEC-2016-9

Details

Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / pillow

Introduced in: 0 Fixed in: 3.3.2

Fix pip install --upgrade 'pillow>=3.3.2'

References

http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html [WEB]
https://github.com/python-pillow/Pillow/issues/2105 [REPORT]
https://github.com/python-pillow/Pillow/pull/2146/commits/5d8a0be45aad78c5a22c8d099118ee26ef8144af [WEB]
http://www.securityfocus.com/bid/94234 [WEB]
http://www.debian.org/security/2016/dsa-3710 [ADVISORY]
https://security.gentoo.org/glsa/201612-52 [ADVISORY]
https://github.com/advisories/GHSA-w4vg-rf63-f3j3 [ADVISORY]