In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.
CVE: (none) => CVE-2020-35655
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35655
https://ubuntu.com/security/CVE-2020-35655
https://bugzilla.redhat.com/show_bug.cgi?id=1915432
Whiteboard: (none) => MGA7TOO
Summary: python-pillow security issue CVE-2020-35655 => python-pillow new security issue CVE-2020-35655
Status comment: (none) => Fixed upstream in 8.1.0
Freeze push asked for cauldron
CC: (none) => mageia
Checked not a duplicate. Various maintainers for this SRPM, so assigning it globally.
Assignee: bugsquad => pkg-bugs
python-pillow-8.1.0-1.mga8 uploaded for Cauldron.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Ubuntu has issued an advisory for this on January 18: https://ubuntu.com/security/notices/USN-4697-1
Summary: python-pillow new security issue CVE-2020-35655 => python-pillow new security issue CVE-2020-3565[3-5]
Severity: normal => major
Fedora has issued an advisory for this today (January 21): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4VRCCSORJBMRUY5NGYWMCKVE5VO5JOO5/
CC: (none) => luigiwalser
Depends on: (none) => 29002
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Resolution: (none) => OLD
Status: NEW => RESOLVED