Ubuntu alert USN-8135-1 (pillow)
| From: | noreply+usn-bot@canonical.com | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-8135-1] Pillow vulnerabilities | |
| Date: | Tue, 31 Mar 2026 10:46:11 +0000 | |
| Message-ID: | <E1w7Wbr-0006M7-4n@lists.ubuntu.com> |
========================================================================== Ubuntu Security Notice USN-8135-1 March 31, 2026 pillow vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in Pillow. Software Description: - pillow: Python Imaging Library Details: It was discovered that Pillow did not correctly handle reading J2K files, which could lead to an out-of-bounds read vulnerability. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2021-25287, CVE-2021-25288) It was discovered that Pillow did not correctly handle certain integer arithmetic, which could lead to a buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2021-25290) It was discovered that Pillow did not correctly perform bounds checking for certain operations. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-28675, CVE-2021-28676, CVE-2021-28677) It was discovered that Pillow did not correctly handle certain memory operations. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-44271) It was discovered that Pillow did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2023-50447) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS python-pil 5.1.0-1ubuntu0.8+esm2 Available with Ubuntu Pro python3-pil 5.1.0-1ubuntu0.8+esm2 Available with Ubuntu Pro Ubuntu 16.04 LTS python-pil 3.1.2-0ubuntu1.6+esm3 Available with Ubuntu Pro python3-pil 3.1.2-0ubuntu1.6+esm3 Available with Ubuntu Pro Ubuntu 14.04 LTS python-pil 2.3.0-1ubuntu3.4+esm5 Available with Ubuntu Pro python3-pil 2.3.0-1ubuntu3.4+esm5 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8135-1 CVE-2021-25287, CVE-2021-25288, CVE-2021-25290, CVE-2021-28675, CVE-2021-28676, CVE-2021-28677, CVE-2023-44271, CVE-2023-50447
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmnLoxQACgkQcpJm3tlz hgHMaRAAzW5wGJIXHDKdCFxN6o1AIRpisztvHjxfrr7FV+5CeikdbM8EkalYfpyy +4QrmKApfsXRjCtl5W0Ld8G9pYqVzhc+QR+AOy6ifDSiV/UehyVqoz5eyRCt6fwz ZTfFQdf822LbtPM2+iX4S/4wyUnt2Mj84HN3lz8g4IG6y00sJjiDF/7EPQkP+jn5 ehwIpN3beCppVVzzLdZXw3StDX21ou7N/2bSTGv53Srf1IqH0MBVFn6ll0dXhdg2 n49Yy3cO6dbuQJsPjh4rSnhCmPIb/UdrMbpVbl89OYfWHfN2KZ3taw8SkMn+O31q 4xhpLTe4TZ7oIsa8zEeH1QNF/7IrVdLkRQystCZyTF6Y7hjopqi8QLcO6BRYWHi/ uvLUEC3xaYD/zz/eXOhSz+l7L1cBPGj+InCwVsLbyp11iKPTU699QJKZGPyDHavW URsmOfqvy9zevTTasRxnHVcZ1GDM9K3dKMLh5HHi+YGnylkhT/NHBw2LeeDxNi5G E5Qkz06pzcRH9ZIfNkbW3jgculZjnbCDyJMg7nqIpf5wQAPLvX7OEU9YZo/bdbA5 r6cqkM7Re8s9ZUQX8hgEQpFuK2oDo5tGfQSxASEdQkWOChu1Lx3+u4kWixAadayh /YE36g+G/r3k969p0QGVEUJWxOSF9x0ZMlnwS80G+DpQgWdVBRo= =I5oJ -----END PGP SIGNATURE-----