Amazon Linux 2 Security Advisory: ALAS-2020-1542
Advisory Release Date: 2020-10-22 18:36 Pacific
Advisory Updated Date: 2020-10-22 22:34 Pacific
Severity:
Medium
Issue Overview:
An out-of-bounds read was discovered in python-pillow in the way it decodes FLI images. An application that uses python-pillow to load untrusted images may be vulnerable to this flaw, which can allow an attacker to read the memory of the application they should be not allowed to read. (CVE-2020-5313)
Affected Packages:
python-pillow
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update python-pillow to update your system.
New Packages:
aarch64:
python-pillow-2.0.0-21.gitd1c6db8.amzn2.0.1.aarch64
python-pillow-devel-2.0.0-21.gitd1c6db8.amzn2.0.1.aarch64
python-pillow-doc-2.0.0-21.gitd1c6db8.amzn2.0.1.aarch64
python-pillow-sane-2.0.0-21.gitd1c6db8.amzn2.0.1.aarch64
python-pillow-tk-2.0.0-21.gitd1c6db8.amzn2.0.1.aarch64
python-pillow-debuginfo-2.0.0-21.gitd1c6db8.amzn2.0.1.aarch64
i686:
python-pillow-2.0.0-21.gitd1c6db8.amzn2.0.1.i686
python-pillow-devel-2.0.0-21.gitd1c6db8.amzn2.0.1.i686
python-pillow-doc-2.0.0-21.gitd1c6db8.amzn2.0.1.i686
python-pillow-sane-2.0.0-21.gitd1c6db8.amzn2.0.1.i686
python-pillow-tk-2.0.0-21.gitd1c6db8.amzn2.0.1.i686
python-pillow-debuginfo-2.0.0-21.gitd1c6db8.amzn2.0.1.i686
src:
python-pillow-2.0.0-21.gitd1c6db8.amzn2.0.1.src
x86_64:
python-pillow-2.0.0-21.gitd1c6db8.amzn2.0.1.x86_64
python-pillow-devel-2.0.0-21.gitd1c6db8.amzn2.0.1.x86_64
python-pillow-doc-2.0.0-21.gitd1c6db8.amzn2.0.1.x86_64
python-pillow-sane-2.0.0-21.gitd1c6db8.amzn2.0.1.x86_64
python-pillow-tk-2.0.0-21.gitd1c6db8.amzn2.0.1.x86_64
python-pillow-debuginfo-2.0.0-21.gitd1c6db8.amzn2.0.1.x86_64