CVE-2016-9190 Remote code execution through crafted file in pillow < 3.3.2
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pillow (Ubuntu) | New | Undecided | Unassigned |
Bug Description
See https:/
I could not find signs of any backport of a fix in the changelog, currently at 3.1.2-0ubuntu1:
https:/
This particular vuln is fixed in pillow 3.3.2; however, there are a bunch of other CVEs filed against pillow < 3.4.x, see the bottom of this report.
IIUC there are two strategies available for creating an update through the security releases channel: 1) backporting the specific fixes, or 2) simply bumping the package to a version in which these vulnerabilities are fixed.
For strategy 2 (probably the cheapest one in terms of effort), I had a look at the Pillow changelog to see whether there are any backwards incompatible API changes which would prevent a simple bump. It appears there are:
Backwards incompatible API changes:
https:/
https:/
The latter might not be much of an issue, but the first one may break software that's counting on the pre-3.3.0 behaviour. Hope this helps!
CVE list (per the Gentoo Linux security advisory): https:/