ASA-202101-11 log generated external raw

[ASA-202101-11] python-pillow: multiple issues
Arch Linux Security Advisory ASA-202101-11 ========================================== Severity: Medium Date : 2021-01-12 CVE-ID : CVE-2020-35653 CVE-2020-35654 CVE-2020-35655 Package : python-pillow Type : multiple issues Remote : No Link : Summary ======= The package python-pillow before version 8.1.0-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and denial of service. Resolution ========== Upgrade to 8.1.0-1. # pacman -Syu "python-pillow>=8.1.0-1" The problems have been fixed upstream in version 8.1.0. Workaround ========== None. Description =========== - CVE-2020-35653 (information disclosure) In python-pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. - CVE-2020-35654 (arbitrary code execution) In python-pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. - CVE-2020-35655 (denial of service) In python-pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over- read when decoding crafted SGI RLE image files because offsets and length tables are mishandled. Impact ====== A local malicious user might craft a malformed file to execute arbitrary code, read from memory or crash the application. References ==========