Arch Linux Security Advisory ASA-202107-26 ========================================== Severity: Medium Date : 2021-07-14 CVE-ID : CVE-2021-34552 Package : python-pillow Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-2150 Summary ======= The package python-pillow before version 8.3.0-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 8.3.0-1. # pacman -Syu "python-pillow>=8.3.0-1" The problem has been fixed upstream in version 8.3.0. Workaround ========== None. Description =========== Pillow through 8.2.0 allows an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c. Impact ====== Converting a crafted image file could lead to arbitrary code execution. References ========== https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://github.com/python-pillow/Pillow/pull/5567 https://github.com/python-pillow/Pillow/commit/518ee3722a99d7f7d890db82a20bd81c1c0327fb https://security.archlinux.org/CVE-2021-34552