CVE-2020-35654 log

Source
Severity Medium
Remote No
Type Arbitrary code execution
Description
In python-pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.
Group Package Affected Fixed Severity Status Ticket
AVG-1439 python2-pillow 6.2.1-3 Medium Vulnerable
AVG-1438 python-pillow 8.0.1-3 8.1.0-1 Medium Fixed
Date Advisory Group Package Severity Description
12 Jan 2021 ASA-202101-11 AVG-1438 python-pillow Medium multiple issues
References
https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security
https://github.com/python-pillow/Pillow/pull/5175
https://github.com/python-pillow/Pillow/commit/eb8c1206d6b170d4e798a00db7432e023853da5c
https://github.com/python-pillow/Pillow/commit/45a62e91b1f72e79989a7919af97b062dc8dfaf4