Amazon Linux 2023 Security Advisory: ALAS2023-2024-582
Advisory Released Date: 2024-04-02
Advisory Updated Date: 2024-04-02
Severity:
Medium
References:
FAQs regarding Amazon Linux ALAS/CVE Severity
FAQs regarding Amazon Linux ALAS/CVE Severity
Issue Overview:
Affected versions of this package are vulnerable to Denial of Service (DoS) when using arbitrary strings as text input and the number of characters passed into PIL.ImageFont.ImageFont.getmask() is over a certain limit. This can lead to a system crash.
Affected versions of this package are vulnerable to Denial of Service (DoS) if the size of individual glyphs extends beyond the bitmap image, when using PIL.ImageFont.ImageFont function. Exploiting this vulnerability could lead to a system crash.
Affected Packages:
python-pillow
Issue Correction:
Run dnf update python-pillow --releasever 2023.4.20240401 or dnf update --advisory ALAS2023-2024-582 --releasever 2023.4.20240401 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
New Packages:
aarch64:
python-pillow-debuginfo-9.4.0-2.amzn2023.0.5.aarch64
python3-pillow-tk-debuginfo-9.4.0-2.amzn2023.0.5.aarch64
python3-pillow-tk-9.4.0-2.amzn2023.0.5.aarch64
python3-pillow-devel-9.4.0-2.amzn2023.0.5.aarch64
python-pillow-debugsource-9.4.0-2.amzn2023.0.5.aarch64
python3-pillow-debuginfo-9.4.0-2.amzn2023.0.5.aarch64
python3-pillow-9.4.0-2.amzn2023.0.5.aarch64
src:
python-pillow-9.4.0-2.amzn2023.0.5.src
x86_64:
python-pillow-debuginfo-9.4.0-2.amzn2023.0.5.x86_64
python3-pillow-devel-9.4.0-2.amzn2023.0.5.x86_64
python3-pillow-tk-9.4.0-2.amzn2023.0.5.x86_64
python3-pillow-tk-debuginfo-9.4.0-2.amzn2023.0.5.x86_64
python3-pillow-debuginfo-9.4.0-2.amzn2023.0.5.x86_64
python-pillow-debugsource-9.4.0-2.amzn2023.0.5.x86_64
python3-pillow-9.4.0-2.amzn2023.0.5.x86_64