Insecure temporary files (CVE-2014-1932, CVE-2014-1933)
Shell code injection (CVE-2014-3007)
Denial of service in handling PNG images (CVE-2014-9601)
All of the issues above have been classified as "Minor issue" in Debian.
The issues are classified as minor issues. Removing target milestone.
A new issue:
* Execution of arbitrary code due to buffer overflow in FliDecode.c (CVE-2016-0775)
Upstream Debian package version 1.1.7-4+deb7u2 fixes these issues:
* Execution of arbitrary code due to buffer overflow in FliDecode.c (CVE-2016-0775)
* Remote denial of service (crash) via a crafted PhotoCD file due to buffer overflow in the ImagingPcdDecode function in PcdDecode.c (CVE-2016-2533)
Upstream Debian package version 1.1.7-4+deb7u3 fixes:
* Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component. (CVE-2016-9189)
* Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component. (CVE-2016-9190)
Advisory: python-imaging.yaml
OK: *** 1.1.7-4.15.201611102035 0 500 http://omar.knut.univention.de/build2/ ucs_4.1-0-errata4.1-4/amd64/ Packages
OK: YAML
OK: zgrep -C1 -e CVE-2016-0775 -e CVE-2016-2533 -e CVE-2016-9189 -e CVE-2016-9190 /usr/share/doc/python-imaging/changelog.Debian.gz
OK: build
dpkg-source: Information: python-imaging_1.1.7-4+deb7u3.diff.gz wird angewandt
OK: functionality
>>> from PIL import Image
>>> Image.open(open('/usr/share/univention-management-console-frontend/js/dijit/themes/umc/images/background-tile.png'))
<PIL.PngImagePlugin.PngImageFile image mode=RGBA size=100x100 at 0x7F7C00BE1998>
<http://errata.software-univention.de/ucs/4.1/337.html>