Bugs - Vulnerabilities in Pillow 6.2.2 #1413

Open
alfellati opened this issue Mar 24, 2024 · 0 comments
alfellati commented Mar 24, 2024

  • Arbitrary Code Execution: 9.8 Rated Critical Vulnerability Threat with EPS of 0.28% (68th percentile).
  • Out-of-bounds Read: 7.5 Rated High Vulnerability Threat with EPS of 0.35% (72nd percentile) and a low attack complexity.
  • Regular Expression Denial of Service (ReDoS): 7.5 Rated High Vulnerability Threat with EPS of 0.46% (75th percentile).

General Fix: Upgrade Pillow to version 9.0.0 or higher.

Pillow is a PIL (Python Imaging Library) fork.

1. Arbitrary Code Execution:

Affected versions of this package are vulnerable to Arbitrary Code Execution via PIL.ImageMath.eval which allows evaluation of arbitrary expressions, such as ones that use the Python exec method.

How to fix?
Upgrade Pillow to version 9.0.0 or higher.

2. Out-of-bounds Read:

Affected versions of this package are vulnerable to Out-of-bounds Read. An out-of-bounds read exists in J2kDecode in j2ku_gray_i.

How to fix?
Upgrade Pillow to version 8.2.0 or higher.

3. Regular Expression Denial of Service (ReDoS):

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

How to fix?
Upgrade Pillow to version 8.3.2 or higher.
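As an added, defender-side example that is not part of this issue or of the Pillow project: a small standard-library script that checks exact Pillow pins in requirements-style lines against the three minimum fixed versions the issue lists (9.0.0, 8.2.0, 8.3.2), and reports which of the three advisories still apply to each pin. The advisory labels, the regex for pinned requirements and the sample requirement lines are constructed for illustration.

```python
# Added example (not from the issue or from Pillow): check pinned Pillow versions
# against the minimum fixed versions the issue lists, standard library only.
import re
from typing import Dict, Iterable, List, Tuple

# Minimum fixed version per advisory, as stated in the issue text.
# The labels are constructed for this example.
FIXED_VERSIONS: Dict[str, str] = {
    "Arbitrary Code Execution (PIL.ImageMath.eval)": "9.0.0",
    "Out-of-bounds Read (J2kDecode / j2ku_gray_i)": "8.2.0",
    "ReDoS (getrgb)": "8.3.2",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.3.2' into (8, 3, 2); a non-numeric suffix such as 'rc1' is ignored."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    # Pad to three components so '9.1' compares as (9, 1, 0).
    return tuple(parts + [0] * (3 - len(parts)))


def outstanding_advisories(installed: str) -> List[str]:
    """Return the advisories from the issue that still apply to `installed`."""
    have = parse_version(installed)
    return [name for name, fixed in FIXED_VERSIONS.items()
            if have < parse_version(fixed)]


# Matches exact pins only ("Pillow==6.2.2"); ranges and comments are skipped.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;#]*)")


def scan_requirements(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each exact Pillow pin found in requirements-style lines to its open advisories."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        m = PIN_RE.match(line)
        if not m:
            continue  # comment, blank line, or a non-exact specifier
        name, version = m.group(1), m.group(2)
        if name.lower() != "pillow":
            continue  # only Pillow is covered by this issue
        findings[f"{name}=={version}"] = outstanding_advisories(version)
    return findings


# Constructed sample requirements lines for demonstration.
SAMPLE_REQUIREMENTS = [
    "# constructed sample, not a real project file",
    "requests==2.31.0",
    "Pillow==6.2.2",
    "pillow==8.3.2  # pinned after the ReDoS fix, still below 9.0.0",
]

if __name__ == "__main__":
    for pin, open_items in scan_requirements(SAMPLE_REQUIREMENTS).items():
        status = ", ".join(open_items) if open_items else "no advisories from this issue remain"
        print(f"{pin}: {status}")
```

The comparison is a plain numeric tuple compare, which is enough for the release-style versions quoted in the issue; a real pipeline would use the `packaging` library's `Version` for full PEP 440 handling and would also catch unpinned or range specifiers, which this script deliberately ignores.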
