CVE-2022-22816 Path.c has a buffer over-read during initialization of ImagePath.Path.

This issue occurred when calling path_getbbox with a path that was a very long or very wide image. Reported by Andrew Price of Google. Version: Unspecified. OS: Debian Linux. Day of Publication: 21st Feb 2018.

If you have a very long or very wide image and try to import it, Pillow in versions before 9.0.0 will have a buffer over-read. This will cause the program to crash and produce a crash report. It is possible that other applications that import certain very long or very wide images may have a similar issue. You can check whether you are vulnerable to this issue by importing an image with a very long or very wide path.

If you are on a Debian or Ubuntu-based system, you can install the latest stable version of Pillow by running the following command: apt-get install pillow

IMPORTANT: If you are running an older version of Pillow than 9.0.0, upgrading to version 9.0.0 is the only solution.

CVE-2022-22814

This issue occurred when calling path_getbbox with a path that was a very long or very wide image. Reported by Jie Yu of Google. Version: Unspecified. OS: Linux. Day of Publication: 21st Feb 2018.

If you have a very long or very wide image and try to import it, Pillow in versions before 9.0.0 will have a buffer over-read. This will cause the program to crash and produce a crash report. It is possible that other applications that import certain very long or very wide images may have a similar issue. You can check whether you are vulnerable to this issue by importing an image with a very long or very wide path.

If you are on a Debian or Ubuntu-based system, you can install the latest stable version of Pillow by running the following command: apt-get install pillow

IMPORTANT: If you are running an older version of Pillow than 9.0.0, upgrading to version 9.0.0 is the only solution.

Check if you are vulnerable to CVE-2018-2072 -23085

If you are on a Debian or Ubuntu-based system, you can install the latest stable version of Pillow by running the following command: apt-get install pillow

Are you vulnerable to this issue?

If you are on a Debian or Ubuntu-based system and you were using an older version of Pillow than 9.0.0, upgrading to version 9.0.0 is the only solution. If you are not on a Debian or Ubuntu-based system, you should not be vulnerable to this issue.

Path Over-Read Vulnerability - CVE-2022-22815

This issue occurred when calling path_getbbox with a path that was a very long or very wide image. Reported by Andrew Price of Google. Version: Unspecified. OS: Debian Linux. Day of Publication: 21st Feb 2018.

If you have a very long or very wide image and try to import it, Pillow in versions before 9.0.0 will have a buffer over-read. This will cause the program to crash and produce a crash report.

If you received this error, updating to the latest stable version is necessary for your application to continue running without crashing on import operations involving images with very long or very wide paths (CVE-2022-22816).
