CVE-2016-9190

EUVD-2016-0025
Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
Affected Products (NVD)
VendorProductVersion
pythonpillow
𝑥
≤ 3.3.1
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pillow
bookworm
9.4.0-1.1+deb12u1
fixed
bookworm (security)
9.4.0-1.1+deb12u1
fixed
bullseye
8.1.2+dfsg-0.3+deb11u2
fixed
bullseye (security)
8.1.2+dfsg-0.3+deb11u2
fixed
sid
10.4.0-1
fixed
trixie
10.4.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pillow
precise
dne
trusty
Fixed 2.3.0-1ubuntu3.4
released
xenial
Fixed 3.1.2-0ubuntu1.1
released
yakkety
Fixed 3.3.1-1ubuntu0.1
released
python-imaging
precise
Fixed 1.1.7-4ubuntu0.12.04.3
released
trusty
dne
xenial
dne
yakkety
dne
Common Weakness Enumeration
References
http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html
http://www.debian.org/security/2016/dsa-3710
http://www.securityfocus.com/bid/94234
https://github.com/python-pillow/Pillow/issues/2105
https://github.com/python-pillow/Pillow/pull/2146/commits/5d8a0be45aad78c5a22c8d099118ee26ef8144af
https://security.gentoo.org/glsa/201612-52
http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html
http://www.debian.org/security/2016/dsa-3710
http://www.securityfocus.com/bid/94234
https://github.com/python-pillow/Pillow/issues/2105
https://github.com/python-pillow/Pillow/pull/2146/commits/5d8a0be45aad78c5a22c8d099118ee26ef8144af
https://security.gentoo.org/glsa/201612-52