CVE-2016-9190

Advisory

Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9190
• http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html
• https://github.com/python-pillow/Pillow/issues/2105
• https://github.com/python-pillow/Pillow/pull/2146/commits/5d8a0be45aad78c5a22c8d099118ee26ef8144af
• http://www.securityfocus.com/bid/94234
• http://www.debian.org/security/2016/dsa-3710
• https://security.gentoo.org/glsa/201612-52