Pillow before 7.1.0 contains two buffer overflows in libImaging/TiffDecode.c and an out-of-bounds read when decoding PCX files. PyTorch and TensorFlow use Pillow, so both are affected.
CVEID: CVE-2020-10378
**DESCRIPTION:** Pillow could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when reading PCX files where `state->shuffle` is instructed to read beyond `state->buffer`. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184185 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2020-10379
**DESCRIPTION:** Pillow is vulnerable to a buffer overflow, caused by improper bounds checking in TiffDecode.c. By persuading a victim to open a specially crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184184 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
| Affected Product(s) | Version(s) |
|---|---|
| IBM Watson Machine Learning Community Edition | 1.6.2 |
| IBM Watson Machine Learning Community Edition | 1.7.0 |
A new version of Pillow has been included in WML CE, and PyTorch and TensorFlow have been rebuilt against it. Update the framework package you use so that the rebuilt packages and the fixed Pillow are installed.
TensorFlow must be updated.
For the GPU-enabled version:
```
conda update tensorflow-gpu
```
For the non-GPU version:
```
conda update tensorflow
```
PyTorch must be updated.
For the GPU-enabled version:
```
conda update pytorch
```
For the non-GPU version:
```
conda update pytorch-cpu
```
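After running the updates, confirm that the Pillow actually imported by the environment is 7.1.0 or later, since an older Pillow pinned elsewhere in the environment would leave both CVEs reachable. The script below is an added example for this bulletin, not code from IBM or from the Pillow project; it assumes only that Pillow exposes `PIL.__version__` (or the older `PIL.PILLOW_VERSION`) and compares the leading numeric components against 7.1.0.

```python
"""Check whether the installed Pillow predates the 7.1.0 fixes (added example, not part of the bulletin)."""
import importlib
import re
from typing import Optional, Tuple

# First Pillow release that ships the fixes for CVE-2020-10378 and CVE-2020-10379.
FIXED_VERSION: Tuple[int, int, int] = (7, 1, 0)
AFFECTED_CVES = ("CVE-2020-10378", "CVE-2020-10379")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a version string such as '7.0.0' or '6.2.2.post1' to its leading numeric
    major/minor/patch tuple. Non-numeric suffixes (post1, dev0, rc1) are ignored, so a
    pre-release such as '7.1.0.dev0' is treated as 7.1.0; treat such builds with suspicion."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable(version: str) -> bool:
    """True when the given Pillow version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def installed_pillow_version() -> Optional[str]:
    """Return the version string of the Pillow that `import PIL` resolves to, or None if absent."""
    try:
        pil = importlib.import_module("PIL")
    except ImportError:
        return None
    # Pillow >= 5.2 exposes __version__; very old releases only had PILLOW_VERSION.
    return getattr(pil, "__version__", None) or getattr(pil, "PILLOW_VERSION", None)


def check_installed() -> dict:
    """Summarise the state of the current environment for this bulletin."""
    version = installed_pillow_version()
    if version is None:
        return {"installed": False, "version": None, "vulnerable": None}
    return {"installed": True, "version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    result = check_installed()
    if not result["installed"]:
        print("Pillow is not importable in this environment.")
    elif result["vulnerable"]:
        print(f"Pillow {result['version']} is older than 7.1.0: still exposed to {', '.join(AFFECTED_CVES)}.")
    else:
        print(f"Pillow {result['version']} includes the fixes for {', '.join(AFFECTED_CVES)}.")
```

Run it with the same interpreter that PyTorch or TensorFlow runs under (for a conda environment, after `conda activate`), because a system-wide Pillow and the environment's Pillow can differ.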
CPE

| Name | Operator | Version |
|---|---|---|
| ibm powerai | eq | 1.6.2 |
| ibm powerai | eq | 1.7.0 |