1.公告詳情：

• 在8.1.0之前的Pillow中，由于對偏移量和長度表的處理不正確，因此在解碼制作的SGI RLE圖像文件時，SGIRleDecode會讀取4字節的緩沖區。（CVE-2020-35655）

• 在8.1.0之前的Pillow中，由于在RGBA模式下與LibTIFF的某些解釋沖突，因此在解碼制作的YCbCr文件時，TiffDecode具有基于堆的緩沖區溢出。（CVE-2020-35654）

• 在8.1.0之前的Pillow中，PcxDecode在解碼制作的PCX文件時會讀取緩沖區，因為用戶提供的步幅值可用于緩沖區計算。（CVE-2020-35653）

2. 受影響的操作系統：

• 銀河麒麟桌面操作系統V10專業版

• 銀河麒麟桌面操作系統V4

• 銀河麒麟桌面操作系統V4 SP1

• 銀河麒麟桌面操作系統V4 SP2

• 銀河麒麟桌面操作系統V4 SP3

• 銀河麒麟桌面操作系統V4 SP4

• 銀河麒麟桌面操作系統V10

• 銀河麒麟桌面操作系統V10 SP1

• 銀河麒麟服務器操作系統V4

• 銀河麒麟服務器操作系統V4 SP1

• 銀河麒麟服務器操作系統V4 SP2

• 銀河麒麟服務器操作系統V4 SP3

• 銀河麒麟服務器操作系統V4 SP4

3. 修復版本

軟件包：pillow

python-pil - 3.1.2-0kord1.5（V4、V10）

python3-pil - 3.1.2-0kord1.5（V4、V10）

python3-pil - 7.0.0-4kylin1（V10專業版）

4. 受影響的軟件包

• 銀河麒麟桌面操作系統V4桌面版

python-imaging

python-pil-dbg

python-pil-doc

python-pil.imagetk-dbg

python-pil.imagetk

python-pil

python3-pil-dbg

python3-pil.imagetk-dbg

python3-pil.imagetk

python3-pil

• 銀河麒麟桌面操作系統V10桌面版
  

python-imaging

python-pil-dbg

python-pil-doc

python-pil.imagetk-dbg

python-pil.imagetk

python-pil

python3-pil-dbg

python3-pil.imagetk-dbg

python3-pil.imagetk

python3-pil

• 銀河麒麟桌面操作系統V10專業版

python-pil-doc

python3-pil-dbg

python3-pil.imagetk-dbg

python3-pil.imagetk

python3-pil

5.修復方法

方法一：配置源進行升級安裝

        打開軟件包源配置文件，根據倉庫地址進行修改。

                4.0.2: http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2-desktop main restricted universe multiverse

                4.0.2-sp1: http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2sp1-desktop main restricted universe multiverse

                4.0.2-sp2: http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2sp2-desktop main restricted universe multiverse

                4.0.2-sp3: http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2sp3-desktop main restricted universe multiverse

                4.0.2-sp4: http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2sp4-desktop main restricted universe multiverse

                10.0: http://archive.kylinos.cn/kylin/KYLIN-ALL 10.0 main restricted universe multiverse

                10.0專業版: http://archive.kylinos.cn/kylin/KYLIN-ALL 10.1 main restricted universe multiverse

        配置完成后執行更新命令進行升級  $sudo apt update

方法二：下載安裝包進行升級安裝

        通過軟件包地址下載軟件包，使用軟件包升級命令根據受影響的組件包列表 升級相關的組件包。  $dpkg -i Packagelists

6. 軟件包下載地址

• 麒麟操作系統V10桌面版、V4

  X86_64軟件包下載地址：

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-imaging_3.1.2-0kord1.5_all.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil-dbg_3.1.2-0kord1.5_amd64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil-doc_3.1.2-0kord1.5_all.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil.imagetk-dbg_3.1.2-0kord1.5_amd64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil.imagetk_3.1.2-0kord1.5_amd64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil_3.1.2-0kord1.5_amd64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil-dbg_3.1.2-0kord1.5_amd64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil.imagetk-dbg_3.1.2-0kord1.5_amd64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil.imagetk_3.1.2-0kord1.5_amd64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil_3.1.2-0kord1.5_amd64.deb

  arm64軟件包下載地址：

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-imaging_3.1.2-0kord1.5_all.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil-dbg_3.1.2-0kord1.5_arm64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil-doc_3.1.2-0kord1.5_all.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil.imagetk-dbg_3.1.2-0kord1.5_arm64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil.imagetk_3.1.2-0kord1.5_arm64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil_3.1.2-0kord1.5_arm64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil-dbg_3.1.2-0kord1.5_arm64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil.imagetk-dbg_3.1.2-0kord1.5_arm64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil.imagetk_3.1.2-0kord1.5_arm64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil_3.1.2-0kord1.5_arm64.deb

• 銀河麒麟桌面操作系統V10專業版

  X86_64軟件包下載地址：

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil-doc_7.0.0-4kylin1_all.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil-dbg_7.0.0-4kylin1_amd64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil.imagetk-dbg_7.0.0-4kylin1_amd64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil.imagetk_7.0.0-4kylin1_amd64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil_7.0.0-4kylin1_amd64.deb

  arm64軟件包下載地址：

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil-doc_7.0.0-4kylin1_all.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil-dbg_7.0.0-4kylin1_arm64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil.imagetk-dbg_7.0.0-4kylin1_arm64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil.imagetk_7.0.0-4kylin1_arm64.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil_3.1.2-0kord1.5_arm64.deb

  mips64el軟件包下載地址：

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python-pil-doc_7.0.0-4kylin1_all.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil-dbg_7.0.0-4kylin1_mips64el.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil.imagetk-dbg_7.0.0-4kylin1_mips64el.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil.imagetk_7.0.0-4kylin1_mips64el.deb

  http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/p/pillow/python3-pil_7.0.0-4kylin1_mips64el.deb