Update dependency Pillow to v10 [SECURITY] #95
Open
renovate[bot] wants to merge 1 commit into
Branch updated: e099493 → 14fd7e0 → ffe013b
This PR contains the following updates:
Pillow: ==5.1.0 → ==10.3.0
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
DOS attack in Pillow when processing specially crafted image files
CVE-2019-16865 / GHSA-j7mj-748x-7p78
Details: An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Out-of-bounds Read in Pillow
CVE-2020-5313 / GHSA-hj69-c76v-86wr
Details: libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
Severity: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
Buffer overflow in Pillow
CVE-2020-10379 / GHSA-8843-m7mw-mxqm
Details: In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Out-of-bounds reads in Pillow
CVE-2020-10994 / GHSA-vj42-xq3r-hr3r
Details: In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Out-of-bounds reads in Pillow
CVE-2020-10177 / GHSA-cqhg-xjhh-p8hf
Details: Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Out-of-bounds read in Pillow
CVE-2020-11538 / GHSA-43fq-w8qq-v88h
Details: In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.
Severity: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Pillow Out-of-bounds Write
CVE-2020-35654 / GHSA-vqcj-wrf2-7v73
Details: In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Regular Expression Denial of Service (ReDoS) in Pillow
CVE-2021-25292 / GHSA-9hx2-hgq2-2g4f
Details: An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Out of bounds read in Pillow
CVE-2021-25293 / GHSA-p43w-g3c5-g5mq
Details: An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Uncontrolled Resource Consumption in pillow
GHSA-jgpv-4h4c-xhw3
Impact: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.
References: https://nvd.nist.gov/vuln/detail/CVE-2021-27921
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Insufficient Verification of Data Authenticity in Pillow
CVE-2021-28678 / GHSA-hjfx-8p6c-g7gx
Details: An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
Severity: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Out-of-bounds Read in Pillow
CVE-2021-25287 / GHSA-77gc-v2xv-rvvh
Details: An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
Pillow Out-of-bounds Read vulnerability
CVE-2021-25288 / GHSA-rwv7-3v45-hg29
Details: An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. This dates to Pillow 2.4.0.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
Potential infinite loop in Pillow
CVE-2021-28676 / GHSA-7r7m-5h27-29hp
Details: An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Pillow denial of service
CVE-2021-28675 / GHSA-g6rj-rv7j-xwp4
Details: An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Uncontrolled Resource Consumption in Pillow
CVE-2021-28677 / GHSA-q5hq-fp76-qmrc
Details: An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Buffer Overflow in Pillow
CVE-2021-34552 / GHSA-7534-mm45-c74v
Details: Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Out-of-bounds read in Pillow
CVE-2020-10378 / GHSA-3xv8-3j54-hgrp
Details: In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
Severity: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
PCX P mode buffer overflow in Pillow
CVE-2020-5312 / GHSA-p49h-hjvm-jg3h
Details: libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Out-of-bounds Read in Pillow
CVE-2022-22816 / GHSA-xrcv-f9gm-v42c
Details: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Improper Initialization in Pillow
CVE-2022-22815 / GHSA-pw3c-h7wp-cvhx
Details: Pillow is the friendly PIL (Python Imaging Library) fork. path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Path traversal in Pillow
CVE-2022-24303 / GHSA-9j59-75qj-795w
Details: Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Infinite loop in Pillow
GHSA-4fx9-vc88-q2xc
Details: JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder. If the EOF marker is not detected as such, however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.
Severity: Low