
Update dependency pillow to v10 [SECURITY] #62

Open

renovate[bot] wants to merge 1 commit into master from renovate/pypi-pillow-vulnerability

Conversation


@renovate renovate Bot commented Aug 6, 2024

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package             Change            Age      Confidence
pillow (changelog)  7.2.0 -> 10.3.0   (badge)  (badge)

Pillow Out-of-bounds Write

CVE-2020-35654 / GHSA-vqcj-wrf2-7v73

More information

Details

In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Regular Expression Denial of Service (ReDoS) in Pillow

CVE-2021-25292 / GHSA-9hx2-hgq2-2g4f

More information

Details

An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Out of bounds read in Pillow

CVE-2021-25293 / GHSA-p43w-g3c5-g5mq

More information

Details

An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Uncontrolled Resource Consumption in pillow

GHSA-jgpv-4h4c-xhw3

More information

Details

Impact

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

Patches

An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

Workarounds

An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

References

https://nvd.nist.gov/vuln/detail/CVE-2021-27921

For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 7.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Insufficient Verification of Data Authenticity in Pillow

CVE-2021-28678 / GHSA-hjfx-8p6c-g7gx

More information

Details

An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Out-of-bounds Read in Pillow

CVE-2021-25287 / GHSA-77gc-v2xv-rvvh

More information

Details

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Pillow Out-of-bounds Read vulnerability

CVE-2021-25288 / GHSA-rwv7-3v45-hg29

More information

Details

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. This dates to Pillow 2.4.0.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Pillow denial of service

CVE-2021-28675 / GHSA-g6rj-rv7j-xwp4

More information

Details

An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Potential infinite loop in Pillow

CVE-2021-28676 / GHSA-7r7m-5h27-29hp

More information

Details

An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Uncontrolled Resource Consumption in Pillow

CVE-2021-28677 / GHSA-q5hq-fp76-qmrc

More information

Details

An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Buffer Overflow in Pillow

CVE-2021-34552 / GHSA-7534-mm45-c74v

More information

Details

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Out-of-bounds Read in Pillow

CVE-2022-22816 / GHSA-xrcv-f9gm-v42c

More information

Details

path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Improper Initialization in Pillow

CVE-2022-22815 / GHSA-pw3c-h7wp-cvhx

More information

Details

Pillow is the friendly PIL (Python Imaging Library) fork. path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Path traversal in Pillow

CVE-2022-24303 / GHSA-9j59-75qj-795w

More information

Details

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Infinite loop in Pillow

GHSA-4fx9-vc88-q2xc

More information

Details

JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.

Severity

Low

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Pillow vulnerable to Data Amplification attack.

CVE-2022-45198 / GHSA-m2vv-5vj5-2hm7

More information

Details

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Out of bounds read in Pillow

CVE-2021-25291 / GHSA-mvg9-xffr-p774

More information

Details

An issue was discovered in Pillow before 8.2.0. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Arbitrary expression injection in Pillow

CVE-2022-22817 / GHSA-8vj2-vxx3-667w

More information

Details

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method ImageMath.eval("exec(exit())").

While Pillow 9.0.0 restricted top-level builtins available to PIL.ImageMath.eval(), it did not prevent builtins available to lambda expressions. These are now also restricted in 9.0.1.

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Uncontrolled Resource Consumption in pillow

CVE-2021-23437 / GHSA-98vv-pw6r-q6q4

More information

Details

The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


libwebp: OOB write in BuildHuffmanTable

CVE-2023-4863 / GHSA-j7hp-h8jx-5ppr

More information

Details

Heap buffer overflow in libwebp allows a remote attacker to perform an out of bounds memory write via a crafted HTML page.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Pillow Denial of Service vulnerability

CVE-2023-44271 / GHSA-8ghj-p4vj-mr35

More information

Details

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Arbitrary Code Execution in Pillow

CVE-2023-50447 / GHSA-3f63-hfp8-52jq

More information

Details

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Pillow buffer overflow vulnerability

CVE-2024-28219 / GHSA-44wm-f244-xhp3

More information

Details

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

Severity

  • CVSS Score: 7.3 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the [GitHub Advisor

Note

PR body was truncated to here.

renovate Bot force-pushed the renovate/pypi-pillow-vulnerability branch from d43f39f to bb0d88e on August 28, 2024 08:00
renovate Bot force-pushed the renovate/pypi-pillow-vulnerability branch from bb0d88e to cf1e9f0 on September 5, 2024 10:45
renovate Bot force-pushed the renovate/pypi-pillow-vulnerability branch from cf1e9f0 to 80f46d2 on October 8, 2024 13:27
renovate Bot changed the title from "Update dependency Pillow to v9 [SECURITY]" to "Update dependency Pillow [SECURITY]" on Oct 8, 2024
renovate Bot force-pushed the renovate/pypi-pillow-vulnerability branch from 80f46d2 to 400c454 on October 11, 2024 17:12
renovate Bot force-pushed the renovate/pypi-pillow-vulnerability branch 2 times, most recently from 8482cd9 to 57908d7 on October 28, 2024 14:30
renovate Bot force-pushed the renovate/pypi-pillow-vulnerability branch from 57908d7 to a670be4 on November 3, 2024 09:59

sonarqubecloud Bot commented Nov 3, 2024


renovate Bot commented Jan 14, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock

The "poetry.dev-dependencies" section is deprecated and will be removed in a future version. Use "poetry.group.dev.dependencies" instead.
Creating virtualenv gcloud-image-transformer-P10ETxzB-py3.14 in /home/ubuntu/.cache/pypoetry/virtualenvs

The lock file is not compatible with the current version of Poetry.
Regenerate the lock file with the `poetry lock` command.

renovate Bot force-pushed the renovate/pypi-pillow-vulnerability branch from a670be4 to a43878e on August 10, 2025 13:15

renovate Bot changed the title from "Update dependency Pillow [SECURITY]" to "Update dependency pillow to v12 [SECURITY]" on Mar 19, 2026
renovate Bot changed the title from "Update dependency pillow to v12 [SECURITY]" to "Update dependency pillow to v9 [SECURITY]" on Mar 19, 2026
renovate Bot changed the title from "Update dependency pillow to v9 [SECURITY]" to "Update dependency Pillow [SECURITY]" on Mar 26, 2026
renovate Bot changed the title from "Update dependency Pillow [SECURITY]" to "Update dependency Pillow [SECURITY] - autoclosed" on Mar 27, 2026
renovate Bot closed this on Mar 27, 2026
renovate Bot deleted the renovate/pypi-pillow-vulnerability branch on March 27, 2026 05:26
renovate Bot changed the title from "Update dependency Pillow [SECURITY] - autoclosed" to "Update dependency Pillow [SECURITY]" on Mar 30, 2026
renovate Bot reopened this on Mar 30, 2026
renovate Bot force-pushed the renovate/pypi-pillow-vulnerability branch 2 times, most recently from a43878e to d2da342 on March 30, 2026 17:38
renovate Bot changed the title from "Update dependency Pillow [SECURITY]" to "Update dependency Pillow to v10 [SECURITY]" on Apr 15, 2026
renovate Bot changed the title from "Update dependency Pillow to v10 [SECURITY]" to "Update dependency pillow to v12 [SECURITY]" on Jun 1, 2026
renovate Bot changed the title from "Update dependency pillow to v12 [SECURITY]" to "Update dependency pillow to v10 [SECURITY]" on Jun 2, 2026