/
PYSEC-2021-93.yaml
110 lines (110 loc) · 1.91 KB
/
PYSEC-2021-93.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
id: PYSEC-2021-93
details: An issue was discovered in Pillow before 8.2.0. For EPS data, the readline
implementation used in EPSImageFile has to deal with any combination of \r and \n
as line endings. It used an accidentally quadratic method of accumulating lines
while looking for a line ending. A malicious EPS file could use this to perform
a DoS of Pillow in the open phase, before an image was accepted for opening.
affected:
- package:
name: pillow
ecosystem: PyPI
purl: pkg:pypi/pillow
ranges:
- type: ECOSYSTEM
events:
- introduced: '0'
- fixed: 8.2.0
versions:
- '1.0'
- '1.1'
- '1.2'
- '1.3'
- '1.4'
- '1.5'
- '1.6'
- 1.7.0
- 1.7.1
- 1.7.2
- 1.7.3
- 1.7.4
- 1.7.5
- 1.7.6
- 1.7.7
- 1.7.8
- 2.0.0
- 2.1.0
- 2.2.0
- 2.2.1
- 2.2.2
- 2.3.0
- 2.3.1
- 2.3.2
- 2.4.0
- 2.5.0
- 2.5.1
- 2.5.2
- 2.5.3
- 2.6.0
- 2.6.1
- 2.6.2
- 2.7.0
- 2.8.0
- 2.8.1
- 2.8.2
- 2.9.0
- 3.0.0
- 3.1.0
- 3.1.0.rc1
- 3.1.0rc1
- 3.1.1
- 3.1.2
- 3.2.0
- 3.3.0
- 3.3.1
- 3.3.2
- 3.3.3
- 3.4.0
- 3.4.1
- 3.4.2
- 4.0.0
- 4.1.0
- 4.1.1
- 4.2.0
- 4.2.1
- 4.3.0
- 5.0.0
- 5.1.0
- 5.2.0
- 5.3.0
- 5.4.0
- 5.4.0.dev0
- 5.4.1
- 6.0.0
- 6.1.0
- 6.2.0
- 6.2.1
- 6.2.2
- 7.0.0
- 7.1.0
- 7.1.1
- 7.1.2
- 7.2.0
- 8.0.0
- 8.0.1
- 8.1.0
- 8.1.1
- 8.1.2
references:
- type: WEB
url: https://github.com/python-pillow/Pillow/pull/5377
- type: WEB
url: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
- type: WEB
url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
- type: ADVISORY
url: https://github.com/advisories/GHSA-q5hq-fp76-qmrc
aliases:
- CVE-2021-28677
- GHSA-q5hq-fp76-qmrc
modified: '2021-06-09T05:00:59.042287Z'
published: '2021-06-02T16:15:00Z'