Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exclude carriage return in PDF regex to help prevent ReDoS #5912

Merged

Conversation

radarhere
Copy link
Member

@radarhere radarhere commented Dec 27, 2021

Like 3bce145 and #5393, except with \r instead of \n.

@radarhere radarhere added the automerge label Dec 28, 2021
@radarhere radarhere merged commit 43b800d into python-pillow:main Dec 28, 2021
49 checks passed
@radarhere radarhere deleted the fix-pdf-redos-carriage-return branch Dec 28, 2021
sbrunner added a commit to camptocamp/tilecloud-chain that referenced this issue Feb 2, 2022
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 63 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                            |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                            |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | urllib3                    | 1.25.11   | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
sbrunner added a commit to camptocamp/tilecloud-chain that referenced this issue Feb 2, 2022
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 63 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                            |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                            |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | urllib3                    | 1.25.11   | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
sbrunner added a commit to camptocamp/tilecloud-chain that referenced this issue Feb 2, 2022
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 63 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                            |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                            |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | urllib3                    | 1.25.11   | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 4, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | urllib3                    | 1.25.9    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44716    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the     |
  | array_from_pyobj function of fortranobject.c, which allows attackers to      |
  | conduct a Denial of Service attacks by carefully constructing an array with  |
  | negative values.                                                             |
  | numpy/numpy#19000                                  |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44717    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string         |
  | comparison in the numpy.core component in NumPy before 1.22.0 allows         |
  | attackers to trigger slightly incorrect copying by constructing specific     |
  | string objects. NOTE: the vendor states that this reported code behavior is  |
  | "completely harmless."                                                       |
  | numpy/numpy#18993                                  |
  +==============================================================================+
  | numpy                      | 1.21.5    | >0                       | 44715    |
  +==============================================================================+
  | All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
  | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
  | function due to missing return-value validation, which allows attackers to   |
  | conduct DoS attacks by repetitively creating sort arrays.                    |
  | numpy/numpy#19038                                  |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                            |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                            |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pipenv                     | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 4, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | urllib3                    | 1.25.9    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44716    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the     |
  | array_from_pyobj function of fortranobject.c, which allows attackers to      |
  | conduct a Denial of Service attacks by carefully constructing an array with  |
  | negative values.                                                             |
  | numpy/numpy#19000                                  |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44717    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string         |
  | comparison in the numpy.core component in NumPy before 1.22.0 allows         |
  | attackers to trigger slightly incorrect copying by constructing specific     |
  | string objects. NOTE: the vendor states that this reported code behavior is  |
  | "completely harmless."                                                       |
  | numpy/numpy#18993                                  |
  +==============================================================================+
  | numpy                      | 1.21.5    | >0                       | 44715    |
  +==============================================================================+
  | All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
  | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
  | function due to missing return-value validation, which allows attackers to   |
  | conduct DoS attacks by repetitively creating sort arrays.                    |
  | numpy/numpy#19038                                  |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                            |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                            |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pipenv                     | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
automerge
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants