Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ensure JpegImagePlugin stops at the end of a truncated file #5921

Merged
merged 1 commit into from Jan 1, 2022

Conversation

radarhere
Copy link
Member

@radarhere radarhere commented Jan 1, 2022

JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.

@radarhere radarhere added the JPEG label Jan 1, 2022
@radarhere radarhere changed the title If appended JPEG EOI did not work, do not keep trying Ensure JpegImagePlugin stops at the end of a truncated file Jan 1, 2022
hugovk
hugovk approved these changes Jan 1, 2022
@hugovk hugovk added the automerge label Jan 1, 2022
@mergify mergify bot merged commit baae9ec into python-pillow:main Jan 1, 2022
49 checks passed
@radarhere radarhere deleted the jpeg_eoi branch Jan 1, 2022
sbrunner added a commit to camptocamp/tilecloud-chain that referenced this issue Feb 2, 2022
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 63 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                            |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                            |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | urllib3                    | 1.25.11   | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
sbrunner added a commit to camptocamp/tilecloud-chain that referenced this issue Feb 2, 2022
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 63 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                            |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                            |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | urllib3                    | 1.25.11   | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
sbrunner added a commit to camptocamp/tilecloud-chain that referenced this issue Feb 2, 2022
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 63 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                            |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                            |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | urllib3                    | 1.25.11   | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 4, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | urllib3                    | 1.25.9    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44716    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the     |
  | array_from_pyobj function of fortranobject.c, which allows attackers to      |
  | conduct a Denial of Service attacks by carefully constructing an array with  |
  | negative values.                                                             |
  | numpy/numpy#19000                                  |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44717    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string         |
  | comparison in the numpy.core component in NumPy before 1.22.0 allows         |
  | attackers to trigger slightly incorrect copying by constructing specific     |
  | string objects. NOTE: the vendor states that this reported code behavior is  |
  | "completely harmless."                                                       |
  | numpy/numpy#18993                                  |
  +==============================================================================+
  | numpy                      | 1.21.5    | >0                       | 44715    |
  +==============================================================================+
  | All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
  | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
  | function due to missing return-value validation, which allows attackers to   |
  | conduct DoS attacks by repetitively creating sort arrays.                    |
  | numpy/numpy#19038                                  |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                            |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                            |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pipenv                     | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Feb 4, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | urllib3                    | 1.25.9    | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44716    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the     |
  | array_from_pyobj function of fortranobject.c, which allows attackers to      |
  | conduct a Denial of Service attacks by carefully constructing an array with  |
  | negative values.                                                             |
  | numpy/numpy#19000                                  |
  +==============================================================================+
  | numpy                      | 1.21.5    | <1.22.0                  | 44717    |
  +==============================================================================+
  | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string         |
  | comparison in the numpy.core component in NumPy before 1.22.0 allows         |
  | attackers to trigger slightly incorrect copying by constructing specific     |
  | string objects. NOTE: the vendor states that this reported code behavior is  |
  | "completely harmless."                                                       |
  | numpy/numpy#18993                                  |
  +==============================================================================+
  | numpy                      | 1.21.5    | >0                       | 44715    |
  +==============================================================================+
  | All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
  | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
  | function due to missing return-value validation, which allows attackers to   |
  | conduct DoS attacks by repetitively creating sort arrays.                    |
  | numpy/numpy#19038                                  |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                            |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                            |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pipenv                     | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+
```
geiregjo pushed a commit to Awingu/Pillow that referenced this issue May 10, 2022
Ensure JpegImagePlugin stops at the end of a truncated file
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
automerge JPEG
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants