ALT-PU-2021-1491-2 — python3-module-Pillow

BDU:2021-05182

HIGH7.5

Уязвимость компонента TiffDecode.c библиотеки для работы с изображениями Pillow, связанная с записью за границами буфера, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2021-10-27Изменено: 2023-11-21

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0СРЕДНЯЯ 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

Ссылки

CVE-2021-25290

BDU:2022-02667

CRITICAL9.8

Уязвимость библиотеки для работы с изображениями Pillow, вызванная переполнением буфера в динамической памяти, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации

Опубликовано: 2022-04-27

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0КРИТИЧЕСКАЯ 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

Ссылки

CVE-2021-25289

BDU:2025-04192

HIGH7.5

Уязвимость компонента SGIRleDecode.c библиотеки для работы с растровой графикой Pillow, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2025-04-10Изменено: 2025-05-05

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0СРЕДНЯЯ 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

Ссылки

CVE-2021-25293

CVE-2021-25289

CRITICAL9.8

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.

Опубликовано: 2021-03-19Изменено: 2024-11-21

CVSS 2.0ВЫСОКАЯ 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2021-25290

HIGH7.5

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.

Опубликовано: 2021-03-19Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

CVE-2021-25291

HIGH7.5

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.

Опубликовано: 2021-03-19Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

CVE-2021-25292

MEDIUM6.5

An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.

Опубликовано: 2021-03-19Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS 3.xСРЕДНЯЯ 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Ссылки

CVE-2021-25293

HIGH7.5

An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.

Опубликовано: 2021-03-19Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

CVE-2021-27921

HIGH7.5

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

Опубликовано: 2021-03-03Изменено: 2025-08-15

CVSS 2.0СРЕДНЯЯ 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

CVE-2021-27922

HIGH7.5

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.

Опубликовано: 2021-03-03Изменено: 2025-08-15

CVSS 2.0СРЕДНЯЯ 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

CVE-2021-27923

HIGH7.5

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

Опубликовано: 2021-03-03Изменено: 2025-08-15

CVSS 2.0СРЕДНЯЯ 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

GHSA-3wvg-mj6g-m9cv

HIGH8.7

Pillow Uncontrolled Resource Consumption

Опубликовано: 2021-03-18Изменено: 2025-08-15

CVSS 3.xВЫСОКАЯ 8.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0ВЫСОКАЯ 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Ссылки

GHSA-57h3-9rgr-c24m

CRITICAL9.3

Out of bounds write in Pillow

Опубликовано: 2021-03-29Изменено: 2024-10-08

CVSS 3.xКРИТИЧЕСКАЯ 9.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0КРИТИЧЕСКАЯ 9.3

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Ссылки

GHSA-8xjq-8fcg-g5hw

HIGH8.7

Out-of-bounds Write in Pillow

Опубликовано: 2021-03-29Изменено: 2024-10-08

CVSS 3.xВЫСОКАЯ 8.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0ВЫСОКАЯ 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Ссылки

GHSA-95q3-8gr9-gm8w

HIGH8.7

Pillow Denial of Service by Uncontrolled Resource Consumption

Опубликовано: 2021-03-18Изменено: 2025-08-15

CVSS 3.xВЫСОКАЯ 8.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0ВЫСОКАЯ 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Ссылки

GHSA-9hx2-hgq2-2g4f

MEDIUM6.9

Regular Expression Denial of Service (ReDoS) in Pillow

Опубликовано: 2021-03-29Изменено: 2024-10-10

CVSS 3.x

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS 4.0

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Ссылки

GHSA-f4w8-cv6p-x6r5

HIGH8.7

Pillow Denial of Service by Uncontrolled Resource Consumption

Опубликовано: 2021-03-18Изменено: 2025-08-15

CVSS 3.xВЫСОКАЯ 8.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0ВЫСОКАЯ 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Ссылки

GHSA-mvg9-xffr-p774

HIGH8.7

Out of bounds read in Pillow

Опубликовано: 2021-03-29Изменено: 2024-10-10

CVSS 3.xВЫСОКАЯ 8.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0ВЫСОКАЯ 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Ссылки

GHSA-p43w-g3c5-g5mq

HIGH8.7

Out of bounds read in Pillow

Опубликовано: 2021-03-29Изменено: 2024-10-09

CVSS 3.xВЫСОКАЯ 8.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0ВЫСОКАЯ 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Ссылки

Обновление пакета python3-module-Pillow в ветке sisyphus

Закрытые проблемы (19)

Уязвимость компонента SGIRleDecode.c библиотеки для работы с растровой графикой Pillow, позволяющая нарушителю вызвать отказ в обслуживании

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.

An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.

An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

Pillow Uncontrolled Resource Consumption

Out of bounds write in Pillow

Out-of-bounds Write in Pillow

Pillow Denial of Service by Uncontrolled Resource Consumption

Regular Expression Denial of Service (ReDoS) in Pillow

Pillow Denial of Service by Uncontrolled Resource Consumption

Out of bounds read in Pillow

Out of bounds read in Pillow