CVE-2021-28676

Summary

CVE	CVE-2021-28676
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-06-02 16:15:00 UTC
Updated	2023-12-22 15:15:00 UTC
Description	An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.

Risk And Classification

Problem Types: CWE-835

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Fedoraproject	Fedora	33	All	All	All
Application	Python	Pillow	All	All	All	All

References

Reference	Source	Link	Tags
Security fixes for 8.2.0 by hugovk · Pull Request #5377 · python-pillow/Pillow · GitHub	MISC	github.com
8.2.0 — Pillow (PIL Fork) 8.2.0 documentation	MISC	pillow.readthedocs.io
[SECURITY] Fedora 33 Update: mingw-python-pillow-7.2.0-6.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 33 Update: mingw-python-pillow-7.2.0-6.fc33 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Pillow: Multiple vulnerabilities (GLSA 202107-33) — Gentoo security	GENTOO	security.gentoo.org
github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee7...		github.com
[SECURITY] [DLA 2716-1] pillow security update	MLIST	lists.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

178719 Debian Security Update for pillow (DLA 2716-1)
180281 Debian Security Update for pillow (CVE-2021-28676)
198379 Ubuntu Security Notification for Pillow vulnerabilities (USN-4963-1)
239802 Red Hat Update for python-pillow (RHSA-2021:4149)
281106 Fedora Security Update for mingw (FEDORA-2021-aa5d2e2289)
281504 Fedora Security Update for mingw (FEDORA-2021-77756994ba)
296059 Oracle Solaris 11.4 Support Repository Update (SRU) 36.0.1.101.2 Missing (CPUJUL2021)
296060 Oracle Solaris 11.4 Support Repository Update (SRU) 37.0.1.101.1 Missing (CPUJUL2021)
355121 Amazon Linux Security Advisory for python-pillow : ALAS2023-2023-146
355393 Amazon Linux Security Advisory for python-pillow : ALAS2-2023-2083
377325 Alibaba Cloud Linux Security Update for python-pillow (ALINUX3-SA-2022:0012)
501768 Alpine Linux Security Update for py3-pillow
505317 Alpine Linux Security Update for py3-pillow
670495 EulerOS Security Update for python-pillow (EulerOS-SA-2021-2253)
670521 EulerOS Security Update for python-pillow (EulerOS-SA-2021-2279)
670558 EulerOS Security Update for python-pillow (EulerOS-SA-2021-2314)
670587 EulerOS Security Update for python-pillow (EulerOS-SA-2021-2345)
670674 EulerOS Security Update for python-pillow (EulerOS-SA-2021-2432)
690140 Free Berkeley Software Distribution (FreeBSD) Security Update for pillow (f947aa26-b2f9-11eb-a5f7-a0f3c100ae18)
710035 Gentoo Linux Pillow Multiple vulnerabilities (GLSA 202107-33)
940109 AlmaLinux Security Update for python-pillow (ALSA-2021:4149)
980999 Python (pip) Security Update for Pillow (GHSA-7r7m-5h27-29hp)