CVE-2021-28677
Summary
| CVE | CVE-2021-28677 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-06-02 16:15:00 UTC |
| Updated | 2023-11-07 03:32:00 UTC |
| Description | An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. |
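The "accidentally quadratic" readline the description refers to, shown beside a linear alternative, as an added illustration that is not Pillow's own code: the function names, the chunk size and the constructed inputs are assumptions, and both versions accept any mix of \r, \n and \r\n as line endings.

```python
import io

def readline_quadratic(fp):
    """Byte-at-a-time accumulation: `line = line + ch` rebuilds the buffer on
    every byte, so an n-byte line copies about n*n/2 bytes. Returns (line, bytes_copied)."""
    line, copied = b"", 0
    while True:
        ch = fp.read(1)
        if not ch:
            return line, copied
        if ch == b"\r" and fp.read(1) not in (b"", b"\n"):
            fp.seek(-1, io.SEEK_CUR)  # lone \r: give the peeked byte back
        if ch in (b"\r", b"\n"):
            return line, copied
        line = line + ch
        copied += len(line)  # the whole buffer is rewritten again

def readline_linear(fp, chunk=4096):
    """Read a chunk, scan it once for \r or \n, rewind to just past the terminator.
    Work grows with the line length, whatever the ending mix. Returns (line, bytes_read)."""
    parts, nread = [], 0
    while True:
        data = fp.read(chunk)
        if not data:
            return b"".join(parts), nread
        nread += len(data)
        ends = [i for i in (data.find(b"\r"), data.find(b"\n")) if i != -1]
        if not ends:
            parts.append(data)
            continue
        end = min(ends)
        skip = end + 1
        if data[end:end + 1] == b"\r":
            if end + 1 == len(data):  # \r on a chunk boundary: peek for \n
                data += fp.read(1)
            if data[end + 1:end + 2] == b"\n":
                skip += 1
        fp.seek(skip - len(data), io.SEEK_CUR)
        return b"".join(parts + [data[:end]]), nread

def split_lines(readline, data, **kw):
    """Drive a readline function over an in-memory buffer; returns (lines, total work)."""
    fp, lines, work = io.BytesIO(data), [], 0
    while True:
        start = fp.tell()
        line, cost = readline(fp, **kw)
        if fp.tell() == start:  # nothing consumed: end of input
            return lines, work
        lines.append(line)
        work += cost
```

On a constructed 2000-byte line the byte-at-a-time version performs about two million byte copies while the chunked version reads roughly two thousand bytes, which is the gap a long line in a hostile EPS header turns into a denial of service.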
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Application | Python | Pillow | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 8.2.0 — Pillow (PIL Fork) 8.2.0 documentation | MISC | pillow.readthedocs.io | |
| Security fixes for 8.2.0 by hugovk · Pull Request #5377 · python-pillow/Pillow · GitHub | MISC | github.com | |
| [SECURITY] Fedora 33 Update: mingw-python-pillow-7.2.0-6.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Pillow: Multiple vulnerabilities (GLSA 202107-33) — Gentoo security | GENTOO | security.gentoo.org | |
| [SECURITY] [DLA 2716-1] pillow security update | MLIST | lists.debian.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 178719 Debian Security Update for pillow (DLA 2716-1)
- 179813 Debian Security Update for pillow (CVE-2021-28677)
- 198379 Ubuntu Security Notification for Pillow vulnerabilities (USN-4963-1)
- 239802 Red Hat Update for python-pillow (RHSA-2021:4149)
- 281106 Fedora Security Update for mingw (FEDORA-2021-aa5d2e2289)
- 281504 Fedora Security Update for mingw (FEDORA-2021-77756994ba)
- 296059 Oracle Solaris 11.4 Support Repository Update (SRU) 36.0.1.101.2 Missing (CPUJUL2021)
- 296060 Oracle Solaris 11.4 Support Repository Update (SRU) 37.0.1.101.1 Missing (CPUJUL2021)
- 355121 Amazon Linux Security Advisory for python-pillow : ALAS2023-2023-146
- 355393 Amazon Linux Security Advisory for python-pillow : ALAS2-2023-2083
- 501768 Alpine Linux Security Update for py3-pillow
- 505317 Alpine Linux Security Update for py3-pillow
- 670495 EulerOS Security Update for python-pillow (EulerOS-SA-2021-2253)
- 670521 EulerOS Security Update for python-pillow (EulerOS-SA-2021-2279)
- 670558 EulerOS Security Update for python-pillow (EulerOS-SA-2021-2314)
- 670587 EulerOS Security Update for python-pillow (EulerOS-SA-2021-2345)
- 670674 EulerOS Security Update for python-pillow (EulerOS-SA-2021-2432)
- 670990 EulerOS Security Update for python-pillow (EulerOS-SA-2021-2611)
- 690140 Free Berkeley Software Distribution (FreeBSD) Security Update for pillow (f947aa26-b2f9-11eb-a5f7-a0f3c100ae18)
- 710035 Gentoo Linux Pillow Multiple vulnerabilities (GLSA 202107-33)
- 940109 AlmaLinux Security Update for python-pillow (ALSA-2021:4149)
- 980994 Python (pip) Security Update for Pillow (GHSA-q5hq-fp76-qmrc)