Headline
CVE-2022-45198: vulnerable to gif extent(?) decompression bombs
Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).
Description Michał Górny 2022-07-02 07:34:22 UTC
From Changelog:
± Added GIF decompression bomb check #6402
- [radarhere]
Not much information here: https://github.com/python-pillow/Pillow/pull/6402
but it seems that it covers another possible case of decompression bomb in gif files.
Related news
Ubuntu Security Notice 5777-1 - It was discovered that Pillow incorrectly handled the deletion of temporary files when using a temporary directory that contains spaces. An attacker could possibly use this issue to delete arbitrary files. This issue only affected Ubuntu 20.04 LTS. It was discovered that Pillow incorrectly handled the decompression of highly compressed GIF data. An attacker could possibly use this issue to cause Pillow to crash, resulting in a denial of service.
Gentoo Linux Security Advisory 202211-10 - Multiple vulnerabilities have been found in Pillow, the worst of which could result in arbitrary code execution. Versions less than 9.3.0 are affected.