Headline
CVE-2021-23437: 8.3.2
The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
Back to top
Edit this page
Toggle table of contents sidebar
Security#
CVE-2021-23437: Avoid a potential ReDoS (regular expression denial of service) in ImageColor’s getrgb() by raising ValueError if the color specifier is too long. Present since Pillow 5.2.0.
Fix 6-byte out-of-bounds (OOB) read. The previous bounds check in FliDecode.c incorrectly calculated the required read buffer size when copying a chunk, potentially reading six extra bytes off the end of the allocated buffer from the heap. Present since Pillow 7.1.0. This bug was found by Google’s OSS-Fuzz CIFuzz runs.
Other Changes#
Python 3.10 wheels#
Pillow now includes binary wheels for Python 3.10.
The Python 3.10 release candidate was released on 2021-08-03 with the final release due 2021-10-04 (PEP 619). The CPython core team strongly encourages maintainers of third-party Python projects to prepare for 3.10 compatibility. And as there are no ABI changes planned we are releasing wheels to help others prepare for 3.10, and ensure Pillow can be used immediately on release day of 3.10.0 final.
Fixed regressions#
Ensure TIFF RowsPerStrip is multiple of 8 for JPEG compression (#5588).
Updates for ImagePalette channel order (#5599).
Hide FriBiDi shim symbols to avoid conflict with real FriBiDi library (#5651).
Related news
Gentoo Linux Security Advisory 202211-10 - Multiple vulnerabilities have been found in Pillow, the worst of which could result in arbitrary code execution. Versions less than 9.3.0 are affected.
Ubuntu Security Notice 5227-3 - USN-5227-1 fixed vulnerabilities in Pillow. It was discovered that the fix for CVE-2022-22817 was incomplete. This update fixes the problem. It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to hang, resulting in a denial of service. It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to crash, resulting in a denial of service. This issue ony affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 21.04. It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to crash, resulting in a denial of service, or possibly execute arbitrary code. It was disco...