CVE-2021-28677
Published: 10 May 2021
An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
Priority
Low
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
pillow Launchpad, Ubuntu, Debian |
bionic |
Released
(5.1.0-1ubuntu0.6)
|
| focal |
Released
(7.0.0-4ubuntu0.4)
|
|
| groovy |
Released
(7.2.0-1ubuntu0.3)
|
|
| hirsute |
Released
(8.1.2-1ubuntu0.1)
|
|
| impish |
Released
(8.1.2+dfsg-0.1ubuntu1)
|
|
| jammy |
Released
(8.1.2+dfsg-0.1ubuntu1)
|
|
| kinetic |
Released
(8.1.2+dfsg-0.1ubuntu1)
|
|
| precise |
Does not exist
|
|
| trusty |
Needs triage
|
|
| upstream |
Released
(8.2.0)
|
|
| xenial |
Needs triage
|
|
|
Patches: upstream: https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92 |
||
|
pillow-python2 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Needs triage
|
|
| groovy |
Ignored
(reached end-of-life)
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python-imaging Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| precise |
Ignored
(end of ESM support, was needs-triage)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|