Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2021-34552

Published: 13 July 2021

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.

Notes

AuthorNote
mdeslaur
limited to a DoS only because of FORTIFY_SOURCE

Priority

Low

Cvss 3 Severity Score

9.8

Score breakdown

Status

Package Release Status
pillow
Launchpad, Ubuntu, Debian
focal
Released (7.0.0-4ubuntu0.5)
impish Not vulnerable
(8.1.2+dfsg-0.3)
jammy Not vulnerable
(8.1.2+dfsg-0.3)
kinetic Not vulnerable
(8.1.2+dfsg-0.3)
trusty
Released (2.3.0-1ubuntu3.4+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
xenial
Released (3.1.2-0ubuntu1.6+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
groovy Ignored
(end of life)
upstream
Released (8.1.2+dfsg-0.3, 8.3.0)
bionic
Released (5.1.0-1ubuntu0.7)
hirsute
Released (8.1.2-1ubuntu0.2)
lunar Not vulnerable
(8.1.2+dfsg-0.3)
Patches:
upstream: https://github.com/python-pillow/Pillow/commit/31c473898c29d1b7cb6555ce67d9503a4906b83f
upstream: https://github.com/python-pillow/Pillow/commit/518ee3722a99d7f7d890db82a20bd81c1c0327fb
This vulnerability is mitigated in part by the use of -D_FORTIFY_SOURCE=2 in Ubuntu.
pillow-python2
Launchpad, Ubuntu, Debian
impish Does not exist

jammy Does not exist

kinetic Does not exist

trusty Does not exist

xenial Does not exist

bionic Does not exist

focal Needs triage

hirsute Does not exist

upstream Needs triage

groovy Ignored
(end of life)
lunar Does not exist

python-imaging
Launchpad, Ubuntu, Debian
impish Does not exist

jammy Does not exist

kinetic Does not exist

trusty Does not exist

xenial Does not exist

bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

upstream Needs triage

lunar Does not exist

Severity score breakdown

Parameter Value
Base score 9.8
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H