https://github.com/python-pillow/Pillow/pull/5377

https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos

FEDORA-2021-77756994ba

GLSA-202107-33

According to the versions of the python-pillow packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in Pillow before 8.2.0. There     is an out-of-bounds read in J2kDecode, in     j2ku_graya_la.(CVE-2021-25287)

  - An issue was discovered in Pillow before 8.2.0. There     is an out-of-bounds read in J2kDecode, in     j2ku_gray_i.(CVE-2021-25288)

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for a     BLP container, and thus an attempted memory allocation     can be very large.(CVE-2021-27921)

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for     an ICNS container, and thus an attempted memory     allocation can be very large.(CVE-2021-27922)

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for     an ICO container, and thus an attempted memory     allocation can be very large.(CVE-2021-27923)

  - An issue was discovered in Pillow before 8.2.0.
    PSDImagePlugin.PsdImageFile lacked a sanity check on     the number of input layers relative to the size of the     data block. This could lead to a DoS on Image.open     prior to Image.load.(CVE-2021-28675)

  - An issue was discovered in Pillow before 8.2.0. For FLI     data, FliDecode did not properly check that the block     advance was non-zero, potentially leading to an     infinite loop on load.(CVE-2021-28676)

  - An issue was discovered in Pillow before 8.2.0. For EPS     data, the readline implementation used in EPSImageFile     has to deal with any combination of \r and \n as line     endings. It used an accidentally quadratic method of     accumulating lines while looking for a line ending. A     malicious EPS file could use this to perform a DoS of     Pillow in the open phase, before an image was accepted     for opening.(CVE-2021-28677)

  - An issue was discovered in Pillow before 8.2.0. For BLP     data, BlpImagePlugin did not properly check that reads     (after jumping to file offsets) returned data. This     could lead to a DoS where the decoder could be run a     large number of times on empty data.(CVE-2021-28678)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the python-pillow package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for a     BLP container, and thus an attempted memory allocation     can be very large.(CVE-2021-27921)

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for     an ICNS container, and thus an attempted memory     allocation can be very large.(CVE-2021-27922)

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for     an ICO container, and thus an attempted memory     allocation can be very large.(CVE-2021-27923)

  - In Pillow before 8.1.0, SGIRleDecode has a 4-byte     buffer over-read when decoding crafted SGI RLE image     files because offsets and length tables are     mishandled.(CVE-2020-35655)

  - An issue was discovered in Pillow before 8.2.0.
    PSDImagePlugin.PsdImageFile lacked a sanity check on     the number of input layers relative to the size of the     data block. This could lead to a DoS on Image.open     prior to Image.load.(CVE-2021-28675)

  - An issue was discovered in Pillow before 8.2.0. For FLI     data, FliDecode did not properly check that the block     advance was non-zero, potentially leading to an     infinite loop on load.(CVE-2021-28676)

  - An issue was discovered in Pillow before 8.2.0. For EPS     data, the readline implementation used in EPSImageFile     has to deal with any combination of \r and \n as line     endings. It used an accidentally quadratic method of     accumulating lines while looking for a line ending. A     malicious EPS file could use this to perform a DoS of     Pillow in the open phase, before an image was accepted     for opening.(CVE-2021-28677)

  - An issue was discovered in Pillow before 8.2.0. For BLP     data, BlpImagePlugin did not properly check that reads     (after jumping to file offsets) returned data. This     could lead to a DoS where the decoder could be run a     large number of times on empty data.(CVE-2021-28678)

  - An issue was discovered in Pillow before 8.2.0. There     is an out-of-bounds read in J2kDecode, in     j2ku_graya_la.(CVE-2021-25287)

  - An issue was discovered in Pillow before 8.2.0. There     is an out-of-bounds read in J2kDecode, in     j2ku_gray_i.(CVE-2021-25288)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the python-pillow package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for     an ICO container, and thus an attempted memory     allocation can be very large. (CVE-2021-27923)

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for     an ICNS container, and thus an attempted memory     allocation can be very large. (CVE-2021-27922)

  - Pillow before 8.1.1 allows attackers to cause a denial     of service (memory consumption) because the reported     size of a contained image is not properly checked for a     BLP container, and thus an attempted memory allocation     can be very large. (CVE-2021-27921)

  - In Pillow before 8.1.0, SGIRleDecode has a 4-byte     buffer over-read when decoding crafted SGI RLE image     files because offsets and length tables are     mishandled.(CVE-2020-35655)

  - An issue was discovered in Pillow before 8.2.0. For EPS     data, the readline implementation used in EPSImageFile     has to deal with any combination of \r and \n as line     endings. It used an accidentally quadratic method of     accumulating lines while looking for a line ending. A     malicious EPS file could use this to perform a DoS of     Pillow in the open phase, before an image was accepted     for opening.(CVE-2021-28677)

  - An issue was discovered in Pillow before 8.2.0. For FLI     data, FliDecode did not properly check that the block     advance was non-zero, potentially leading to an     infinite loop on load.(CVE-2021-28676)

  - An issue was discovered in Pillow before 8.2.0. There     is an out-of-bounds read in J2kDecode, in     j2ku_graya_la.(CVE-2021-25287)

  - An issue was discovered in Pillow before 8.2.0. For BLP     data, BlpImagePlugin did not properly check that reads     (after jumping to file offsets) returned data. This     could lead to a DoS where the decoder could be run a     large number of times on empty data.(CVE-2021-28678)

  - An issue was discovered in Pillow before 8.2.0. There     is an out-of-bounds read in J2kDecode, in     j2ku_gray_i.(CVE-2021-25288)

  - An issue was discovered in Pillow before 8.2.0.
    PSDImagePlugin.PsdImageFile lacked a sanity check on     the number of input layers relative to the size of the     data block. This could lead to a DoS on Image.open     prior to Image.load.(CVE-2021-28675)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4963-1 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

python-pillow reports :

This release fixes several vulnerabilities found with `OSS-Fuzz`.

- `CVE-2021-25288`: Fix OOB read in Jpeg2KDecode. This dates to Pillow 2.4.0.

- `CVE-2021-28675`: Fix DOS in PsdImagePlugin. This dates to the PIL fork.

- `CVE-2021-28676`: Fix FLI DOS. This dates to the PIL fork.

- `CVE-2021-28677`: Fix EPS DOS on _open. This dates to the PIL fork.

- `CVE-2021-28678`: Fix BLP DOS. This dates to Pillow 5.1.0.

- Fix memory DOS in ImageFont. This dates to the PIL fork.

ID	Name	Product	Family	Severity
152397	EulerOS 2.0 SP8 : python-pillow (EulerOS-SA-2021-2314)	Nessus	Huawei Local Security Checks	critical
152314	EulerOS 2.0 SP9 : python-pillow (EulerOS-SA-2021-2253)	Nessus	Huawei Local Security Checks	critical
152285	EulerOS 2.0 SP9 : python-pillow (EulerOS-SA-2021-2279)	Nessus	Huawei Local Security Checks	critical
151567	EulerOS Virtualization 2.9.0 : python-pillow (EulerOS-SA-2021-2209)	Nessus	Huawei Local Security Checks	critical
151547	EulerOS Virtualization 2.9.1 : python-pillow (EulerOS-SA-2021-2187)	Nessus	Huawei Local Security Checks	critical
149818	Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 : Pillow vulnerabilities (USN-4963-1)	Nessus	Ubuntu Local Security Checks	critical
149464	FreeBSD : Pillow -- multiple vulnerabilities (f947aa26-b2f9-11eb-a5f7-a0f3c100ae18)	Nessus	FreeBSD Local Security Checks	critical

CVE-2021-28678

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical