GHSA-q4mp-jvh2-76fj

Source

https://github.com/advisories/GHSA-q4mp-jvh2-76fj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-q4mp-jvh2-76fj/GHSA-q4mp-jvh2-76fj.json

Aliases

BIT-pillow-2022-45199
CVE-2022-45199
PYSEC-2022-42980

Published

2022-11-14T12:00:15Z

Modified

2023-12-06T01:02:42.645414Z

Details

Pillow starting with 9.2.0 and prior to 9.3.0 allows denial of service via SAMPLESPERPIXEL. A large value in the SAMPLESPERPIXEL tag could lead to a memory and runtime DOS in TiffImagePlugin.py when setting up the context for image decoding. This issue has been patched in version 9.3.0.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-45199
https://github.com/python-pillow/Pillow/pull/6700
https://github.com/python-pillow/Pillow/commit/2444cddab2f83f28687c7c20871574acbb6dbcf3
https://bugs.gentoo.org/878769
https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-42980.yaml
https://github.com/python-pillow/Pillow
https://github.com/python-pillow/Pillow/releases/tag/9.3.0
https://security.gentoo.org/glsa/202211-10

Affected packages

PyPI / pillow

Package

Name: pillow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.2.0

Fixed

9.3.0

Affected versions

9.*

9.2.0

Ecosystem specific

{
    "affected_functions": [
        "PIL.TiffImagePlugin.MAX_SAMPLESPERPIXEL",
        "PIL.TiffImagePlugin.TiffImageFile._setup"
    ]
}