GHSA-q4mp-jvh2-76fj

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-q4mp-jvh2-76fj/GHSA-q4mp-jvh2-76fj.json
Aliases
Published
2022-11-14T12:00:15Z
Modified
2022-11-22T18:33:21.180263Z
Details

Pillow starting with 9.2.0 and prior to 9.3.0 allows denial of service via SAMPLESPERPIXEL. A large value in the SAMPLESPERPIXEL tag could lead to a memory and runtime DoS in TiffImagePlugin.py when setting up the context for image decoding. This issue has been patched in version 9.3.0.

References

Affected packages

PyPI / pillow

pillow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.2.0
Fixed
9.3.0

Affected versions

9.*

9.2.0

Ecosystem specific

{
    "affected_functions": [
        "PIL.TiffImagePlugin.MAX_SAMPLESPERPIXEL",
        "PIL.TiffImagePlugin.TiffImageFile._setup"
    ]
}