PYSEC-2021-71

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/pillow/PYSEC-2021-71.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2021-71

Aliases

BIT-pillow-2020-35655
CVE-2020-35655
GHSA-hf64-x4gq-p99h

Published

2021-01-12T09:15:00Z

Modified

2023-12-06T01:00:33.478747Z

Summary

[none]

Details

In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.

References

https://pillow.readthedocs.io/en/stable/releasenotes/index.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/
https://github.com/advisories/GHSA-hf64-x4gq-p99h

Affected packages

PyPI / pillow

Package

Name: pillow; View open source insights on deps.dev
Purl: pkg:pypi/pillow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.3.0

Fixed

8.1.0

Affected versions

4.*

4.3.0

5.*

5.0.0

5.1.0

5.2.0

5.3.0

5.4.0.dev0

5.4.0

5.4.1

6.*

6.0.0

6.1.0

6.2.0

6.2.1

6.2.2

7.*

7.0.0

7.1.0

7.1.1

7.1.2

7.2.0

8.*

8.0.0

8.0.1

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/pillow/PYSEC-2021-71.yaml"