Fluid Attacks Database

Description

Pillow denial of service via Crafted Block Size PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pillow	>=0 <2.3.2 \|\| >=2.5 <2.5.2	2.3.2, 2.5.2
debian 14	pillow	>=0 <2.5.3-1	2.5.3-1
debian 13	pillow	>=0 <2.5.3-1	2.5.3-1
debian 12	pillow	>=0 <2.5.3-1	2.5.3-1
pypi	pil	-	-
debian 11	pillow	>=0 <2.5.3-1	2.5.3-1
rpm rhel7	python-pillow	-	-
rpm rhel6	python-imaging	-	-
rpm rhel5	python-imaging	-	-

Aliases

1. CVE-2014-35892. NVD-2014-35893. OSV-2014-35894. OSV-DEBIAN-2014-35895. GCVE-2014-35896. SECURITY-TRACKER-CVE-2014-3589

References

1. https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d2. https://github.com/python-pillow/Pillow/commit/5efeed77666bfd17708f3434b1d2daa9db1e13353. https://github.com/python-pillow/Pillow/commit/d47611e6fbb808ea109366781dd76559ffb80bcd4. https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2014-10.yaml5. https://pypi.python.org/pypi/Pillow/2.3.26. https://pypi.python.org/pypi/Pillow/2.5.27. http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html8. http://www.debian.org/security/2014/dsa-30099. http://osvdb.org/show/osvdb/11012810. http://seclists.org/bugtraq/2014/Sep/25

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.