Fluid Attacks Database

Description

DOS attack in Pillow when processing specially crafted image files An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	pillow	>=0 <6.2.0-1	6.2.0-1
pypi	pillow	>=0 <6.2.0	6.2.0
debian 11	pillow	>=0 <6.2.0-1	6.2.0-1
debian 13	pillow	>=0 <6.2.0-1	6.2.0-1
debian 12	pillow	>=0 <6.2.0-1	6.2.0-1
rpm rhel8	python-pillow	<0:5.1.1-10.el8_1	0:5.1.1-10.el8_1
rpm rhel7	python-pillow	<0:2.0.0-20.gitd1c6db8.el7_7	0:2.0.0-20.gitd1c6db8.el7_7
rpm rhel6	python-imaging	-	-
rpm rhel5	python-imaging	-	-

Aliases

1. CVE-2019-168652. NVD-2019-168653. OSV-DEBIAN-2019-168654. OSV-2019-168655. GHSA-j7mj-748x-7p786. GCVE-2019-168657. SECURITY-TRACKER-CVE-2019-168658. ubuntu.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. access.redhat.com13. access.redhat.com14. access.redhat.com

References

1. https://github.com/python-pillow/Pillow/issues/41232. https://github.com/python-pillow/Pillow/commit/ab52630d0644e42a75eb88b78b9a9d7438a6fbeb3. https://www.debian.org/security/2020/dsa-46314. https://usn.ubuntu.com/4272-15. https://pillow.readthedocs.io/en/latest/releasenotes/6.2.0.html6. https://lists.fedoraproject.org/archives/list/[email protected]/message/LYDXD7EE4YAEVSTNIFZKNVPRVJX5ZOG37. https://lists.fedoraproject.org/archives/list/[email protected]/message/EMJBUZQGQ2Q7HXYCQVRLU7OXNC7CAWWU8. https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2019-110.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.