CVE-2021-28677

NameCVE-2021-28677
DescriptionAn issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2716-1
NVD severitymedium
Debian Bugs989062

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pillow (PTS)stretch4.0.0-4+deb9u1vulnerable
stretch (security)4.0.0-4+deb9u3fixed
buster5.4.1-2+deb10u2vulnerable
buster (security)5.4.1-2+deb10u1vulnerable
bookworm, bullseye8.1.2+dfsg-0.3fixed
sid8.3.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pillowsourceexperimental8.2.0-1
pillowsourcestretch4.0.0-4+deb9u3DLA-2716-1
pillowsource(unstable)8.1.2+dfsg-0.2989062

Notes

[buster] - pillow <no-dsa> (Minor issue)
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92

Search for package or bug name: Reporting problems