CVE-2021-28677

NameCVE-2021-28677
DescriptionAn issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2716-1
Debian Bugs989062

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pillow (PTS)buster5.4.1-2+deb10u3fixed
buster (security)5.4.1-2+deb10u6fixed
bullseye (security), bullseye8.1.2+dfsg-0.3+deb11u1fixed
bookworm9.4.0-1.1fixed
trixie10.2.0-1fixed
sid10.3.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pillowsourceexperimental8.2.0-1
pillowsourcestretch4.0.0-4+deb9u3DLA-2716-1
pillowsourcebuster5.4.1-2+deb10u3
pillowsource(unstable)8.1.2+dfsg-0.2989062

Notes

https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92
Search for package or bug name: Reporting problems