UBUNTU-CVE-2021-28677

See a problem?

Source

https://ubuntu.com/security/notices/UBUNTU-CVE-2021-28677

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-28677.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2021-28677

Related

Published

2021-05-10T00:00:00Z

Modified

2021-05-10T00:00:00Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.

References

Affected packages

Ubuntu:Pro:14.04:LTS / pillow

Package

Name: pillow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.1-1ubuntu2

2.2.1-2ubuntu1

2.2.1-3ubuntu2

2.2.1-3ubuntu3

2.2.1-3ubuntu4

2.2.1-3ubuntu6

2.3.0-1ubuntu1

2.3.0-1ubuntu2

2.3.0-1ubuntu3

2.3.0-1ubuntu3.2

2.3.0-1ubuntu3.3

2.3.0-1ubuntu3.4

2.3.0-1ubuntu3.4+esm1

2.3.0-1ubuntu3.4+esm2

2.3.0-1ubuntu3.4+esm3

2.3.0-1ubuntu3.4+esm4

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:Pro:16.04:LTS / pillow

Package

Name: pillow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.9.0-1

3.*

3.0.0-1

3.0.0-1build1

3.1.0-1

3.1.1-1

3.1.2-0ubuntu1

3.1.2-0ubuntu1.1

3.1.2-0ubuntu1.3

3.1.2-0ubuntu1.4

3.1.2-0ubuntu1.5

3.1.2-0ubuntu1.6

3.1.2-0ubuntu1.6+esm1

3.1.2-0ubuntu1.6+esm2

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:18.04:LTS / pillow

Package

Name: pillow
Purl: pkg:deb/ubuntu/pillow@5.1.0-1ubuntu0.6?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.1.0-1ubuntu0.6

Affected versions

4.*

4.1.1-3build2

4.3.0-2ubuntu1

5.*

5.0.0-1

5.1.0-1

5.1.0-1ubuntu0.2

5.1.0-1ubuntu0.3

5.1.0-1ubuntu0.4

5.1.0-1ubuntu0.5

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "python3-pil-dbg": "5.1.0-1ubuntu0.6",
            "python-pil-dbg": "5.1.0-1ubuntu0.6",
            "python-pil-doc": "5.1.0-1ubuntu0.6",
            "python3-pil.imagetk": "5.1.0-1ubuntu0.6",
            "python3-pil.imagetk-dbg": "5.1.0-1ubuntu0.6",
            "python-pil.imagetk": "5.1.0-1ubuntu0.6",
            "python-pil.imagetk-dbg": "5.1.0-1ubuntu0.6",
            "python3-pil": "5.1.0-1ubuntu0.6",
            "python-pil": "5.1.0-1ubuntu0.6"
        }
    ]
}

Ubuntu:20.04:LTS / pillow

Package

Name: pillow
Purl: pkg:deb/ubuntu/pillow@7.0.0-4ubuntu0.4?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.0.0-4ubuntu0.4

Affected versions

6.*

6.1.0-1

6.1.0-1build1

6.2.1-2

7.*

7.0.0-4

7.0.0-4build1

7.0.0-4ubuntu0.1

7.0.0-4ubuntu0.2

7.0.0-4ubuntu0.3

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "python3-pil.imagetk-dbg": "7.0.0-4ubuntu0.4",
            "python3-pil-dbg": "7.0.0-4ubuntu0.4",
            "python-pil-doc": "7.0.0-4ubuntu0.4",
            "python3-pil": "7.0.0-4ubuntu0.4",
            "python3-pil.imagetk": "7.0.0-4ubuntu0.4"
        }
    ]
}

Ubuntu:20.04:LTS / pillow-python2

Package

Name: pillow-python2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.2.1-3~build1

6.2.1-3

Ecosystem specific

{
    "ubuntu_priority": "low"
}