An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
References
Link | Resource |
---|---|
https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856 | Patch |
https://github.com/python-pillow/Pillow/pull/5377 | Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html | Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ | Mailing List |
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos | Release Notes Third Party Advisory |
https://security.gentoo.org/glsa/202107-33 | Third Party Advisory |
Configurations
History
22 Dec 2023, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
14 Sep 2021, 17:38
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
References | (GENTOO) https://security.gentoo.org/glsa/202107-33 - Third Party Advisory |
22 Jul 2021, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Jun 2021, 14:45
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 7.5 |
CPE | cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* |
|
CWE | CWE-835 | |
References | (MISC) https://github.com/python-pillow/Pillow/pull/5377 - Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ - Mailing List, Third Party Advisory | |
References | (MISC) https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos - Release Notes, Third Party Advisory |
03 Jun 2021, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Jun 2021, 16:28
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-06-02 16:15
Updated : 2024-02-04 21:47
NVD link : CVE-2021-28676
Mitre link : CVE-2021-28676
CVE.ORG link : CVE-2021-28676
JSON object : View
Products Affected
python
- pillow
fedoraproject
- fedora
CWE
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')