PT-2021-4557 · Python+9 · Pillow+10

Published

2021-07-13

·

Updated

2024-06-15

·

CVE-2021-34552

CVSS v2.0

10

Critical

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Pillow versions 8.2.0 and earlier PIL (aka Python Imaging Library) versions 1.1.7 and earlier
Description The issue is related to a buffer overflow in Convert.c, which can be triggered by passing controlled parameters directly into a convert function. This can allow a remote attacker to access confidential data, compromise data integrity, and cause a denial of service. The vulnerability is associated with the convert() or ImagingConvertTransparent() function implementation in the Pillow and PIL libraries, where buffer copying occurs without checking the size of the input data.
Recommendations For Pillow versions 8.2.0 and earlier, consider disabling the convert function until a patch is available. For PIL (aka Python Imaging Library) versions 1.1.7 and earlier, restrict access to the convert() or ImagingConvertTransparent() function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-120CWE-119

Related Identifiers

ALSA-2021:4149
ALT-PU-2021-3028
ALT-PU-2023-7942
ALT-PU-2023-8182
BDU:2021-05225
BDU:2021-05405
BIT-PILLOW-2021-34552
CESA-2021_4149
CVE-2021-34552
DLA-2716-1
GHSA-7534-MM45-C74V
MGASA-2021-0389
OPENSUSE-SU-2021:1134-1
OPENSUSE-SU-2021_1134-1
OPENSUSE-SU-2024:11209-1
OPENSUSE-SU-2024:13827-1
OPENSUSE-SU-2024_1673-1
PYSEC-2021-331
RHSA-2021:4149
RHSA-2021_4149
RLSA-2021:4149
SUSE-SU-2021:2595-1
SUSE-SU-2021:2631-1
SUSE-SU-2021:2632-1
SUSE-SU-2024:1673-1
SUSE-SU-2024:1673-2
USN-5227-1
USN-5227-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Pil
Pillow
Red Hat
Rocky Linux
Suse
Ubuntu