ELA-1694-1 pillow security update

multiple vulnerabilities

2026-04-24
Package: pillow
Version: 4.0.0-4+deb9u7 (stretch)
Related CVEs: CVE-2019-16865 CVE-2021-27922 CVE-2021-27923 CVE-2021-28675


Multiple vulnerabilities have been found in pillow, an image processing library for Python, which could be exploited for denial of service through resource exhaustion.

CVE-2019-16865

When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

CVE-2021-27922

Denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.

CVE-2021-27923

Denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

CVE-2021-28675

PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.
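The ICO case (CVE-2021-27923) as an added illustration, not part of this advisory and not Pillow's own code: a minimal ICO directory parser that rejects an entry whose declared byte size does not fit inside the file before any image buffer is allocated. The function names `validated_ico_entries` and `build_ico` are assumptions of this example, and the sample files are constructed inline.

```python
import struct

# ICO container layout: a 6-byte ICONDIR header followed by 16-byte ICONDIRENTRY
# records; each entry declares the byte size and file offset of one contained image.
ICO_HEADER = struct.Struct("<HHH")      # reserved (0), type (1 = icon), image count
ICO_ENTRY = struct.Struct("<BBBBHHII")  # width, height, colours, reserved, planes, bpp, size, offset


def validated_ico_entries(data: bytes) -> list:
    """Parse the ICO directory and reject any entry whose declared size or offset
    does not fit inside the file. Only the directory is read, so nothing is
    allocated on the strength of an untrusted size field (the CVE-2021-27923 pattern).
    Hypothetical helper written for this example, not Pillow's API."""
    if len(data) < ICO_HEADER.size:
        raise ValueError("truncated ICO header")
    reserved, ico_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or ico_type != 1:
        raise ValueError("not an ICO file")
    entries = []
    for i in range(count):
        pos = ICO_HEADER.size + i * ICO_ENTRY.size
        if pos + ICO_ENTRY.size > len(data):
            raise ValueError(f"directory entry {i} lies past end of file")
        w, h, _, _, _, bpp, size, offset = ICO_ENTRY.unpack_from(data, pos)
        # The reported size is an untrusted uint32 (up to 4 GiB); bound it by the bytes we hold.
        if size == 0 or offset + size > len(data):
            raise ValueError(f"entry {i}: declared {size} bytes at offset {offset} "
                             f"do not fit in a {len(data)}-byte file")
        entries.append({"width": w or 256, "height": h or 256, "bpp": bpp,
                        "size": size, "offset": offset})
    return entries


def build_ico(declared_size: int, payload: bytes) -> bytes:
    """Constructed sample: one 1x1, 32-bpp entry whose directory claims `declared_size` bytes."""
    offset = ICO_HEADER.size + ICO_ENTRY.size
    entry = ICO_ENTRY.pack(1, 1, 0, 0, 1, 32, declared_size, offset)
    return ICO_HEADER.pack(0, 1, 1) + entry + payload


GOOD_ICO = build_ico(4, b"\x00" * 4)           # size field matches the 4 payload bytes
BAD_ICO = build_ico(0xFFFFFFFF, b"\x00" * 4)   # claims ~4 GiB of image data in a 26-byte file

if __name__ == "__main__":
    print(validated_ico_entries(GOOD_ICO))
    try:
        validated_ico_entries(BAD_ICO)
    except ValueError as exc:
        print("rejected:", exc)
```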


For Debian 9 stretch, these problems have been fixed in version 4.0.0-4+deb9u7.

We recommend that you upgrade your pillow packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.