First published: Tue Jul 13 2021
Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Python Pillow | >=1.0, <=1.1.7 | |
| Python Pillow | >=1.2, <=8.2.0 | |
| Debian Debian Linux | =9.0 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| redhat/python-pillow | <0:5.1.1-16.el8 | 0:5.1.1-16.el8 |
The vulnerability ID for this flaw in python-pillow is CVE-2021-34552.
The severity rating of CVE-2021-34552 is medium with a score of 5.9.
The "convert()" and "ImagingConvertTransparent()" functions in Convert.c are affected by CVE-2021-34552.
The impacted software is python-pillow in versions up to, but excluding, 8.3.0; for Red Hat Enterprise Linux 8 the fixed package is python-pillow 0:5.1.1-16.el8.
You can find more information about CVE-2021-34552 at the following references: [CVE-2021-34552](https://www.cve.org/CVERecord?id=CVE-2021-34552), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-34552), [Pillow Release Notes](https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow), [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1982378), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2021:4149).