CVE-2021-28677
HIGHPillow < 8.2.0 - Denial of Service via EPS Line Ending Parsing
Title source: llmDescription
An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
References (5)
Core 5
Core References
Third Party Advisory x_refsource_misc
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
Patch, Third Party Advisory x_refsource_misc
https://github.com/python-pillow/Pillow/pull/5377
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202107-33
Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html
Scores
CVSS v3
7.5
EPSS
0.0026
EPSS Percentile
49.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
Status
published
Products (3)
fedoraproject/fedora
33
pypi/pillow
0 - 8.2.0PyPI
python/pillow
< 8.2.0
Published
Jun 02, 2021
Tracked Since
Feb 18, 2026