CVE-2021-28676

Advisory

Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
https://github.com/python-pillow/Pillow/pull/5377
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos

Affected package

Affected versions

Fixed versions

Vulnerability changelog

An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. See CVE-2021-28676.


FEDORA:FEDORA-2021-77756994ba: https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
MISC:https://github.com/python-pillow/Pillow/pull/5377: https://github.com/python-pillow/Pillow/pull/5377
MISC:https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos

Resources

• https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5
• https://github.com/python-pillow/Pillow/pull/5377
• https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28676
• https://security.gentoo.org/glsa/202107-33
• https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
• https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856