—

PYSEC-2021-70

Details

In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / pillow

Introduced in: 0 Fixed in: 8.1.0

Fix pip install --upgrade 'pillow>=8.1.0'

References

https://pillow.readthedocs.io/en/stable/releasenotes/index.html [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/ [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/ [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/ [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/ [WEB]
https://github.com/advisories/GHSA-vqcj-wrf2-7v73 [ADVISORY]