Package details: pkg:deb/debian/pillow@8.1.2%2Bdfsg-0.3%2Bdeb11u2
purl: pkg:deb/debian/pillow@8.1.2%2Bdfsg-0.3%2Bdeb11u2 (version percent-decoded: 8.1.2+dfsg-0.3+deb11u2)
Next non-vulnerable version: 9.4.0-1.1+deb12u1
Latest non-vulnerable version: 9.4.0-1.1+deb12u1
Risk: 4.1
Vulnerabilities affecting this package (3)
VCID-5fpe-de5a-37ct
Aliases: BIT-pillow-2021-23437, CVE-2021-23437, GHSA-98vv-pw6r-q6q4, PYSEC-2021-317, SNYK-PYTHON-PILLOW-1319443
Summary: Pillow from 0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
Fixed by: 9.4.0-1.1+deb12u1 (the fixing package is affected by 0 other vulnerabilities)

VCID-9due-xke8-vqgt
Aliases: BIT-pillow-2022-24303, CVE-2022-24303, GHSA-9j59-75qj-795w, GMS-2022-348, PYSEC-2022-168
Summary: Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.
Fixed by: 9.4.0-1.1+deb12u1 (the fixing package is affected by 0 other vulnerabilities)

VCID-jgwx-yhhb-6yft
Aliases: BIT-pillow-2022-45198, CVE-2022-45198, GHSA-m2vv-5vj5-2hm7, PYSEC-2022-42979
Summary: Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).
Fixed by: 9.4.0-1.1+deb12u1 (the fixing package is affected by 0 other vulnerabilities)
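Added example, not VulnerableCode's or Pillow's own code: a small Python script that percent-decodes the purl on this page and orders the decoded version against the "Fixed by" version using the Debian version algorithm described in deb-version(7), the same ordering that dpkg --compare-versions applies. The purl, its version string and the fixed-by version are copied from this page; the function names are mine. One caveat the comparison cannot express: 9.4.0-1.1+deb12u1 is a Debian 12 package while the package on this page is a Debian 11 package, and Debian backports security fixes without changing the upstream version, so "sorts below the fixed-by version" means "older", not necessarily "unpatched". The "Vulnerabilities fixed by this package" list is where the backported fixes are recorded.

```python
"""Decode the purl on this page and order its version the way dpkg does.

Added example, not VulnerableCode's or Pillow's own code. The ordering
follows deb-version(7); the constants are copied from this page.
"""
from urllib.parse import unquote

# Values copied from the page header and the "Fixed by" column.
PAGE_PURL = "pkg:deb/debian/pillow@8.1.2%2Bdfsg-0.3%2Bdeb11u2"
FIXED_BY = "9.4.0-1.1+deb12u1"


def parse_purl(purl: str) -> dict:
    """Split a package URL into type/namespace/name/version.
    Percent-decoding turns the %2B in the page's purl back into '+'."""
    scheme, _, rest = purl.partition(":")
    if scheme != "pkg":
        raise ValueError("not a purl: %r" % purl)
    rest = rest.split("?", 1)[0].split("#", 1)[0]   # drop qualifiers and subpath
    path, _, version = rest.partition("@")
    ptype, _, ns_name = path.partition("/")
    namespace, _, name = ns_name.rpartition("/")
    return {
        "type": ptype,
        "namespace": unquote(namespace) or None,
        "name": unquote(name),
        "version": unquote(version) or None,
    }


def _at(s: str, i: int) -> str:
    """Character at index i, or '' past the end (dpkg's NUL)."""
    return s[i] if i < len(s) else ""


def _order(c: str) -> int:
    """dpkg's character weight: '~' sorts before everything, even the end of
    the string; letters before non-letters; end of string and digits are 0."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream-version or revision pair dpkg-style: alternate
    non-digit runs (lexical by _order) with digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (_at(a, i) and not _at(a, i).isdigit()) or (_at(b, j) and not _at(b, j).isdigit()):
            ac, bc = _order(_at(a, i)), _order(_at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while _at(a, i) == "0":       # leading zeros are insignificant
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _at(a, i).isdigit():       # longer digit run is the larger number
            return 1
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """[epoch:]upstream[-revision]; the last '-' starts the revision."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def sorts_below_fix(purl: str, fixed_by: str) -> bool:
    """True when the purl's version orders below the fixing version.
    Older, not necessarily unpatched: Debian backports fixes in place."""
    version = parse_purl(purl)["version"]
    if version is None:
        raise ValueError("purl carries no version: %r" % purl)
    return compare_versions(version, fixed_by) < 0


if __name__ == "__main__":
    print(parse_purl(PAGE_PURL)["version"])      # 8.1.2+dfsg-0.3+deb11u2
    print(sorts_below_fix(PAGE_PURL, FIXED_BY))  # True
```

On a Debian host, dpkg --compare-versions '8.1.2+dfsg-0.3+deb11u2' lt '9.4.0-1.1+deb12u1' gives the same answer; the Python reimplementation is for scanners that run where dpkg is not installed. The tilde rule (1.0~rc1 sorts before 1.0) and the epoch prefix are the two places where naive string or tuple comparison of Debian versions goes wrong.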
Vulnerabilities fixed by this package (35)
Note: these fix records come from the Debian OVAL definitions for bullseye (the Debian Oval Importer rows in the history at the end of this page). Debian backports security fixes into the existing upstream version, so entries such as "before 10.3.0" are fixed in 8.1.2+dfsg-0.3+deb11u2 by patch, and the upstream ranges in the summaries cannot be compared directly against the Debian version number.
VCID-13kb-u1tp-73fu
Summary: An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.
Aliases: BIT-pillow-2021-25288, CVE-2021-25288, GHSA-rwv7-3v45-hg29, PYSEC-2021-138

VCID-1zmn-5zx3-2kab
Summary: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.
Aliases: BIT-pillow-2021-27923, CVE-2021-27923, GHSA-95q3-8gr9-gm8w, PYSEC-2021-42

VCID-22vm-fpzm-hkep
Summary: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.
Aliases: BIT-pillow-2021-27921, CVE-2021-27921, GHSA-f4w8-cv6p-x6r5, PYSEC-2021-40

VCID-5wm9-zath-x7dy
Summary: There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer.
Aliases: CVE-2019-19911, GHSA-5gm3-px64-rw72, PYSEC-2020-172

VCID-7jch-5hxc-6ufk
Summary: An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
Aliases: CVE-2019-16865, GHSA-j7mj-748x-7p78, PYSEC-2019-110

VCID-8u3x-uhum-dbdz
Summary: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.
Aliases: BIT-pillow-2022-22817, CVE-2022-22817, GHSA-8vj2-vxx3-667w, PYSEC-2022-10

VCID-9qhg-wthd-2feb
Summary: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
Aliases: BIT-pillow-2022-22815, CVE-2022-22815, GHSA-pw3c-h7wp-cvhx, PYSEC-2022-8

VCID-b21b-ucpb-pbbv
Summary: An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.
Aliases: BIT-pillow-2021-28675, CVE-2021-28675, GHSA-g6rj-rv7j-xwp4, PYSEC-2021-139

VCID-beyg-bzsk-h7dd
Summary: libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
Aliases: BIT-pillow-2020-5312, CVE-2020-5312, GHSA-p49h-hjvm-jg3h, PYSEC-2020-83

VCID-cpms-qu5p-bffb
Summary: In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.
Aliases: BIT-pillow-2020-35653, CVE-2020-35653, GHSA-f5g8-5qq7-938w, PYSEC-2021-69

VCID-dhhz-5aav-m7am
Summary: In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.
Aliases: BIT-pillow-2020-35654, CVE-2020-35654, GHSA-vqcj-wrf2-7v73, PYSEC-2021-70

VCID-e4yx-7np3-j7cg
Summary: An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.
Aliases: BIT-pillow-2021-25291, CVE-2021-25291, GHSA-mvg9-xffr-p774, PYSEC-2021-37

VCID-e51c-zvqh-bbdk
Summary: An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.
Aliases: BIT-pillow-2021-25290, CVE-2021-25290, GHSA-8xjq-8fcg-g5hw, PYSEC-2021-36

VCID-egyy-erjx-tuey
Summary: An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.
Aliases: BIT-pillow-2021-25289, CVE-2021-25289, GHSA-57h3-9rgr-c24m, PYSEC-2021-35

VCID-gezp-xc9s-6fhd
Summary: An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
Aliases: BIT-pillow-2021-28678, CVE-2021-28678, GHSA-hjfx-8p6c-g7gx, PYSEC-2021-94

VCID-j4bx-8hbu-n3cp
Summary: Arbitrary Code Execution in Pillow: Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
Aliases: CVE-2023-50447, GHSA-3f63-hfp8-52jq

VCID-jqw6-pxaj-mkcg
Summary: An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
Aliases: BIT-pillow-2021-28676, CVE-2021-28676, GHSA-7r7m-5h27-29hp, PYSEC-2021-92

VCID-jwr6-nxcq-cfaz
Summary: Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
Aliases: BIT-pillow-2020-10177, CVE-2020-10177, GHSA-cqhg-xjhh-p8hf, PYSEC-2020-76

VCID-mrgz-udvr-xfcy
Summary: Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.
Aliases: BIT-pillow-2021-34552, CVE-2021-34552, GHSA-7534-mm45-c74v, PYSEC-2021-331

VCID-ndu9-a6dm-c7hk
Summary: An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.
Aliases: BIT-pillow-2021-25293, CVE-2021-25293, GHSA-p43w-g3c5-g5mq, PYSEC-2021-39

VCID-qa59-e7mz-tuah
Summary: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
Aliases: BIT-pillow-2022-22816, CVE-2022-22816, GHSA-xrcv-f9gm-v42c, PYSEC-2022-9

VCID-qdgq-uetp-huet
Summary: In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
Aliases: BIT-pillow-2020-10378, CVE-2020-10378, GHSA-3xv8-3j54-hgrp, PYSEC-2020-77

VCID-qg7c-edaa-jqfp
Summary: An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
Aliases: BIT-pillow-2021-28677, CVE-2021-28677, GHSA-q5hq-fp76-qmrc, PYSEC-2021-93

VCID-t423-5mrd-zfgc
Summary: In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.
Aliases: BIT-pillow-2020-35655, CVE-2020-35655, GHSA-hf64-x4gq-p99h, PYSEC-2021-71

VCID-tcp3-b9dq-xkbf
Summary: In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
Aliases: BIT-pillow-2020-10994, CVE-2020-10994, GHSA-vj42-xq3r-hr3r, PYSEC-2020-79

VCID-u2tx-1zrw-e3d1
Summary: In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.
Aliases: BIT-pillow-2020-11538, CVE-2020-11538, GHSA-43fq-w8qq-v88h, PYSEC-2020-80

VCID-u6sh-ntun-7ybj
Summary: libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
Aliases: BIT-pillow-2020-5313, CVE-2020-5313, GHSA-hj69-c76v-86wr, PYSEC-2020-84

VCID-uhhx-w7hq-7faz
Summary: In Pillow before 7.1.0, there are two buffer overflows in libImaging/TiffDecode.c.
Aliases: BIT-pillow-2020-10379, CVE-2020-10379, GHSA-8843-m7mw-mxqm, PYSEC-2020-78

VCID-v8cj-pcn6-juff
Summary: An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
Aliases: BIT-pillow-2023-44271, CVE-2023-44271, GHSA-8ghj-p4vj-mr35, PYSEC-2023-227

VCID-x9n2-jz5u-n7b5
Summary: An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.
Aliases: BIT-pillow-2021-25292, CVE-2021-25292, GHSA-9hx2-hgq2-2g4f, PYSEC-2021-38

VCID-xxem-11vz-akfc
Summary: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.
Aliases: BIT-pillow-2021-27922, CVE-2021-27922, GHSA-3wvg-mj6g-m9cv, PYSEC-2021-41

VCID-yc15-m42h-quhg
Summary: Pillow buffer overflow vulnerability: in _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.
Aliases: CVE-2024-28219, GHSA-44wm-f244-xhp3

VCID-ygd3-7jsw-3bcm
Summary: libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.
Aliases: BIT-pillow-2020-5311, CVE-2020-5311, GHSA-r7rm-8j6h-r933, PYSEC-2020-82

VCID-zkmc-8kzj-hqa4
Summary: An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.
Aliases: BIT-pillow-2021-25287, CVE-2021-25287, GHSA-77gc-v2xv-rvvh, PYSEC-2021-137

VCID-zv8x-5snd-f3e3
Summary: libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.
Aliases: BIT-pillow-2020-5310, CVE-2020-5310, GHSA-vcqg-3p29-xw73, PYSEC-2020-81

Import history (Date | Actor | Action | Vulnerability | Source | VulnerableCode version)
2025-08-01T19:31:52.421445+00:00 Debian Oval Importer Fixing VCID-dhhz-5aav-m7am https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:30:54.678952+00:00 Debian Oval Importer Fixing VCID-tcp3-b9dq-xkbf https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:27:53.664727+00:00 Debian Oval Importer Fixing VCID-jqw6-pxaj-mkcg https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:26:38.011728+00:00 Debian Oval Importer Fixing VCID-ygd3-7jsw-3bcm https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:26:22.712902+00:00 Debian Oval Importer Fixing VCID-7jch-5hxc-6ufk https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:19:31.340399+00:00 Debian Oval Importer Fixing VCID-qg7c-edaa-jqfp https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:03:29.773540+00:00 Debian Oval Importer Fixing VCID-u6sh-ntun-7ybj https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T18:10:24.785016+00:00 Debian Oval Importer Fixing VCID-13kb-u1tp-73fu https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T17:54:20.222973+00:00 Debian Oval Importer Fixing VCID-qdgq-uetp-huet https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T17:12:47.295933+00:00 Debian Oval Importer Fixing VCID-e51c-zvqh-bbdk https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T17:08:07.845413+00:00 Debian Oval Importer Fixing VCID-1zmn-5zx3-2kab https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T16:48:33.128792+00:00 Debian Oval Importer Fixing VCID-uhhx-w7hq-7faz https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T16:20:21.944826+00:00 Debian Oval Importer Fixing VCID-x9n2-jz5u-n7b5 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T16:14:49.227620+00:00 Debian Oval Importer Fixing VCID-beyg-bzsk-h7dd https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:43:02.575960+00:00 Debian Oval Importer Fixing VCID-yc15-m42h-quhg https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:17:52.825216+00:00 Debian Oval Importer Fixing VCID-t423-5mrd-zfgc https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:02:50.262016+00:00 Debian Oval Importer Fixing VCID-gezp-xc9s-6fhd https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:42:01.838006+00:00 Debian Oval Importer Fixing VCID-22vm-fpzm-hkep https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:31:47.245082+00:00 Debian Oval Importer Fixing VCID-xxem-11vz-akfc https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:27:30.962473+00:00 Debian Oval Importer Fixing VCID-cpms-qu5p-bffb https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:14:29.084866+00:00 Debian Oval Importer Fixing VCID-5wm9-zath-x7dy https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:11:44.414051+00:00 Debian Oval Importer Fixing VCID-zv8x-5snd-f3e3 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:55:40.577037+00:00 Debian Oval Importer Fixing VCID-v8cj-pcn6-juff https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:54:39.186101+00:00 Debian Oval Importer Fixing VCID-ndu9-a6dm-c7hk https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:26:51.846167+00:00 Debian Oval Importer Fixing VCID-qa59-e7mz-tuah https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:24:46.935547+00:00 Debian Oval Importer Fixing VCID-9qhg-wthd-2feb https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:21:50.603033+00:00 Debian Importer Affected by VCID-5fpe-de5a-37ct https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-08-01T13:16:26.182256+00:00 Debian Oval Importer Fixing VCID-zkmc-8kzj-hqa4 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:08:35.693476+00:00 Debian Oval Importer Fixing VCID-mrgz-udvr-xfcy https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:04:26.618345+00:00 Debian Oval Importer Fixing VCID-8u3x-uhum-dbdz https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T12:37:11.886817+00:00 Debian Importer Affected by VCID-jgwx-yhhb-6yft https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-08-01T12:33:49.321614+00:00 Debian Importer Affected by VCID-9due-xke8-vqgt https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-08-01T12:17:37.498039+00:00 Debian Oval Importer Fixing VCID-e4yx-7np3-j7cg https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T12:11:32.254922+00:00 Debian Oval Importer Fixing VCID-egyy-erjx-tuey https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T12:10:26.328780+00:00 Debian Oval Importer Fixing VCID-u2tx-1zrw-e3d1 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T12:09:19.336676+00:00 Debian Oval Importer Fixing VCID-b21b-ucpb-pbbv https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T12:05:58.840729+00:00 Debian Oval Importer Fixing VCID-jwr6-nxcq-cfaz https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T11:52:19.168130+00:00 Debian Oval Importer Fixing VCID-j4bx-8hbu-n3cp https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0