FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-25 21:13:12 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
0700e76c-3eb0-11ea-8478-3085a9a95629	Pillow -- Multiple vulnerabilities Pillow developers report: This release addresses several security problems, as well as addressing CVE-2019-19911. CVE-2019-19911 is regarding FPX images. If an image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by limiting the number of bands to those usable by Pillow. Buffer overruns were found when processing an SGI, PCX or FLI image. Checks have been added to prevent this. Overflow checks have been added when calculating the size of a memory block to be reallocated in the processing of a TIFF image. Discovery 2019-12-19 Entry 2020-01-24 py27-pillow py35-pillow py36-pillow py37-pillow py38-pillow < 6.2.2 https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html CVE-2019-19911 CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313 ports/243336
ed8a4215-675c-11ec-8dd4-a0f3c100ae18	Pillow -- Regular Expression Denial of Service (ReDoS) GitHub Advisory Database reports: Uncontrolled Resource Consumption in pillow. The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. References: https://nvd.nist.gov/vuln/detail/CVE-2021-23437 https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT/ Discovery 2021-09-02 Entry 2021-09-03 py38-pillow ge 5.2.0 lt 8.3.2 CVE-2021-23437 https://nvd.nist.gov/vuln/detail/CVE-2021-23437
f947aa26-b2f9-11eb-a5f7-a0f3c100ae18	Pillow -- multiple vulnerabilities python-pillow reports: This release fixes several vulnerabilities found with `OSS-Fuzz`. `CVE-2021-25288`: Fix OOB read in Jpeg2KDecode. This dates to Pillow 2.4.0. `CVE-2021-28675`: Fix DOS in PsdImagePlugin. This dates to the PIL fork. `CVE-2021-28676`: Fix FLI DOS. This dates to the PIL fork. `CVE-2021-28677`: Fix EPS DOS on _open. This dates to the PIL fork. `CVE-2021-28678`: Fix BLP DOS. This dates to Pillow 5.1.0. Fix memory DOS in ImageFont. This dates to the PIL fork. Discovery 2021-04-01 Entry 2021-05-12 py38-pillow < 8.2.0 CVE-2021-25288 CVE-2021-28675 CVE-2021-28676 CVE-2021-28677 CVE-2021-28678

VuXML ID

Description

0700e76c-3eb0-11ea-8478-3085a9a95629

Pillow -- Multiple vulnerabilities

Pillow developers report:

This release addresses several security problems, as well as addressing CVE-2019-19911.
CVE-2019-19911 is regarding FPX images. If an image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by limiting the number of bands to those usable by Pillow.
Buffer overruns were found when processing an SGI, PCX or FLI image. Checks have been added to prevent this.
Overflow checks have been added when calculating the size of a memory block to be reallocated in the processing of a TIFF image.

Discovery 2019-12-19
Entry 2020-01-24
py27-pillow
py35-pillow
py36-pillow
py37-pillow
py38-pillow

< 6.2.2

https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
CVE-2019-19911
CVE-2020-5310
CVE-2020-5311
CVE-2020-5312
CVE-2020-5313
ports/243336

ed8a4215-675c-11ec-8dd4-a0f3c100ae18

Pillow -- Regular Expression Denial of Service (ReDoS)

GitHub Advisory Database reports:

Uncontrolled Resource Consumption in pillow.

The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

References:

https://nvd.nist.gov/vuln/detail/CVE-2021-23437

https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT/

Discovery 2021-09-02
Entry 2021-09-03
py38-pillow

ge 5.2.0 lt 8.3.2

CVE-2021-23437
https://nvd.nist.gov/vuln/detail/CVE-2021-23437

f947aa26-b2f9-11eb-a5f7-a0f3c100ae18

Pillow -- multiple vulnerabilities

python-pillow reports:

This release fixes several vulnerabilities found with `OSS-Fuzz`.

`CVE-2021-25288`: Fix OOB read in Jpeg2KDecode. This dates to Pillow 2.4.0.

`CVE-2021-28675`: Fix DOS in PsdImagePlugin. This dates to the PIL fork.

`CVE-2021-28676`: Fix FLI DOS. This dates to the PIL fork.

`CVE-2021-28677`: Fix EPS DOS on _open. This dates to the PIL fork.

`CVE-2021-28678`: Fix BLP DOS. This dates to Pillow 5.1.0.

Fix memory DOS in ImageFont. This dates to the PIL fork.

Discovery 2021-04-01
Entry 2021-05-12
py38-pillow

< 8.2.0

CVE-2021-25288
CVE-2021-28675
CVE-2021-28676
CVE-2021-28677
CVE-2021-28678