Ensure JpegImagePlugin stops at the end of a truncated file #5921
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
radarhere
changed the title
hugovk
approved these changes
Jan 1, 2022
radarhere
added a commit
to radarhere/Pillow
that referenced
this pull request
Jan 1, 2022
sbrunner
added a commit
to camptocamp/tilecloud-chain
that referenced
this pull request
Feb 2, 2022
+==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +==============================================================================+ | REPORT | | checked 1 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pipenv | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ | REPORT | | checked 63 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pillow | 8.3.2 | <9.0.0 | 44487 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow | | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that | | use the Python exec method. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict- | | builtins-available-to-imagemath-eval | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44485 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in | | Pillow before 9.0.0 improperly initializes ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44524 | +==============================================================================+ | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to | | avoid Denial of Service attacks. | | python-pillow/Pillow#5921 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44525 | +==============================================================================+ | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. | | python-pillow/Pillow#5912 | | https://github.com/python- | | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44486 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in | | Pillow before 9.0.0 has a buffer over-read during initialization of | | ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | urllib3 | 1.25.11 | <1.26.5 | 43975 | +==============================================================================+ | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in | | urllib3 before 1.26.5. When provided with a URL containing many @ characters | | in the authority component, the authority regular expression exhibits | | catastrophic backtracking, causing a denial of service if a URL were passed | | as a parameter or redirected to via an HTTP redirect. | | GHSA-q2q7-5pp4-w6pg | +==============================================================================+
sbrunner
added a commit
to camptocamp/tilecloud-chain
that referenced
this pull request
Feb 2, 2022
+==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +==============================================================================+ | REPORT | | checked 1 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pipenv | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ | REPORT | | checked 63 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pillow | 8.3.2 | <9.0.0 | 44487 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow | | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that | | use the Python exec method. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict- | | builtins-available-to-imagemath-eval | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44485 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in | | Pillow before 9.0.0 improperly initializes ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44524 | +==============================================================================+ | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to | | avoid Denial of Service attacks. | | python-pillow/Pillow#5921 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44525 | +==============================================================================+ | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. | | python-pillow/Pillow#5912 | | https://github.com/python- | | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44486 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in | | Pillow before 9.0.0 has a buffer over-read during initialization of | | ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | urllib3 | 1.25.11 | <1.26.5 | 43975 | +==============================================================================+ | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in | | urllib3 before 1.26.5. When provided with a URL containing many @ characters | | in the authority component, the authority regular expression exhibits | | catastrophic backtracking, causing a denial of service if a URL were passed | | as a parameter or redirected to via an HTTP redirect. | | GHSA-q2q7-5pp4-w6pg | +==============================================================================+
sbrunner
added a commit
to camptocamp/tilecloud-chain
that referenced
this pull request
Feb 2, 2022
+==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +==============================================================================+ | REPORT | | checked 1 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pipenv | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ | REPORT | | checked 63 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pillow | 8.3.2 | <9.0.0 | 44487 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow | | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that | | use the Python exec method. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict- | | builtins-available-to-imagemath-eval | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44485 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in | | Pillow before 9.0.0 improperly initializes ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44524 | +==============================================================================+ | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to | | avoid Denial of Service attacks. | | python-pillow/Pillow#5921 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44525 | +==============================================================================+ | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. | | python-pillow/Pillow#5912 | | https://github.com/python- | | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44486 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in | | Pillow before 9.0.0 has a buffer over-read during initialization of | | ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | urllib3 | 1.25.11 | <1.26.5 | 43975 | +==============================================================================+ | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in | | urllib3 before 1.26.5. When provided with a URL containing many @ characters | | in the authority component, the authority regular expression exhibits | | catastrophic backtracking, causing a denial of service if a URL were passed | | as a parameter or redirected to via an HTTP redirect. | | GHSA-q2q7-5pp4-w6pg | +==============================================================================+
sbrunner
added a commit
to camptocamp/c2cgeoportal
that referenced
this pull request
Feb 4, 2022
``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | urllib3 | 1.25.9 | <1.26.5 | 43975 | +==============================================================================+ | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in | | urllib3 before 1.26.5. When provided with a URL containing many @ characters | | in the authority component, the authority regular expression exhibits | | catastrophic backtracking, causing a denial of service if a URL were passed | | as a parameter or redirected to via an HTTP redirect. | | GHSA-q2q7-5pp4-w6pg | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44716 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the | | array_from_pyobj function of fortranobject.c, which allows attackers to | | conduct a Denial of Service attacks by carefully constructing an array with | | negative values. | | numpy/numpy#19000 | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44717 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string | | comparison in the numpy.core component in NumPy before 1.22.0 allows | | attackers to trigger slightly incorrect copying by constructing specific | | string objects. NOTE: the vendor states that this reported code behavior is | | "completely harmless." | | numpy/numpy#18993 | +==============================================================================+ | numpy | 1.21.5 | >0 | 44715 | +==============================================================================+ | All versions of Numpy are affected by CVE-2021-41495: A null Pointer | | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew | | function due to missing return-value validation, which allows attackers to | | conduct DoS attacks by repetitively creating sort arrays. | | numpy/numpy#19038 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44487 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow | | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that | | use the Python exec method. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict- | | builtins-available-to-imagemath-eval | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44485 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in | | Pillow before 9.0.0 improperly initializes ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44524 | +==============================================================================+ | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to | | avoid Denial of Service attacks. | | python-pillow/Pillow#5921 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44525 | +==============================================================================+ | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. | | python-pillow/Pillow#5912 | | https://github.com/python- | | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44486 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in | | Pillow before 9.0.0 has a buffer over-read during initialization of | | ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pipenv | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ ```
sbrunner
added a commit
to camptocamp/c2cgeoportal
that referenced
this pull request
Feb 4, 2022
``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | urllib3 | 1.25.9 | <1.26.5 | 43975 | +==============================================================================+ | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in | | urllib3 before 1.26.5. When provided with a URL containing many @ characters | | in the authority component, the authority regular expression exhibits | | catastrophic backtracking, causing a denial of service if a URL were passed | | as a parameter or redirected to via an HTTP redirect. | | GHSA-q2q7-5pp4-w6pg | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44716 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the | | array_from_pyobj function of fortranobject.c, which allows attackers to | | conduct a Denial of Service attacks by carefully constructing an array with | | negative values. | | numpy/numpy#19000 | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44717 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string | | comparison in the numpy.core component in NumPy before 1.22.0 allows | | attackers to trigger slightly incorrect copying by constructing specific | | string objects. NOTE: the vendor states that this reported code behavior is | | "completely harmless." | | numpy/numpy#18993 | +==============================================================================+ | numpy | 1.21.5 | >0 | 44715 | +==============================================================================+ | All versions of Numpy are affected by CVE-2021-41495: A null Pointer | | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew | | function due to missing return-value validation, which allows attackers to | | conduct DoS attacks by repetitively creating sort arrays. | | numpy/numpy#19038 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44487 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow | | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that | | use the Python exec method. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict- | | builtins-available-to-imagemath-eval | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44485 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in | | Pillow before 9.0.0 improperly initializes ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44524 | +==============================================================================+ | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to | | avoid Denial of Service attacks. | | python-pillow/Pillow#5921 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44525 | +==============================================================================+ | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. | | python-pillow/Pillow#5912 | | https://github.com/python- | | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44486 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in | | Pillow before 9.0.0 has a buffer over-read during initialization of | | ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pipenv | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ ```
geiregjo
pushed a commit
to Awingu/Pillow
that referenced
this pull request
May 10, 2022
Ensure JpegImagePlugin stops at the end of a truncated file
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
JpegImagePluginmay append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.If the EOF marker is not detected as such however, this could lead to an infinite loop where
JpegImagePluginkeeps trying to end the file.