Resource Exhaustion Affecting python-pillow-tk package, versions <0:2.0.0-23.gitd1c6db8.amzn2.0.12
Snyk ID: SNYK-AMZN2-PYTHONPILLOWTK-6515675
- published 2 Apr 2024
- disclosed 3 Nov 2023
Introduced: 3 Nov 2023
CVE: CVE-2023-44271
How to fix?
Upgrade Amazon-Linux:2 python-pillow-tk to version 0:2.0.0-23.gitd1c6db8.amzn2.0.12 or higher.
This issue was patched in ALAS2-2024-2508.
NVD Description
Note: The versions mentioned in the description are upstream Pillow releases and do not map onto the python-pillow-tk package as distributed by Amazon Linux 2, which backports the fix into its own release numbering.
See How to fix? above for the Amazon-Linux:2 fixed version and status.
An issue was discovered in Pillow before 10.0.0. It is a denial of service: Pillow allocates memory without bound while laying out caller-supplied text, so a sufficiently long string can exhaust memory and crash the service. The trigger is a TrueType font loaded through ImageFont.truetype when ImageDraw.textlength is called on a long text argument. The upstream fix (PR #7244, first released in Pillow 10.0.0) adds ImageFont.MAX_STRING_LENGTH and raises ValueError ("too many characters in string") when a string exceeds it, so the bound is enforced before any allocation proportional to the text.
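The following is an added example, not code from this advisory or from the Pillow project. It shows the application-side mitigation a practitioner wants while the package is still unpatched: bound the length of caller-supplied text before it reaches ImageFont/ImageDraw, and report whether the installed Pillow already enforces its own ImageFont.MAX_STRING_LENGTH (Pillow 10.0.0 and later) so the guard can be kept or retired deliberately. The names MAX_CHARS, TextTooLong, guard_text, pillow_enforces_limit, safe_textlength and measure_or_reject, and the FakeDraw/StrictDraw stand-ins, are this example's own choices; the only Pillow API it relies on is ImageDraw's textlength(text, font=...) method (Pillow 8.0.0 and later), which the stand-ins imitate so the block runs without Pillow or a font file.

```python
# Added example; not code from the Snyk advisory or the Pillow project.
# Names below are this example's own. MAX_CHARS mirrors the default value of
# ImageFont.MAX_STRING_LENGTH that Pillow 10.0.0 introduced; an application
# rendering labels or captions can afford a far smaller limit.
MAX_CHARS = 1_000_000


class TextTooLong(ValueError):
    """Raised when caller-supplied text exceeds the configured bound."""


def guard_text(text, limit=MAX_CHARS):
    """Reject text long enough to drive unbounded allocation in font layout.

    Length is counted in code points, the same unit Pillow's own check uses.
    Returns the text unchanged so the call can be inlined at the API boundary.
    """
    if not isinstance(text, str):
        raise TypeError("text must be a str, got %s" % type(text).__name__)
    if limit < 0:
        raise ValueError("limit must be non-negative")
    if len(text) > limit:
        raise TextTooLong(
            "text has %d characters, limit is %d" % (len(text), limit))
    return text


def pillow_enforces_limit():
    """Report whether the installed Pillow has its own MAX_STRING_LENGTH.

    True for Pillow >= 10.0.0, False for older releases (including an
    unpatched distribution build), None if Pillow is not importable at all.
    """
    try:
        from PIL import ImageFont
    except ImportError:
        return None
    return hasattr(ImageFont, "MAX_STRING_LENGTH")


def safe_textlength(draw, text, font=None, limit=MAX_CHARS):
    """Measure text with an ImageDraw-like object only after guard_text passes.

    `draw` is any object exposing textlength(text, font=...), i.e. a
    PIL.ImageDraw.ImageDraw instance. If Pillow's own MAX_STRING_LENGTH check
    fires first, its ValueError is re-raised as TextTooLong so callers see one
    error type regardless of the installed version.
    """
    guard_text(text, limit)
    try:
        return draw.textlength(text, font=font)
    except ValueError as exc:
        if "too many characters" in str(exc):
            raise TextTooLong(str(exc)) from exc
        raise


def measure_or_reject(draw, text, limit=MAX_CHARS):
    """Return ('ok', width) or ('rejected', reason): the shape a request
    handler needs when it must answer a client instead of crashing."""
    try:
        return ("ok", safe_textlength(draw, text, limit=limit))
    except TextTooLong as exc:
        return ("rejected", str(exc))


# Constructed stand-ins so the example runs without Pillow or a font file.
class FakeDraw:
    """Behaves like a pre-10.0.0 Pillow: measures any length without complaint."""

    def textlength(self, text, font=None):
        return 7.0 * len(text)


class StrictDraw:
    """Behaves like Pillow >= 10.0.0 with a tiny MAX_STRING_LENGTH of 5."""

    def textlength(self, text, font=None):
        if len(text) > 5:
            raise ValueError("too many characters in string")
        return 7.0 * len(text)


if __name__ == "__main__":
    print(measure_or_reject(FakeDraw(), "hello", limit=16))
    print(measure_or_reject(FakeDraw(), "x" * 100_000, limit=16))
    print(measure_or_reject(StrictDraw(), "x" * 10))
    print("Pillow enforces its own limit:", pillow_enforces_limit())
```

Keep the guard even after upgrading: Pillow's default bound of one million characters still allows a large allocation per request, and a limit sized to the application's real inputs (a few hundred characters for a caption) fails fast and cheaply.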
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44271
- https://devhub.checkmarx.com/cve-details/CVE-2023-44271/
- https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
- https://github.com/python-pillow/Pillow/pull/7244
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html