Lucene search

Debian Security Bug TrackerDEBIANCVE:CVE-2023-44271

HistoryNov 03, 2023 - 5:15 a.m.

CVE-2023-44271

2023-11-0305:15:30

Debian Security Bug Tracker

security-tracker.debian.org

pillow

denial of service

memory allocation

imagefont

imagedraw

truetype

cve-2023-44271

unix

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.5 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

21.9%

JSON

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

OSVersionArchitecturePackageVersionFilename
Debian12allpillow<= 9.4.0-1.1pillow_9.4.0-1.1_all.deb
Debian11allpillow<= 8.1.2+dfsg-0.3+deb11u1pillow_8.1.2+dfsg-0.3+deb11u1_all.deb
Debian10allpillow< 5.4.1-2+deb10u5pillow_5.4.1-2+deb10u5_all.deb
Debian999allpillow< 10.0.0-1pillow_10.0.0-1_all.deb
Debian13allpillow< 10.0.0-1pillow_10.0.0-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	pillow	<= 9.4.0-1.1	pillow_9.4.0-1.1_all.deb
Debian	11	all	pillow	<= 8.1.2+dfsg-0.3+deb11u1	pillow_8.1.2+dfsg-0.3+deb11u1_all.deb
Debian	10	all	pillow	< 5.4.1-2+deb10u5	pillow_5.4.1-2+deb10u5_all.deb
Debian	999	all	pillow	< 10.0.0-1	pillow_10.0.0-1_all.deb
Debian	13	all	pillow	< 10.0.0-1	pillow_10.0.0-1_all.deb