CVE-2019-19911

Name
CVE-2019-19911
Description
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Release Notes https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
UBUNTU https://usn.ubuntu.com/4272-1/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P/
DEBIAN https://www.debian.org/security/2020/dsa-4631

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:* pillow >= None < 6.2.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status