PsdImagePlugin.PsdImageFile did not sanity check the number of input layers with regard to the size of the data block; this could lead to a denial-of-service on open() prior to load(). This dates to the PIL fork.

References:
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#security
https://github.com/python-pillow/Pillow/pull/5377
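The kind of check the description says was missing, as an added example (not Pillow's code and not the upstream patch): the declared layer count is compared with the declared block size before any per-layer loop runs, and every later read is bounded by the same budget. The record layout, the names `take`, `read_layer_heads` and `LayerBlockError`, and both sample blocks are assumptions made for this illustration.

```python
import io
import struct

# Assumed record layout for this example: 16-byte rectangle + 2-byte channel count,
# then 6 bytes per channel, 12 bytes of blend data, and a 4-byte extra-data length.
HEAD = struct.Struct(">4iH")


class LayerBlockError(ValueError):
    """The layer block is inconsistent with its declared size."""


def take(fp, n, budget):
    """Read exactly n bytes without going past the declared block size."""
    if n > budget[0]:
        raise LayerBlockError("read would run past the layer block")
    data = fp.read(n)
    if len(data) != n:
        raise LayerBlockError("file ends inside the layer block")
    budget[0] -= n
    return data


def read_layer_heads(fp, block_size):
    """Return (top, left, bottom, right, channels) per layer, or raise."""
    budget = [block_size]
    (count,) = struct.unpack(">h", take(fp, 2, budget))
    count = abs(count)  # a negative count is a flag; the magnitude is the layer count
    # Sanity check: reject an impossible count before the loop runs.
    if count * HEAD.size > budget[0]:
        raise LayerBlockError(f"{count} layers cannot fit in {budget[0]} bytes")
    heads = []
    for _ in range(count):
        head = HEAD.unpack(take(fp, HEAD.size, budget))
        take(fp, head[4] * 6, budget)  # per channel: id (2 bytes) + data length (4)
        take(fp, 12, budget)  # signature, blend key, opacity/clipping/flags/filler
        (extra,) = struct.unpack(">I", take(fp, 4, budget))
        take(fp, extra, budget)  # mask, blending ranges, layer name
        heads.append(head)
    return heads


# Constructed sample blocks (not from a real file).
ONE_LAYER = (struct.pack(">h", 1) + HEAD.pack(0, 0, 4, 4, 1)
             + struct.pack(">hI", 0, 16) + b"8BIM" + b"norm"
             + bytes([255, 0, 0, 0]) + struct.pack(">I", 0))
BAD_COUNT = struct.pack(">h", 32767) + bytes(8)  # count far exceeds the block
```

`read_layer_heads(io.BytesIO(ONE_LAYER), len(ONE_LAYER))` returns one layer head, while the same call on `BAD_COUNT` raises `LayerBlockError` at the count check.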
Created mingw-python-pillow tracking bugs for this issue:
Affects: fedora-all [bug 1958244]

Created python-pillow tracking bugs for this issue:
Affects: fedora-all [bug 1958241]

Created python2-pillow tracking bugs for this issue:
Affects: fedora-all [bug 1958242]

Created python3-pillow tracking bugs for this issue:
Affects: epel-7 [bug 1958243]
Statement: To mitigate this feature on Red Hat Quay, keep the invoice generation feature disabled, as it is by default.
Upstream patch: https://github.com/python-pillow/Pillow/commit/22e9bee4ef225c0edbb9323f94c26cee0c623497
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4149 https://access.redhat.com/errata/RHSA-2021:4149
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-28675