Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. Reference: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
Created mingw-python-pillow tracking bugs for this issue: Affects: fedora-all [bug 1935399] Created python-pillow tracking bugs for this issue: Affects: fedora-all [bug 1935397] Created python2-pillow tracking bugs for this issue: Affects: fedora-all [bug 1935398] Created python3-pillow tracking bugs for this issue: Affects: epel-7 [bug 1935400]
Statement: Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.
Upstream patch seems to be https://github.com/python-pillow/Pillow/commit/480f6819b592d7f07b9a9a52a7656c10bbe07442
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27922
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4149 https://access.redhat.com/errata/RHSA-2021:4149