Bug 1216894 (CVE-2023-44271)

Summary: VUL-0: CVE-2023-44271: python-Pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: daniel.garcia, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/384054/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-44271:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-11-06 04:15:18 UTC 
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that
uncontrollably allocates memory to process a given task, potentially causing a
service to crash by having it run out of memory. This occurs for truetype in
ImageFont when textlength in an ImageDraw instance operates on a long text
argument.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-44271
Comment 3 OBSbugzilla Bot 2023-11-13 10:35:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1216894) was mentioned in
https://build.opensuse.org/request/show/1125429 Factory / python-Pillow
Comment 5 Maintenance Automation 2023-11-16 20:30:24 UTC 
SUSE-SU-2023:4465-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1216894
CVE References: CVE-2023-44271
Sources used:
openSUSE Leap 15.5 (src): python-Pillow-7.2.0-150300.3.3.1
openSUSE Leap 15.3 (src): python-Pillow-7.2.0-150300.3.3.1
openSUSE Leap 15.4 (src): python-Pillow-7.2.0-150300.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-11-22 16:30:06 UTC 
SUSE-SU-2023:4528-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1216894
CVE References: CVE-2023-44271
Sources used:
openSUSE Leap 15.4 (src): python-Pillow-9.5.0-150400.5.6.1
openSUSE Leap 15.5 (src): python-Pillow-9.5.0-150400.5.6.1
Python 3 Module 15-SP4 (src): python-Pillow-9.5.0-150400.5.6.1
Python 3 Module 15-SP5 (src): python-Pillow-9.5.0-150400.5.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-12-01 16:36:07 UTC 
SUSE-SU-2023:4631-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1216894
CVE References: CVE-2023-44271
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): python-Pillow-4.2.1-3.23.2
HPE Helion OpenStack 8 (src): python-Pillow-4.2.1-3.23.2
SUSE OpenStack Cloud 8 (src): python-Pillow-4.2.1-3.23.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-12-01 16:36:12 UTC 
SUSE-SU-2023:4630-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1216894
CVE References: CVE-2023-44271
Sources used:
SUSE OpenStack Cloud 9 (src): python-Pillow-5.2.0-3.20.1
SUSE OpenStack Cloud Crowbar 9 (src): python-Pillow-5.2.0-3.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.