Bug 1190229 – VUL-0: CVE-2021-23437: python-Pillow: Regular Expression Denial of Service (ReDoS) via the getrgb function

Bug 1190229 - (CVE-2021-23437) VUL-0: CVE-2021-23437: python-Pillow: Regular Expression Denial of Service (ReDoS) via the getrgb function

(CVE-2021-23437)
Summary:	VUL-0: CVE-2021-23437: python-Pillow: Regular Expression Denial of Service (R...

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/309103/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-23437:7.5:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-09-06 14:13 UTC by Gabriele Sonnu
Modified:	2021-11-10 09:23 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gabriele Sonnu 2021-09-06 14:13:56 UTC

The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression
Denial of Service (ReDoS) via the getrgb function.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23437
http://www.cvedetails.com/cve/CVE-2021-23437/
https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23437
https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html
https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443

Comment 1 Gabriele Sonnu 2021-09-06 14:14:07 UTC

Affected packages:

 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Pillow  4.2.1
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Pillow  5.2.0
 - openSUSE:Backports:SLE-15-SP2/python-Pillow                  5.0.0
 - openSUSE:Backports:SLE-15-SP3/python-Pillow                  7.2.0
 - openSUSE:Backports:SLE-15-SP4/python-Pillow                  7.2.0
 - openSUSE:Factory/python-Pillow                               8.3.1

Upstream patch:

https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b

Comment 4 Swamp Workflow Management 2021-09-27 19:23:18 UTC

SUSE-SU-2021:3234-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1190229
CVE References: CVE-2021-23437
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python-Pillow-4.2.1-3.20.2
SUSE OpenStack Cloud 8 (src):    python-Pillow-4.2.1-3.20.2
HPE Helion Openstack 8 (src):    python-Pillow-4.2.1-3.20.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 Swamp Workflow Management 2021-09-27 19:24:27 UTC

SUSE-SU-2021:3235-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1190229
CVE References: CVE-2021-23437
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python-Pillow-5.2.0-3.14.1
SUSE OpenStack Cloud 9 (src):    python-Pillow-5.2.0-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Christian Almeida de Oliveira 2021-11-10 09:23:10 UTC

Solution for the affected SOC versions delivered. Back to Security team.