PublicDateAtUSN: 2020-01-05 22:15:00 UTC
Candidate: CVE-2019-19911
PublicDate: 2020-01-05 22:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19911
 https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
 https://ubuntu.com/security/notices/USN-4272-1
Description:
 There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948224
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_pillow:
 upstream: https://github.com/python-pillow/Pillow/commit/774e53bb132461d8d5ebefec1162e29ec0ebc63d
upstream_pillow: released (7.0.0-1)
precise/esm_pillow: DNE
trusty_pillow: ignored (out of standard support)
trusty/esm_pillow: released (2.3.0-1ubuntu3.4+esm1)
xenial_pillow: released (3.1.2-0ubuntu1.3)
esm-infra/xenial_pillow: released (3.1.2-0ubuntu1.3)
bionic_pillow: released (5.1.0-1ubuntu0.2)
disco_pillow: ignored (reached end-of-life)
eoan_pillow: released (6.1.0-1ubuntu0.2)
devel_pillow: released (7.0.0-4)