{"id":"PYSEC-2021-71","details":"In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.","aliases":["BIT-pillow-2020-35655","CVE-2020-35655","GHSA-hf64-x4gq-p99h"],"modified":"2023-12-06T01:00:33.478747Z","published":"2021-01-12T09:15:00Z","references":[{"type":"WEB","url":"https://pillow.readthedocs.io/en/stable/releasenotes/index.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-hf64-x4gq-p99h"}],"affected":[{"package":{"name":"pillow","ecosystem":"PyPI","purl":"pkg:pypi/pillow"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.3.0"},{"fixed":"8.1.0"}]}],"versions":["4.3.0","5.0.0","5.1.0","5.2.0","5.3.0","5.4.0.dev0","5.4.0","5.4.1","6.0.0","6.1.0","6.2.0","6.2.1","6.2.2","7.0.0","7.1.0","7.1.1","7.1.2","7.2.0","8.0.0","8.0.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pillow/PYSEC-2021-71.yaml"}}],"schema_version":"1.7.3"}