Merge pull request #10 from ActiveState/BE-152-cve-2021-27922

Update changelogs with fixes that were already in, BE-584, BE-151, BE…
2025-08-11 15:54:45 +03:00 · 2023-03-13 16:40:30 -05:00 · 2023-03-13 16:40:30 -05:00 · c3851b77ca
commit c3851b77ca
parent b06ecb4365 5a35a1d0d4
2 changed files with 12 additions and 3 deletions
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -12,7 +12,11 @@ Changelog (Pillow)
 since Pillow 4.3.0.
  [rickprice]

- Fix CVE-2021-27291
+- Fix CVE-2021-27921
+  [rickprice]
+- Fix CVE-2021-27922
+  [rickprice]
+- Fix CVE-2021-27923
  [rickprice]

 - Fix CVE-2021-25290
--- a/docs/releasenotes/6.2.2.4.rst
+++ b/docs/releasenotes/6.2.2.4.rst
@ -11,6 +11,11 @@ since Pillow 4.3.0.

 :cve: `CVE-2021-25291`: An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.

-:cve: `CVE-2021-2791` : Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.
+:cve: `CVE-2021-27921` : Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.
+
+:cve: `CVE-2021-27922` : Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.
+
+:cve: `CVE-2021-27923` : Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.
+

 :cve: `CVE-2021-25290` : Fix negative size read in TiffDecode.c