Nixpkgs security tracker
Activity log
- Created suggestion
Pillow is vulnerable to a FITS GZIP decompression bomb
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
References
-
https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j x_refsource_CONFIRM
-
https://github.com/python-pillow/Pillow/pull/9521 x_refsource_MISC
Affected products
- ==>= 10.3.0, < 12.2.0
Matching in nixpkgs
pkgs.python312Packages.pillow
Friendly PIL fork (Python Imaging Library)
pkgs.python313Packages.pillow
Friendly PIL fork (Python Imaging Library)
pkgs.python314Packages.pillow
Friendly PIL fork (Python Imaging Library)
pkgs.python312Packages.pillow-heif
Python library for working with HEIF images and plugin for Pillow
pkgs.python312Packages.pillow-jpls
JPEG-LS plugin for the Python Pillow library
pkgs.python312Packages.pillowfight
Eases the transition from PIL to Pillow for Python packages
pkgs.python313Packages.pillow-heif
Python library for working with HEIF images and plugin for Pillow
pkgs.python313Packages.pillow-jpls
JPEG-LS plugin for the Python Pillow library
pkgs.python313Packages.pillowfight
Eases the transition from PIL to Pillow for Python packages
pkgs.python314Packages.pillow-heif
Python library for working with HEIF images and plugin for Pillow
pkgs.python314Packages.pillow-jpls
JPEG-LS plugin for the Python Pillow library
pkgs.python314Packages.pillowfight
Eases the transition from PIL to Pillow for Python packages
pkgs.python312Packages.types-pillow
Typing stubs for Pillow
-
nixos-25.11 10.2.0.20240822
- nixos-25.11-small 10.2.0.20240822
- nixpkgs-25.11-darwin 10.2.0.20240822
pkgs.python313Packages.types-pillow
Typing stubs for Pillow
-
nixos-unstable 10.2.0.20240822
- nixpkgs-unstable 10.2.0.20240822
- nixos-unstable-small 10.2.0.20240822
-
nixos-25.11 10.2.0.20240822
- nixos-25.11-small 10.2.0.20240822
- nixpkgs-25.11-darwin 10.2.0.20240822
pkgs.python314Packages.types-pillow
Typing stubs for Pillow
-
nixos-unstable 10.2.0.20240822
- nixpkgs-unstable 10.2.0.20240822
- nixos-unstable-small 10.2.0.20240822
pkgs.python312Packages.pypillowfight
Library containing various image processing algorithms
pkgs.python313Packages.pypillowfight
Library containing various image processing algorithms
pkgs.python314Packages.pypillowfight
Library containing various image processing algorithms
pkgs.python312Packages.pillow-avif-plugin
Pillow plugin that adds support for AVIF files
pkgs.python313Packages.pillow-avif-plugin
Pillow plugin that adds support for AVIF files
Package maintainers
-
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
-
@D4ndellion Daniel Olsen <daniel@dodsorf.as>
-
@kuflierl Kennet Flierl <kuflierl@gmail.com>
-
@bcdarwin Ben Darwin <bcdarwin@gmail.com>
-
@pyrox0 Pyrox <pyrox@pyrox.dev>
-
@arjan-s Arjan Schrijver <github@anymore.nl>
-
@RatCornu Balthazar Patiachvili <ratcornu+programmation@skaven.org>