Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1124

NIXPKGS-2026-1124

GitHub issue published on

Permalink CVE-2026-40192

updated 1 week, 6 days ago by @LeSuisse Activity log

Created suggestion 1 week, 6 days ago
@LeSuisse ignored
17 packages
- python312Packages.pillow-heif
- python312Packages.pillow-jpls
- python312Packages.pillowfight
- python313Packages.pillow-heif
- python313Packages.pillow-jpls
- python313Packages.pillowfight
- python314Packages.pillow-heif
- python314Packages.pillow-jpls
- python314Packages.pillowfight
- python312Packages.types-pillow
- python313Packages.types-pillow
- python314Packages.types-pillow
- python312Packages.pypillowfight
- python313Packages.pypillowfight
- python314Packages.pypillowfight
- python312Packages.pillow-avif-plugin
- python313Packages.pillow-avif-plugin
1 week, 6 days ago
@LeSuisse accepted 1 week, 6 days ago
@LeSuisse ignored maintainer @mweinelt 1 week, 6 days ago maintainer.ignore
@LeSuisse published on GitHub 1 week, 6 days ago

Pillow is vulnerable to a FITS GZIP decompression bomb

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.

References

https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j x_refsource_CONFIRM
https://github.com/python-pillow/Pillow/pull/9521 x_refsource_MISC
https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628 x_refsource_MISC
https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb x_refsource_MISC

Affected products

Pillow

==>= 10.3.0, < 12.2.0

Matching in nixpkgs

pkgs.python312Packages.pillow

Friendly PIL fork (Python Imaging Library)

nixos-25.11 12.1.1
- nixos-25.11-small 12.1.1
- nixpkgs-25.11-darwin 12.1.1

pkgs.python313Packages.pillow

Friendly PIL fork (Python Imaging Library)

nixos-unstable 12.1.1
- nixpkgs-unstable 12.1.1
- nixos-unstable-small 12.1.1
nixos-25.11 12.1.1
- nixos-25.11-small 12.1.1
- nixpkgs-25.11-darwin 12.1.1

pkgs.python314Packages.pillow

Friendly PIL fork (Python Imaging Library)

nixos-unstable 12.1.1
- nixpkgs-unstable 12.1.1
- nixos-unstable-small 12.1.1

Ignored packages (17)

pkgs.python312Packages.pillow-heif

Python library for working with HEIF images and plugin for Pillow

nixos-25.11 1.1.0
- nixos-25.11-small 1.1.0
- nixpkgs-25.11-darwin 1.1.0

pkgs.python312Packages.pillow-jpls

JPEG-LS plugin for the Python Pillow library

nixos-25.11 1.3.2
- nixos-25.11-small 1.3.2
- nixpkgs-25.11-darwin 1.3.2

pkgs.python312Packages.pillowfight

Eases the transition from PIL to Pillow for Python packages

nixos-25.11 0.4
- nixos-25.11-small 0.4
- nixpkgs-25.11-darwin 0.4

pkgs.python313Packages.pillow-heif

Python library for working with HEIF images and plugin for Pillow

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.1.0
- nixos-25.11-small 1.1.0
- nixpkgs-25.11-darwin 1.1.0

pkgs.python313Packages.pillow-jpls

JPEG-LS plugin for the Python Pillow library

nixos-unstable 1.3.2
- nixpkgs-unstable 1.3.2
- nixos-unstable-small 1.3.2
nixos-25.11 1.3.2
- nixos-25.11-small 1.3.2
- nixpkgs-25.11-darwin 1.3.2

pkgs.python313Packages.pillowfight

Eases the transition from PIL to Pillow for Python packages

nixos-unstable 0.4
- nixpkgs-unstable 0.4
- nixos-unstable-small 0.4
nixos-25.11 0.4
- nixos-25.11-small 0.4
- nixpkgs-25.11-darwin 0.4

pkgs.python314Packages.pillow-heif

Python library for working with HEIF images and plugin for Pillow

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.python314Packages.pillow-jpls

JPEG-LS plugin for the Python Pillow library

nixos-unstable 1.3.2
- nixpkgs-unstable 1.3.2
- nixos-unstable-small 1.3.2

pkgs.python314Packages.pillowfight

Eases the transition from PIL to Pillow for Python packages

nixos-unstable 0.4
- nixpkgs-unstable 0.4
- nixos-unstable-small 0.4

pkgs.python312Packages.types-pillow

Typing stubs for Pillow

nixos-25.11 10.2.0.20240822
- nixos-25.11-small 10.2.0.20240822
- nixpkgs-25.11-darwin 10.2.0.20240822

pkgs.python313Packages.types-pillow

Typing stubs for Pillow

nixos-unstable 10.2.0.20240822
- nixpkgs-unstable 10.2.0.20240822
- nixos-unstable-small 10.2.0.20240822
nixos-25.11 10.2.0.20240822
- nixos-25.11-small 10.2.0.20240822
- nixpkgs-25.11-darwin 10.2.0.20240822

pkgs.python314Packages.types-pillow

Typing stubs for Pillow

nixos-unstable 10.2.0.20240822
- nixpkgs-unstable 10.2.0.20240822
- nixos-unstable-small 10.2.0.20240822

pkgs.python312Packages.pypillowfight

Library containing various image processing algorithms

nixos-25.11 0.3.1
- nixos-25.11-small 0.3.1
- nixpkgs-25.11-darwin 0.3.1

pkgs.python313Packages.pypillowfight

Library containing various image processing algorithms

nixos-unstable 0.3.1
- nixpkgs-unstable 0.3.1
- nixos-unstable-small 0.3.1
nixos-25.11 0.3.1
- nixos-25.11-small 0.3.1
- nixpkgs-25.11-darwin 0.3.1

pkgs.python314Packages.pypillowfight

Library containing various image processing algorithms

nixos-unstable 0.3.1
- nixpkgs-unstable 0.3.1
- nixos-unstable-small 0.3.1

pkgs.python312Packages.pillow-avif-plugin

Pillow plugin that adds support for AVIF files

nixos-25.11 1.5.2
- nixos-25.11-small 1.5.2
- nixpkgs-25.11-darwin 1.5.2

pkgs.python313Packages.pillow-avif-plugin

Pillow plugin that adds support for AVIF files

nixos-25.11 1.5.2
- nixos-25.11-small 1.5.2
- nixpkgs-25.11-darwin 1.5.2

Package maintainers

Ignored maintainers (1)

@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>