CVE-2023-44271: 
Python vulnerability analysis and mitigation

CVE-2023-44271 is a vulnerability discovered in Pillow versions before 10.0.0. The vulnerability involves a Denial of Service condition where the software uncontrollably allocates memory when processing certain tasks, specifically when the textlength function in an ImageDraw instance operates on a long text argument within the truetype ImageFont component (NVD, Checkmarx).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (High), with the following characteristics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality Impact: None, Integrity Impact: None, Availability Impact: High. The issue is categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

When exploited, this vulnerability can cause a service to crash by exhausting its memory resources. The impact is primarily on availability, with no direct effect on confidentiality or integrity. The vulnerability occurs when processing long text arguments in the ImageFont component, potentially leading to uncontrolled memory allocation (Checkmarx).

The vulnerability was fixed in Pillow version 10.0.0 by introducing ImageFont.MAX_STRING_LENGTH, which defaults to 1,000,000 characters. This limit can be adjusted or disabled by setting ImageFont.MAX_STRING_LENGTH to None. Users are recommended to upgrade to version 10.0.0 or later to address this vulnerability (Github Commit, Github PR).

The vulnerability has been acknowledged and patched by various Linux distributions. Debian included the fix in version 5.4.1-2+deb10u5 for Debian 10 (buster), and Fedora backported the fix to version 9.5.0-1.fc38 for Fedora 38 (Debian LTS, Fedora Update).