FITS GZIP decompression bomb in Pillow

Vulnerability Description

### Impact

Pillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation).

### Patches

The amount of data read is now limited to the necessary amount. Fixed in Pillow 12.2.0 (PR #9521).

### Workarounds

- Avoid Pillow >= 10.3.0, < 12.2.0.
- Only open [specific image formats](https://pillow.readthedocs.io/en/stable/releasenotes/8.0.0.html#image-open-add-formats-parameter), excluding FITS.

Source Code Location: https://github.com/python-pillow/Pillow

Affected Packages:
- pip:pillow, affected >= 10.3.0, < 12.2.0, patched in 12.2.0

CWEs:
- CWE-770: Allocation of Resources Without Limits or Throttling

CVSS:
- CVSS_V4: score 8.7, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References:
- https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j
- https://github.com/python-pillow/Pillow/pull/9521
- https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628
- https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb
- https://github.com/advisories/GHSA-whj4-6x5x-4v2j
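The following is an added example, not code from the advisory or from the Pillow project, showing how a consumer of Pillow can act on the two workarounds above: check whether an installed version falls inside the affected range `>= 10.3.0, < 12.2.0`, and open untrusted images through Pillow's real `Image.open(..., formats=[...])` allow-list so the FITS plugin is never consulted. The function names, the format allow-list and the constructed sample bytes are this example's own; the 6-byte `SIMPLE` sniff mirrors the keyword every FITS primary header starts with.

```python
"""Added example (not from the advisory or the Pillow project): defender-side
checks for the FITS GZIP decompression bomb (GHSA-whj4-6x5x-4v2j).

1. is_affected_version(): is a Pillow version inside the advisory's
   affected range >= 10.3.0, < 12.2.0?
2. open_image_restricted(): open image bytes with Pillow's real
   Image.open(..., formats=[...]) allow-list (added in Pillow 8.0.0), so a
   FITS payload is never handed to the FITS decoder, plus a cheap
   magic-byte sniff for rejecting and logging such inputs up front.

Function names, the allow-list and the sample bytes are this example's own.
"""
from __future__ import annotations

import io
from typing import Iterable

AFFECTED_MIN = (10, 3, 0)   # first affected release (inclusive)
PATCHED = (12, 2, 0)        # fixed in 12.2.0 (exclusive upper bound)


def _parse_version(version: str) -> tuple[int, int, int]:
    """Turn '12.1.0' (or '12.1') into a comparable tuple; a pre-release
    suffix such as '12.2.0rc1' is reduced to its leading numeric part."""
    parts: list[int] = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected_version(version: str) -> bool:
    """True if this Pillow version falls in the advisory's affected range."""
    return AFFECTED_MIN <= _parse_version(version) < PATCHED


def looks_like_fits(prefix: bytes) -> bool:
    """FITS primary headers begin with the mandatory 'SIMPLE' keyword,
    so the first six bytes identify the format without decoding anything."""
    return prefix[:6] == b"SIMPLE"


# Formats a typical upload handler actually needs; FITS is deliberately absent.
DEFAULT_ALLOWED: tuple[str, ...] = ("JPEG", "PNG", "GIF", "WEBP")


def open_image_restricted(data: bytes, allowed: Iterable[str] = DEFAULT_ALLOWED):
    """Open image bytes with an explicit format allow-list.

    Image.open(formats=[...]) only tries the listed plugins, so anything
    outside the list (FITS included) raises PIL.UnidentifiedImageError
    instead of reaching a decoder we did not opt into.
    """
    from PIL import Image  # imported here so the pure checks above run without Pillow

    if looks_like_fits(data[:80]):
        # Redundant with the allow-list, but gives a clear audit-log reason.
        raise ValueError("rejected FITS input: format not on the allow-list")
    return Image.open(io.BytesIO(data), formats=list(allowed))


if __name__ == "__main__":
    # Constructed sample: the first 80-byte FITS header card, not a real file.
    fits_prefix = b"SIMPLE  =                    T".ljust(80)
    png_prefix = b"\x89PNG\r\n\x1a\n"
    print("FITS sniffed:", looks_like_fits(fits_prefix))          # True
    print("PNG sniffed as FITS:", looks_like_fits(png_prefix))    # False
    for ver in ("10.2.0", "10.3.0", "12.1.0", "12.2.0"):
        print(ver, "affected" if is_affected_version(ver) else "not affected")
```

In a real service the version check belongs in a startup or CI assertion (fail the build if `PIL.__version__` is affected), while the allow-list belongs at every `Image.open` call that touches untrusted input; the allow-list is the workaround that remains useful even after upgrading, since it also keeps every other unneeded plugin out of the attack surface.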