Bug 1133306 (CVE-2014-3606)

Summary: CVE-2014-3606 python-pillow: flaw in _unop()
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: falonso, miminar, mmcallis, security-response-team, tsmetana, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-12 09:17:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1133307    

Description Murray McAllister 2014-08-24 13:49:10 UTC 
A flaw was found in the _unop() function in python-pillow's math add-on. A specially-crafted image could cause an application using Python Pillow to crash or, potentially, execute arbitrary code.

Acknowledgements:

This issue was discovered by Francisco Alonso of Red Hat Product Security.
Comment 8 Tomas Hoger 2014-11-12 09:51:49 UTC 
This issue was found while fuzzing PIL/pillow.  A specially crafted arguments passed to _imagingmath.unop() trigger crash in the native code of the library.

The _imagingmath is an internal helper module used by the ImageMath module, that is not meant to be used directly.  The unop() function uses its arguments as pointers, even a function pointer in case of its first argument.  Any use case where its called with untrusted arguments would allow code execution.

However, that's not how unop() is used in ImageMath, which properly constructs arguments for the function.  Contrary to the information in comment 0, observed crash is not triggered by a specially-crafted image, but rather caused by an incorrect function use.

Hence this is not a security issue.
Comment 9 Doran Moppert 2020-02-11 00:28:39 UTC 
Statement:

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.