Bug 1133306 (CVE-2014-3606)
Summary: | CVE-2014-3606 python-pillow: flaw in _unop() | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | unspecified | CC: | falonso, miminar, mmcallis, security-response-team, tsmetana, vdanen |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-11-12 09:17:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1133307 |
Description
Murray McAllister
2014-08-24 13:49:10 UTC
This issue was found while fuzzing PIL/pillow. A specially crafted arguments passed to _imagingmath.unop() trigger crash in the native code of the library. The _imagingmath is an internal helper module used by the ImageMath module, that is not meant to be used directly. The unop() function uses its arguments as pointers, even a function pointer in case of its first argument. Any use case where its called with untrusted arguments would allow code execution. However, that's not how unop() is used in ImageMath, which properly constructs arguments for the function. Contrary to the information in comment 0, observed crash is not triggered by a specially-crafted image, but rather caused by an incorrect function use. Hence this is not a security issue. Statement: Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details. |