Bug 1298874 (CVE-2016-0740)

Summary: CVE-2016-0740 python-pillow: Integer overflow resulting in buffer overflow when reading invalid tiff file
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carnil, miminar, security-response-team, tsmetana
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-01 13:38:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1298648
Bug Blocks: 1298877

Description Adam Mariš 2016-01-15 10:42:58 UTC
It was reported that python-pillow 3.1.0, when linked against libtiff >= 4.0.0, may overflow a buffer when reading a specially crafted tiff file. libtiff >= 4.0.0 changed the return type of TIFFScanlineSize from int32 to a machine-dependent int32|64. If the scanline is sized so that it overflows an int32, it may be interpreted as a negative number, which will then pass the size check in TiffDecode.c line 236. To do this, the logical scanline size has to be > 2 GB. If the size of the allocated buffer is 64k, any image data over 64k is written over the heap, causing a segfault.

Original bug report (contains reproducer):

https://bugzilla.redhat.com/show_bug.cgi?id=1298648
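
The following is an added example, not code from Pillow or libtiff, that models the size check the report describes: a 64-bit scanline size (libtiff 4.x returns tmsize_t, 64-bit on LP64 hosts) is narrowed to a 32-bit int before being compared against the decoder's buffer size, so a scanline above 2 GB wraps negative and passes the `size > buffer` test. The function names, the `scanline_size` formula (width * samples * bits, rounded up to bytes), the 64k buffer and the crafted image dimensions are assumptions chosen to reproduce the arithmetic, not values taken from the reproducer image. The hardened variant keeps the wide type and rejects non-positive and oversized values explicitly.

```c
/* Added example (assumed names and layout, not Pillow's TiffDecode.c):
 * models how a tmsize_t scanline size narrowed to int can pass a
 * `size > buffer_bytes` check and lead to a heap overrun. */
#include <stdint.h>
#include <stdio.h>

typedef int64_t tmsize_t;   /* assumed: libtiff >= 4.0 return type on an LP64 host */
#define BUFFER_BYTES 65536  /* the 64k decoder buffer mentioned in the report */

/* Assumed scanline formula: bits per row, rounded up to whole bytes.
 * Computed in 64 bits, as libtiff 4.x does. */
tmsize_t scanline_size(uint32_t width, uint16_t samples_per_pixel, uint16_t bits_per_sample)
{
    return ((tmsize_t)width * samples_per_pixel * bits_per_sample + 7) / 8;
}

/* Vulnerable pattern: the 64-bit result is stored in a 32-bit int, so
 * 2147483649 becomes -2147483647 (two's-complement wrap, as on gcc/clang)
 * and the "too large" check is satisfied by a negative number. */
int vulnerable_check_passes(tmsize_t scanline, int buffer_bytes)
{
    int size = (int)scanline;          /* truncation happens here */
    if (size > buffer_bytes) {
        return 0;                      /* rejected: only for 64k < size < 2 GB */
    }
    return 1;                          /* accepted, including negative sizes */
}

/* Hardened pattern: keep the wide type, reject non-positive values, and
 * compare without narrowing. */
int hardened_check_passes(tmsize_t scanline, int buffer_bytes)
{
    if (scanline <= 0) {
        return 0;                      /* zero or wrapped/negative size */
    }
    if (scanline > (tmsize_t)buffer_bytes) {
        return 0;                      /* honestly too large for the buffer */
    }
    return 1;
}

/* If the vulnerable check accepts the scanline, a full-row read into the
 * buffer writes this many bytes past its end (0 if the check rejects it). */
tmsize_t heap_overrun_bytes(tmsize_t scanline, int buffer_bytes)
{
    if (!vulnerable_check_passes(scanline, buffer_bytes)) {
        return 0;
    }
    return scanline > buffer_bytes ? scanline - buffer_bytes : 0;
}

int main(void)
{
    /* Constructed inputs: a benign 100x? RGB8 row and a crafted row whose
     * width pushes the scanline just over 2^31 bytes. */
    tmsize_t benign  = scanline_size(100u, 3, 8);          /* 300 bytes */
    tmsize_t crafted = scanline_size(0x80000001u, 1, 8);   /* 2147483649 bytes */

    printf("benign  scanline=%lld vulnerable=%d hardened=%d\n",
           (long long)benign,
           vulnerable_check_passes(benign, BUFFER_BYTES),
           hardened_check_passes(benign, BUFFER_BYTES));
    printf("crafted scanline=%lld vulnerable=%d hardened=%d overrun=%lld\n",
           (long long)crafted,
           vulnerable_check_passes(crafted, BUFFER_BYTES),
           hardened_check_passes(crafted, BUFFER_BYTES),
           (long long)heap_overrun_bytes(crafted, BUFFER_BYTES));
    return 0;
}
```

The crafted width is the smallest that makes the row exceed INT32_MAX with one 8-bit sample per pixel; the same wrap can be reached with a smaller width and more samples or bits per sample, which is why the check must be done on the un-narrowed value rather than on whatever fits in an int.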

Comment 1 Stefan Cornelius 2016-01-18 09:49:33 UTC
Introduced via the following commit:
https://github.com/python-pillow/Pillow/commit/e782fe721e0156de9636e78cd881d9f9e7e6ce50

Comment 2 Stefan Cornelius 2016-01-18 12:28:40 UTC
RHEL7 is affected. However, the sample reproducer image was compressed in a format that our python-pillow does not support. For testing purposes, I've backported https://github.com/python-pillow/Pillow/commit/a130c45990578a1bb0a6a000ed1b110e27324910 and can see the crash.

Although I failed to do so, it may be possible to create an image that would trigger this issue using a different, supported compression algorithm.

Comment 3 Stefan Cornelius 2016-01-18 13:01:26 UTC
python-imaging on RHEL5 and 6 is not linked to and does not support libtiff > 4.0.0. Since this issue requires the libtiff 4.0.0 64bit changes and they don't ship the vulnerable image processing code, they are not vulnerable.

Comment 4 Stefan Cornelius 2016-02-03 20:07:08 UTC
Acknowledgements:

Red Hat would like to thank the Pillow project for reporting this issue. Upstream acknowledges FourOne as the original reporter.