Bug 1298874 (CVE-2016-0740)
Summary: | CVE-2016-0740 python-pillow: Integer overflow resulting in buffer overflow when reading invalid tiff file | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | carnil, miminar, security-response-team, tsmetana |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-03-01 13:38:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1298648 | ||
Bug Blocks: | 1298877 |
Description
Adam Mariš
2016-01-15 10:42:58 UTC
Introduced via the following commit: https://github.com/python-pillow/Pillow/commit/e782fe721e0156de9636e78cd881d9f9e7e6ce50 RHEL7 is affected. However, the sample reproducer image was compressed in a format that our python-pillow does not support. For testing purposes, I've backported https://github.com/python-pillow/Pillow/commit/a130c45990578a1bb0a6a000ed1b110e27324910 and can see the crash. Although I failed to do so, it may be possible to create an image that would trigger this image using a different, supported compression algorithm. python-imaging on RHEL5 and 6 is not linked to and does not support libtiff > 4.0.0. Since this issue requires the libtiff 4.0.0 64bit changes and they don't ship the vulnerable image processing code, they are not vulnerable. Acknowledgements: Red Hat would like to thank the Pillow project for reporting this issue. Upstream acknowledges FourOne as the original reporter. |