Bug 1304504 (CVE-2016-2533)

Summary: CVE-2016-2533 python-pillow: Buffer overflow in PCD decoding
Product: [Other] Security Response
Reporter: Stefan Cornelius <scorneli>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: miminar, scorneli, security-response-team, torsava, tsmetana
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2019-06-08 02:48:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1298877, 1305006

Description Stefan Cornelius 2016-02-03 20:38:36 UTC
A heap-based buffer overflow flaw was reported in Pillow's PCD decoding. By tricking an unsuspecting user or automated script into processing a specially crafted PCD image file, an attacker could cause the Python process to crash, or, potentially, execute arbitrary code with the privileges of the Python script processing the image.

The problem is that the "ImagingPcdDecode()" function in PcdDecode.c increases the unpack buffer pointer by 4 bytes (= 32-bit color), although the buffer is only supposed to hold 24 bits of color (= 3 bytes). This ultimately leads to an array indexing error resulting in an out-of-bounds write.

oss-security post:
http://www.openwall.com/lists/oss-security/2016/02/02/5

Upstream bug report:
https://github.com/python-pillow/Pillow/issues/568

Patch:
https://github.com/wiredfool/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4
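
Added example (not Pillow's code and not the linked patch) that models only the stride arithmetic behind this report: a row buffer sized for 3 bytes per pixel, an output pointer advanced by `step` bytes per pixel, and a bounds check that rejects the 4-byte step before any write. The function names `pcd_row_span` and `pcd_unpack_row` and the RGB-triple input are assumptions for the illustration, not the real decoder's interface or data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The unpack buffer holds 24 bits of colour per pixel. */
#define PCD_BYTES_PER_PIXEL 3

/* Highest byte offset the unpack loop touches when the output pointer is
 * advanced by `step` bytes per pixel: the last pixel starts at
 * (width-1)*step and occupies 3 bytes. With step == 4 this exceeds
 * width*3 for every row wider than one pixel, which is the overflow. */
size_t pcd_row_span(size_t width, size_t step)
{
    if (width == 0)
        return 0;
    return (width - 1) * step + PCD_BYTES_PER_PIXEL;
}

/* Bounds-checked unpack of one row into `dst`. `src` is a constructed
 * input of `width` already-converted RGB triples (real PCD carries YCC
 * that is converted on the fly; that conversion is not modelled here).
 * Returns the number of bytes written, or -1 if advancing by `step`
 * would place any pixel outside `dst_len`. The original loop had no
 * such check, so a 4-byte step silently wrote past the buffer. */
long pcd_unpack_row(const uint8_t *src, size_t width,
                    uint8_t *dst, size_t dst_len, size_t step)
{
    if (step < PCD_BYTES_PER_PIXEL || pcd_row_span(width, step) > dst_len)
        return -1;                         /* reject before any write */
    uint8_t *out = dst;
    for (size_t x = 0; x < width; x++) {
        memcpy(out, src + x * PCD_BYTES_PER_PIXEL, PCD_BYTES_PER_PIXEL);
        out += step;
    }
    return (long)(width * PCD_BYTES_PER_PIXEL);
}

int main(void)
{
    uint8_t src[12] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
    uint8_t row[12];                       /* sized for 4 pixels * 3 bytes */
    printf("step 3: %ld bytes\n", pcd_unpack_row(src, 4, row, sizeof row, 3));
    printf("step 4: %ld (rejected)\n", pcd_unpack_row(src, 4, row, sizeof row, 4));
    return 0;
}
```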

Comment 3 Stefan Cornelius 2016-02-08 09:09:20 UTC
*** Bug 1305004 has been marked as a duplicate of this bug. ***

Comment 4 Stefan Cornelius 2016-02-22 12:29:10 UTC
This still needs a CVE. A request has been sent to oss-sec before, but I don't think one was ever assigned. I've asked for an update:
http://www.openwall.com/lists/oss-security/2016/02/22/1

Comment 5 Andrej Nemec 2016-02-22 15:41:14 UTC
CVE assignment:

http://www.openwall.com/lists/oss-security/2016/02/22/2