Bug 1321929 (CVE-2016-3076)
| Summary: | CVE-2016-3076 python-pillow: buffer overflow in Jpeg2kEncode.c | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | dmoppert, miminar, security-response-team, tsmetana |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-05-11 05:28:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1327131 | ||
| Bug Blocks: | 1321931 | ||
Acknowledgements: Name: the Pillow project Upstream: Alyssa Besseling Created python-pillow tracking bugs for this issue: Affects: fedora-all [bug 1327131] This is public for some time: https://bugzilla.suse.com/show_bug.cgi?id=973786 https://lwn.net/Articles/683303/ This bug doesn't affect RHEL5, 6 or 7: The vulnerability was introduced to python-pillow in 2.5.0 in the new source file libImaging/Jpeg2KEncode.c and then fixed after 3.1.1 (see Andrej's comment above). RHEL7 presently ships python-pillow 2.0.0 which does not include the affected code. Repros fail as there is no support for .jpc/jpeg2k formatted images. RHEL5 and 6 are using python-imaging, from which python-pillow was later forked. python-imaging never contained the affected code. |
Pillow between 2.5.0 and 3.1.1 may overflow a buffer when reading rewriting a specially crafted Jpeg2000 file. This occurs specifically in the function *j2k_encode_entry*, at the line: ``` state->buffer = malloc (tile_width * tile_height * components * prec / 8); ``` If this buffer is smaller than expected, the jpeg2k encoding functions will write outside the allocation and onto the heap, corrupting memory. Reproducer and proposed fix can be found in original bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1321422