Bug 1774066 (CVE-2019-16865)

Summary: CVE-2019-16865 python-pillow: reading specially crafted image files leads to allocation of large amounts of memory and denial of service
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bdettelb, cstratak, dbecker, jjoyce, jschluet, jschorr, kbasil, lhh, lpeer, manisandro, mburns, miminar, python-maint, sclewis, slinaber, tomckay, torsava, tsmetana
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python-pillow 6.2.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in python-pillow: the library may allocate a large amount of memory or take a long time while processing specially crafted image files, possibly causing a denial of service. Applications that use the library to process untrusted files may be vulnerable to this flaw.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-02-21 03:49:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1774067, 1774069, 1776555, 1790813, 1790814, 1803803, 1803829, 1804105
Bug Blocks: 1774068

Description Guilherme de Almeida Suckevicz 2019-11-19 13:53:17 UTC
An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

References:
https://pillow.readthedocs.io/en/latest/releasenotes/6.2.0.html
http://www.cvedetails.com/cve/CVE-2019-16865/

Comment 1 Guilherme de Almeida Suckevicz 2019-11-19 13:53:30 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1774067]

Comment 2 Guilherme de Almeida Suckevicz 2019-11-19 13:54:13 UTC
Created python-pillow tracking bugs for this issue:

Affects: openstack-rdo [bug 1774069]

Comment 9 errata-xmlrpc 2020-02-20 22:16:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0566 https://access.redhat.com/errata/RHSA-2020:0566

Comment 10 Product Security DevOps Team 2020-02-21 03:49:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16865

Comment 11 errata-xmlrpc 2020-02-24 12:56:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0580 https://access.redhat.com/errata/RHSA-2020:0580

Comment 12 errata-xmlrpc 2020-02-24 13:30:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0578 https://access.redhat.com/errata/RHSA-2020:0578