Bug 1789532 (CVE-2020-5313)

Summary: CVE-2020-5313 python-pillow: out-of-bounds read in ImagingFliDecode when loading FLI images
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bdettelb, cstratak, dbecker, jjoyce, jschluet, jschorr, lbalhar, lhh, lpeer, manisandro, mburns, miminar, orion, python-maint, sclewis, slinaber, tomckay, torsava, tsmetana
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: python-pillow 6.2.2
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read was discovered in python-pillow in the way it decodes FLI images. An application that uses python-pillow to load untrusted images may be vulnerable to this flaw, which can allow an attacker to read memory of the application that they should not be allowed to read.
Story Points: ---
Last Closed: 2020-07-28 19:28:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1789541, 1789542, 1799351, 1799352, 1857524
Bug Blocks: 1789544

Description Pedro Sampaio 2020-01-09 18:47:24 UTC
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. 

Upstream patch:

https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b

References:

https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html

Comment 1 Pedro Sampaio 2020-01-09 19:04:07 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1789541]


Created python3-pillow tracking bugs for this issue:

Affects: epel-7 [bug 1789542]

Comment 2 Jason Shepherd 2020-01-10 02:23:11 UTC
While Red Hat Quay includes python-pillow, it is not used; therefore this issue is rated moderate for Red Hat Quay.

Comment 4 Riccardo Schirone 2020-02-06 13:44:56 UTC
Function ImagingFliDecode() in FliDecode.c uses a buffer `buf` of `bytes` bytes as input. However, it tries to read 2 bytes from `buf + 4` when it was only checked that the buffer contained at least 4 bytes. If the size of the buffer is 4, for example, the additional 2 bytes would be read from the memory after the allocated buffer. This can result in an out-of-bounds read, which could be used to leak some memory data from the program or, at most, make it crash.
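The check described in Comment 4, modelled in C as an added example that is not Pillow's code: a simplified header-parsing step with the under-sized guard beside the corrected one. The field layout, the function names and the sample bytes are constructed for illustration and are not taken from FliDecode.c.

```c
#include <stddef.h>
#include <stdint.h>

/* Little-endian field readers of the kind an image decoder uses. */
static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Outcome of one header-parsing step (layout is a simplification, not FLI's). */
typedef struct {
    int ok;         /* 1 when both fields were read */
    uint32_t size;  /* 32-bit field at offset 0 */
    uint16_t type;  /* 16-bit field at offset 4 */
} hdr_t;

/* Mirrors the flaw: the guard covers only the 4-byte field at offset 0,
 * yet the step goes on to read 2 more bytes at offset 4. */
static hdr_t parse_hdr_flawed(const uint8_t *buf, size_t bytes) {
    hdr_t h = {0, 0, 0};
    if (bytes < 4)
        return h;
    h.size = rd_u32le(buf);
    h.type = rd_u16le(buf + 4); /* touches buf[4], buf[5] even when bytes is 4 or 5 */
    h.ok = 1;
    return h;
}

/* Hardened: the guard counts every byte the step consumes (4 + 2 = 6),
 * so short input is rejected instead of being read past its end. */
static hdr_t parse_hdr_fixed(const uint8_t *buf, size_t bytes) {
    hdr_t h = {0, 0, 0};
    if (bytes < 6)
        return h;
    h.size = rd_u32le(buf);
    h.type = rd_u16le(buf + 4);
    h.ok = 1;
    return h;
}

/* Constructed input: a 4-byte field followed by two bytes that stand in for
 * whatever happens to sit in memory right after a 4-byte buffer. */
static const uint8_t sample[6] = {0x10, 0x00, 0x00, 0x00, 0xAA, 0xBB};
int flawed_accepts_short_input(void) { return parse_hdr_flawed(sample, 4).ok; }    /* 1 */
uint16_t flawed_leaked_value(void)   { return parse_hdr_flawed(sample, 4).type; }  /* 0xBBAA */
int fixed_accepts_short_input(void)  { return parse_hdr_fixed(sample, 4).ok; }     /* 0 */
int fixed_accepts_full_input(void)   { return parse_hdr_fixed(sample, 6).ok; }     /* 1 */
```

Passing a declared length of 4 while the backing array is 6 bytes keeps the demonstration within allocated memory; the two bytes the flawed parser returns are exactly the kind of neighbouring data the real bug could expose.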

Comment 8 errata-xmlrpc 2020-07-28 13:37:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3185 https://access.redhat.com/errata/RHSA-2020:3185

Comment 9 Product Security DevOps Team 2020-07-28 19:28:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5313

Comment 10 errata-xmlrpc 2020-09-29 19:35:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3887 https://access.redhat.com/errata/RHSA-2020:3887

Comment 11 errata-xmlrpc 2021-02-04 16:14:15 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420