Bug 1789538 (CVE-2020-5310)

Summary: CVE-2020-5310 python-pillow: Integer overflow leading to buffer overflow in ImagingLibTiffDecode
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bdettelb, cstratak, dbecker, jjoyce, jschluet, lhh, lpeer, manisandro, mburns, miminar, orion, python-maint, sclewis, slinaber, tomckay, torsava, tsmetana
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-pillow 6.2.2 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-04 20:41:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1789541, 1789542    
Bug Blocks: 1789544    

Description Pedro Sampaio 2020-01-09 18:54:04 UTC 
libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.

Upstream patch:

https://github.com/python-pillow/Pillow/commit/4e2def2539ec13e53a82e06c4b3daf00454100c4

References:

https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
Comment 1 Pedro Sampaio 2020-01-09 19:03:55 UTC 
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1789541]


Created python3-pillow tracking bugs for this issue:

Affects: epel-7 [bug 1789542]
Comment 2 Jason Shepherd 2020-01-10 02:24:17 UTC 
While Red Hat Quay includes the python-pillow it's not used, therefore this issue is rated moderate for Red Hat Quay.
Comment 4 Riccardo Schirone 2020-02-06 14:29:23 UTC 
The vulnerability was introduced with https://github.com/python-pillow/Pillow/commit/f0436a4ddc954541fa10a531e2d9ea0c5ae2065d and https://github.com/python-pillow/Pillow/commit/e91b851fdc1c914419543f485bdbaa010790719f, which add support for reading tiled TIFF images and add the realloc call.
Comment 5 Riccardo Schirone 2020-02-06 14:36:04 UTC 
Statement:

This issue did not affect the versions of python-pillow as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8 as they did not include support for tiled TIFF images, where the flaw lies.
Comment 6 errata-xmlrpc 2021-02-04 16:14:22 UTC 
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420
Comment 7 Product Security DevOps Team 2021-02-04 20:41:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5310