Bug 1852814 (CVE-2020-11538)

Summary: CVE-2020-11538 python-pillow: out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: bdettelb, cstratak, jschorr, manisandro, miminar, python-maint, tomckay, torsava, tsmetana
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python-pillow 7.1.0
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read/write flaw was found in python-pillow, in the way SGI RLE images are decoded. An application that uses python-pillow to decode untrusted images may be vulnerable. This flaw allows an attacker to crash the application or potentially execute code on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-07-28 19:28:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1852815, 1852816, 1854807, 1854808, 1854809, 1854810
Bug Blocks: 1852831

Description Marian Rehak 2020-07-01 11:16:36 UTC
In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads/writes exist in the parsing of SGI image files, a different issue than CVE-2020-5311.

Pull Request:

https://github.com/python-pillow/Pillow/pull/4538

Upstream Advisory:

https://pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html

Comment 1 Marian Rehak 2020-07-01 11:17:23 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-31 [bug 1852815]
Affects: fedora-32 [bug 1852816]

Comment 4 Riccardo Schirone 2020-07-08 08:57:47 UTC
Statement:

This issue did not affect the versions of python-pillow and python-imaging as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include the SGI RLE image decoder, where the flaw lies.

Comment 5 Riccardo Schirone 2020-07-08 09:02:33 UTC
Valgrind report:
```
==10235== Invalid write of size 2
==10235==    at 0x82BBAD0: expandrow2 (SgiRleDecode.c:87)
==10235==    by 0x82BBAD0: ImagingSgiRleDecode (SgiRleDecode.c:176)
==10235==    by 0x8294057: _decode (decode.c:130)
==10235==    by 0x5488431: _PyCFunction_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5488A4F: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54B14C3: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5463A39: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5488B35: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54B14C3: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5493396: PyEval_EvalCodeEx (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54940EA: PyEval_EvalCode (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5533961: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x540B632: PyRun_FileExFlags (in /usr/lib64/libpython3.6m.so.1.0)
==10235==  Address 0xbee2f80 is 0 bytes after a block of size 3,840 alloc'd
==10235==    at 0x4C331EA: calloc (vg_replace_malloc.c:762)
==10235==    by 0x82BB8D1: ImagingSgiRleDecode (SgiRleDecode.c:138)
==10235==    by 0x8294057: _decode (decode.c:130)
==10235==    by 0x5488431: _PyCFunction_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5488A4F: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54B14C3: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5463A39: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5488B35: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54B14C3: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5493396: PyEval_EvalCodeEx (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54940EA: PyEval_EvalCode (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5533961: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==
```

Comment 6 Riccardo Schirone 2020-07-08 09:03:41 UTC
A heap-based out-of-bounds read/write is present in function expandrow2() as called by ImagingSgiRleDecode.
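The decoder shape behind the Doc Text above and the comment just before this, as an added example that is not Pillow's code and not part of the original bug report: a simplified 8-bit SGI-style RLE row expander in its unchecked form next to a bounds-checked one. The packet layout assumed here (a 7-bit run count per packet byte, the high bit selecting a literal run over a repeat run, a zero count ending the row) is a simplification; the 16-bit path that expandrow2 in the Valgrind trace handles follows the same pattern with 2-byte pixels. The row inputs are constructed for the demo, and the Valgrind trace's "0 bytes after a block" is exactly what the unchecked version produces when the run counts in a row add up to more than the row width.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Pillow's libImaging/SgiRleDecode.c. Models one row of an
 * 8-bit SGI-style RLE stream: a packet byte carries a 7-bit run count; with the
 * high bit set the next `count` bytes are copied literally, with it clear the
 * next single byte is repeated `count` times; a zero count ends the row. */

#define RLE_MAX_RUN   0x7f
#define RLE_COPY_FLAG 0x80
#define ROW_WIDTH     4          /* pixels per row in the constructed demo */

/* Vulnerable shape: run lengths come straight from the file and are never
 * compared with the space left in `dst`, so a row whose counts add up to more
 * than the row width writes past the end of the destination buffer, and a
 * literal run longer than the remaining source reads past the end of `src`.
 * `srclen` is only checked to keep this toy from crashing on the demo input. */
static size_t expandrow_unchecked(uint8_t *dst, const uint8_t *src, size_t srclen)
{
    size_t in = 0, out = 0;
    while (in < srclen) {
        uint8_t pixel = src[in++];
        size_t count = pixel & RLE_MAX_RUN;
        if (count == 0)
            break;
        if (pixel & RLE_COPY_FLAG) {
            memcpy(dst + out, src + in, count);   /* no check on dst or src */
            in += count;
        } else {
            memset(dst + out, src[in++], count);  /* no check on dst */
        }
        out += count;                             /* may exceed the row width */
    }
    return out;
}

/* Hardened shape: every packet is validated against the bytes left in both
 * buffers before a single byte is copied. Returns the pixels written, or -1
 * when the stream is truncated or would overrun the row. */
static long expandrow_checked(uint8_t *dst, size_t dstlen,
                              const uint8_t *src, size_t srclen)
{
    size_t in = 0, out = 0;
    for (;;) {
        if (in >= srclen)
            return -1;                            /* truncated: no packet byte */
        uint8_t pixel = src[in++];
        size_t count = pixel & RLE_MAX_RUN;
        if (count == 0)
            break;
        if (count > dstlen - out)
            return -1;                            /* would write past the row */
        if (pixel & RLE_COPY_FLAG) {
            if (count > srclen - in)
                return -1;                        /* would read past the source */
            memcpy(dst + out, src + in, count);
            in += count;
        } else {
            if (in >= srclen)
                return -1;                        /* repeat value missing */
            memset(dst + out, src[in++], count);
        }
        out += count;
    }
    return (long)out;
}

/* Constructed rows for a 4-pixel row width.
 * benign_row:    repeat 0x11 twice, literal 0x22 0x33, terminator.
 * malicious_row: claims a 10-pixel literal run for a 4-pixel row.
 * truncated_row: claims a 3-byte literal run but only 2 bytes follow. */
static const uint8_t benign_row[]    = { 0x02, 0x11, 0x82, 0x22, 0x33, 0x00 };
static const uint8_t malicious_row[] = { 0x8a, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 0x00 };
static const uint8_t truncated_row[] = { 0x83, 0x01, 0x02 };

/* Decodes benign_row with the checked expander and verifies the pixels. */
static int checked_benign_ok(void)
{
    uint8_t row[ROW_WIDTH];
    static const uint8_t expect[ROW_WIDTH] = { 0x11, 0x11, 0x22, 0x33 };
    long n = expandrow_checked(row, ROW_WIDTH, benign_row, sizeof benign_row);
    return n == ROW_WIDTH && memcmp(row, expect, ROW_WIDTH) == 0;
}

/* Runs the checked expander on any row into a ROW_WIDTH buffer. */
static long checked_result(const uint8_t *src, size_t srclen)
{
    uint8_t row[ROW_WIDTH];
    return expandrow_checked(row, ROW_WIDTH, src, srclen);
}

/* Shows the overrun the unchecked expander commits: it gets a 64-byte scratch
 * buffer so the demo itself stays memory-safe, and reports how many pixels it
 * wrote into what was declared a ROW_WIDTH-pixel row. */
static size_t unchecked_pixels_written(void)
{
    uint8_t scratch[64] = { 0 };
    return expandrow_unchecked(scratch, malicious_row, sizeof malicious_row);
}

int main(void)
{
    printf("checked benign row ok: %d\n", checked_benign_ok());
    printf("checked malicious row: %ld\n", checked_result(malicious_row, sizeof malicious_row));
    printf("checked truncated row: %ld\n", checked_result(truncated_row, sizeof truncated_row));
    printf("unchecked wrote %zu pixels into a %d-pixel row\n",
           unchecked_pixels_written(), ROW_WIDTH);
    return 0;
}
```

The two checks that matter are `count > dstlen - out` before any write and `count > srclen - in` before a literal copy; both are computed as "remaining space" subtractions on `size_t` so they cannot overflow the way `out + count > dstlen` can. A real decoder also has to validate the per-row offset and length table from the SGI header against the file size before handing a row to the expander, which this toy skips by passing rows directly.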

Comment 9 errata-xmlrpc 2020-07-28 13:37:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3185 https://access.redhat.com/errata/RHSA-2020:3185

Comment 10 Product Security DevOps Team 2020-07-28 19:28:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11538

Comment 11 errata-xmlrpc 2020-08-04 07:39:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3299 https://access.redhat.com/errata/RHSA-2020:3299

Comment 12 errata-xmlrpc 2020-08-04 10:28:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3302 https://access.redhat.com/errata/RHSA-2020:3302

Comment 13 Mark Cooper 2021-02-04 00:59:56 UTC
Set Quay affects to Low to match CVE-2020-10379 and given:

While python-pillow is listed as a dependency of Red Hat Quay, it is not used by the application.

Comment 14 errata-xmlrpc 2021-02-04 16:14:37 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420