Bug 1915420 (CVE-2020-35653)
| Summary: | CVE-2020-35653 python-pillow: Buffer over-read in PCX image reader | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | bdettelb, cstratak, manisandro, mcooper, miminar, python-maint, tomckay, torsava |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | python-pillow 8.1.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in python-pillow. PcxDecode in Pillow has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. The highest threat from this vulnerability is to system availability. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-19 14:08:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1915421, 1915422, 1915428, 1916008 | | |
| Bug Blocks: | 1915433 | | |
Description
Michael Kaplan
2021-01-12 16:03:05 UTC
Created python-pillow tracking bugs for this issue:
Affects: fedora-32 [bug 1915421]

Created python-pillow tracking bugs for this issue:
Affects: fedora-33 [bug 1915428]

Upstream patch: https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf

Note that this patch says that it is for CVE-2020-35655, but the issue corresponds to the upstream advisory and MITRE CVE for CVE-2020-35653 [1][2].

1. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35653

Flaw summary:

In src/PIL/PcxImagePlugin.py, PcxImageFile's _open() method accepted a `stride` length via `stride = i16(s, 66)`, where `s` points to user-controlled input data from a PCX file. This meant that an attacker who is able to provide a crafted file with an invalid stride length could cause an out-of-bounds read that could potentially lead to an impact to application availability or, less likely, an impact to data confidentiality, depending on how pillow is used in the application.

The following Quay containers contain python-pillow 7.2.0 and hence are affected by the CVE (checked: upstream 7.2.0 contains the same vulnerable code):

- quay-registry-container
- quay-builder-qemu-rhcos-container

This issue has been addressed in the following products:

Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35653

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4149 https://access.redhat.com/errata/RHSA-2021:4149
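The flaw summary above comes down to two sizes disagreeing: the decoder's line buffer is sized from the stride the file claims at header offset 66, while the unpacker reads as many bytes as the image width and bit depth require. The following is an added example written for this page, not Pillow's own code, that models that mismatch in a minimal PCX header reader. `make_pcx` builds a constructed sample file (a header plus filler, not a real image), and `decode_first_row` plays the decoder with either the header stride (the vulnerable pattern) or a stride recomputed from width and depth (the hardened pattern; recomputing from geometry is the general strategy of the linked upstream commit, but the rounding to even and the single-row, non-RLE decoder model here are simplifications of this example). In Python the over-read surfaces as an IndexError where a native decoder would silently read out of bounds.

```python
"""Added example, not Pillow code: a miniature model of the PCX stride issue.

PCX header fields used (128-byte header, little-endian):
  offset 0   manufacturer magic 0x0A
  offset 3   bits per pixel per plane
  offset 4   xmin, ymin, xmax, ymax (uint16 each)
  offset 65  number of colour planes
  offset 66  bytes per scanline per plane ("stride"), attacker-controlled
"""
import struct

HEADER_LEN = 128  # fixed PCX header size


def make_pcx(width, height, bits, planes, stride):
    """Build a constructed PCX file (sample input for this example, not a real image)."""
    hdr = bytearray(HEADER_LEN)
    hdr[0] = 0x0A                                  # manufacturer magic
    hdr[1] = 5                                     # version 3.0
    hdr[2] = 1                                     # RLE encoding flag
    hdr[3] = bits                                  # bits per pixel per plane
    struct.pack_into("<4H", hdr, 4, 0, 0, width - 1, height - 1)
    hdr[65] = planes
    struct.pack_into("<H", hdr, 66, stride)        # the field a crafted file lies about
    return bytes(hdr) + b"\x00" * 16               # a little filler "pixel data"


def parse_pcx_header(data):
    """Read the geometry fields; the stride is taken verbatim from the file."""
    if len(data) < HEADER_LEN or data[0] != 0x0A:
        raise ValueError("not a PCX file")
    xmin, ymin, xmax, ymax = struct.unpack_from("<4H", data, 4)
    return {
        "bits": data[3],
        "planes": data[65],
        "width": xmax - xmin + 1,
        "height": ymax - ymin + 1,
        "stride": struct.unpack_from("<H", data, 66)[0],
    }


def stride_from_geometry(width, bits):
    """Derive bytes-per-line from width and depth instead of trusting the header.
    Rounding up to even is this example's choice, following the PCX spec's
    even-stride rule; it never yields fewer bytes than a row of pixels needs."""
    stride = (width * bits + 7) // 8
    return stride + stride % 2


def unpack_row(line_buffer, needed):
    """Stand-in for the native unpacker: copies `needed` bytes with no bounds
    check of its own. In C this reads past the allocation; Python raises."""
    return bytes(line_buffer[i] for i in range(needed))


def decode_first_row(data, hardened):
    """Decode one scanline. The line buffer is sized from the stride; the
    unpacker's read length is sized from the image width and depth."""
    h = parse_pcx_header(data)
    stride = stride_from_geometry(h["width"], h["bits"]) if hardened else h["stride"]
    line_buffer = bytearray(stride * h["planes"])                 # sized from stride
    needed = ((h["width"] * h["bits"] + 7) // 8) * h["planes"]   # sized from width
    return unpack_row(line_buffer, needed)


def over_reads(data, hardened):
    """True if decoding `data` would read past the line buffer."""
    try:
        decode_first_row(data, hardened)
    except IndexError:
        return True
    return False
```

For a 64-pixel, 8-bit, single-plane row whose header claims a stride of 1, `over_reads(..., hardened=False)` is True: the buffer holds one byte and the unpacker wants 64. Recomputing the stride from geometry makes the same input decode to 64 bytes, and a consistent header (stride 64) decodes either way. A real decoder should additionally validate that the recomputed per-row size is compatible with the data actually present, which this model leaves out.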