Bug 1915424 (CVE-2020-35654)
| Summary: | CVE-2020-35654 python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bdettelb, cstratak, lbalhar, manisandro, miminar, pviktori, python-maint, rschiron, tcullum, tomckay, torsava |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | python-pillow 8.1.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in python-pillow. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-19 14:08:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1915425, 1915427, 1915429 | ||
| Bug Blocks: | 1915433 | ||
|
Description
Michael Kaplan
2021-01-12 16:06:02 UTC
Created python-pillow tracking bugs for this issue: Affects: fedora-32 [bug 1915425] Created python-pillow tracking bugs for this issue: Affects: fedora-33 [bug 1915427] If Pillow can be removed from the Printing stack dependencies, it should be removed from RHEL9. Anyway, the fixed Pillow 8.1.0 is in Rawhide and ELN. The next build should pick it up. Sorry, wrong bug. This one should stay open. Statement: python-pillow as shipped with Red Hat Enterprise Linux 7 and 8 are not affected by this flaw as the flaw was introduced in a newer version than shipped. Upstream patch: https://github.com/python-pillow/Pillow/commit/eb8c1206d6b170d4e798a00db7432e023853da5c The following Quay containers contain python-pillow 7.2.0 and hence are affected by the CVE (checked upstream 7.2.0 contains the same vulnerable code): - quay-registry-container - quay-builder-qemu-rhcos-container I can confirm that the pillow in RHEL 8 is not vulnerable:
# python3 image_load.py crash-2020-10-test.tif
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 16908288 bytes but only got 0. Skipping tag 0
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 67895296 bytes but only got 0. Skipping tag 0
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 1572864 bytes but only got 0. Skipping tag 42
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 116647 bytes but only got 4867. Skipping tag 42738
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 3468830728 bytes but only got 4851. Skipping tag 279
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 2198732800 bytes but only got 0. Skipping tag 0
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 67239937 bytes but only got 4125. Skipping tag 0
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 33947764 bytes but only got 0. Skipping tag 139
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 17170432 bytes but only got 0. Skipping tag 0
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 80478208 bytes but only got 0. Skipping tag 1
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 787460 bytes but only got 4882. Skipping tag 20
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 1075 bytes but only got 0. Skipping tag 256
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 120586240 bytes but only got 0. Skipping tag 194
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 65536 bytes but only got 0. Skipping tag 3
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 198656 bytes but only got 0. Skipping tag 279
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 206848 bytes but only got 0. Skipping tag 64512
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 130968 bytes but only got 4882. Skipping tag 256
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 77848 bytes but only got 4689. Skipping tag 64270
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 262156 bytes but only got 0. Skipping tag 257
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 33624064 bytes but only got 0. Skipping tag 49152
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 67178752 bytes but only got 4627. Skipping tag 50688
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 33632768 bytes but only got 0. Skipping tag 56320
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 134386688 bytes but only got 4115. Skipping tag 2048
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 33912832 bytes but only got 0. Skipping tag 7168
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 151966208 bytes but only got 4627. Skipping tag 10240
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 119032832 bytes but only got 3859. Skipping tag 256
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 46535680 bytes but only got 0. Skipping tag 256
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 35651584 bytes but only got 0. Skipping tag 42
" Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data. Expecting to read 524288 bytes but only got 0. Skipping tag 0
" Skipping tag %s" % (size, len(data), tag))
_TIFFVSetField: tempfile.tif: Null count for "Tag 769" (type 1, writecount -3, passcount 1).
_TIFFVSetField: tempfile.tif: Null count for "Tag 42754" (type 1, writecount -3, passcount 1).
_TIFFVSetField: tempfile.tif: Null count for "Tag 769" (type 1, writecount -3, passcount 1).
_TIFFVSetField: tempfile.tif: Null count for "Tag 42754" (type 1, writecount -3, passcount 1).
ZIPDecode: Decoding error at scanline 0, incorrect header check.
ZIPDecode: Decoding error at scanline 0, invalid stored block lengths.
ZIPDecode: Decoding error at scanline 0, incorrect data check.
ZIPDecode: Decoding error at scanline 0, invalid stored block lengths.
ZIPDecode: Decoding error at scanline 0, invalid distance too far back.
ZIPDecode: Decoding error at scanline 0, invalid distance code.
ZIPDecode: ZLib error: .
Traceback (most recent call last):
File "image_load.py", line 6, in <module>
im.load()
File "/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py", line 1053, in load
return self._load_libtiff()
File "/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py", line 1145, in _load_libtiff
raise IOError(err)
OSError: -2
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-35654 |