Bug 1298874 - (CVE-2016-0740) CVE-2016-0740 python-pillow: Integer overflow resulting in buffer overflow when reading invalid tiff file
CVE-2016-0740 python-pillow: Integer overflow resulting in buffer overflow wh...
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160204,repor...
: Security
Depends On: 1298648
Blocks: 1298877
  Show dependency treegraph
 
Reported: 2016-01-15 05:42 EST by Adam Mariš
Modified: 2016-03-01 08:38 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-01 08:38:06 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2016-01-15 05:42:58 EST
It was reported that python-pillow 3.1.0 when linked against libtiff >= 4.0.0 may overflow a buffer when reading a specially crafted tiff file. libtiff >=4.0.0 changed the return type of TIFFScanlineSize from int32 to machine dependent int32|64. If the scanline is sized so that it overflows an int32, it may be interpreted as a negative number, which will then pass the size check in TiffDecode.c line 236. To do this, the logical scanline size has to be > 2gb. If the size of allocated buffer is 64k, any image data over 64k is written over the heap, causing a segfault. 

Original bug report (contains reproducer):

https://bugzilla.redhat.com/show_bug.cgi?id=1298648
Comment 1 Stefan Cornelius 2016-01-18 04:49:33 EST
Introduced via the following commit:
https://github.com/python-pillow/Pillow/commit/e782fe721e0156de9636e78cd881d9f9e7e6ce50
Comment 2 Stefan Cornelius 2016-01-18 07:28:40 EST
RHEL7 is affected. However, the sample reproducer image was compressed in a format that our python-pillow does not support. For testing purposes, I've backported https://github.com/python-pillow/Pillow/commit/a130c45990578a1bb0a6a000ed1b110e27324910 and can see the crash.

Although I failed to do so, it may be possible to create an image that would trigger this image using a different, supported compression algorithm.
Comment 3 Stefan Cornelius 2016-01-18 08:01:26 EST
python-imaging on RHEL5 and 6 is not linked to and does not support libtiff > 4.0.0. Since this issue requires the libtiff 4.0.0 64bit changes and they don't ship the vulnerable image processing code, they are not vulnerable.
Comment 4 Stefan Cornelius 2016-02-03 15:07:08 EST
Acknowledgements:

Red Hat would like to thank the Pillow project for reporting this issue. Upstream acknowledges FourOne as the original reporter.

Note You need to log in before you can comment on or make changes to this bug.