Pillow between 2.5.0 and 3.1.1 may overflow a buffer when reading
rewriting a specially crafted Jpeg2000 file.
This occurs specifically in the function *j2k_encode_entry*, at the line:
state->buffer = malloc (tile_width * tile_height * components * prec / 8);
If this buffer is smaller than expected, the jpeg2k encoding functions
will write outside the allocation and onto the heap, corrupting
Reproducer and proposed fix can be found in original bug report:
Name: the Pillow project
Upstream: Alyssa Besseling
Created python-pillow tracking bugs for this issue:
Affects: fedora-all [bug 1327131]
This is public for some time:
This bug doesn't affect RHEL5, 6 or 7:
The vulnerability was introduced to python-pillow in 2.5.0 in the new source file libImaging/Jpeg2KEncode.c and then fixed after 3.1.1 (see Andrej's comment above).
RHEL7 presently ships python-pillow 2.0.0 which does not include the affected code. Repros fail as there is no support for .jpc/jpeg2k formatted images.
RHEL5 and 6 are using python-imaging, from which python-pillow was later forked. python-imaging never contained the affected code.