Bug 1789532 (CVE-2020-5313) - CVE-2020-5313 python-pillow: out-of-bounds read in ImagingFliDecode when loading FLI images
Alias: CVE-2020-5313
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1789541 1789542 1799351 1799352 1857524
Blocks: 1789544
Reported: 2020-01-09 18:47 UTC by Pedro Sampaio
Modified: 2021-02-04 16:14 UTC

Fixed In Version: python-pillow 6.2.2
Doc Text:
An out-of-bounds read was discovered in python-pillow in the way it decodes FLI images. An application that uses python-pillow to load untrusted images may be vulnerable to this flaw, which can allow an attacker to read application memory that they should not be allowed to read.
Last Closed: 2020-07-28 19:28:00 UTC


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3185 0 None None None 2020-07-28 13:37:35 UTC
Red Hat Product Errata RHSA-2020:3887 0 None None None 2020-09-29 19:36:10 UTC
Red Hat Product Errata RHSA-2021:0420 0 None None None 2021-02-04 16:14:17 UTC

Description Pedro Sampaio 2020-01-09 18:47:24 UTC
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. 

Upstream patch:




Comment 1 Pedro Sampaio 2020-01-09 19:04:07 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1789541]

Created python3-pillow tracking bugs for this issue:

Affects: epel-7 [bug 1789542]

Comment 2 Jason Shepherd 2020-01-10 02:23:11 UTC
While Red Hat Quay includes python-pillow, it's not used; therefore this issue is rated moderate for Red Hat Quay.

Comment 4 Riccardo Schirone 2020-02-06 13:44:56 UTC
Function ImagingFliDecode() in FliDecode.c uses a buffer `buf` of `bytes` bytes as input. However, it tries to read 2 bytes from the buffer+4 when it was only checked that the buffer contained at least 4 bytes. If the size of the buffer is 4, for example, the additional 2 bytes would be read from the memory after the allocated buffer. This can result in an out-of-bounds read, which could be used to leak some memory data from the program or, at most, make it crash.
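
The length check described in comment 4, as an added example that is not part of this bug report and is not Pillow's code. It assumes a chunk header made of a 4-byte little-endian size followed by a 2-byte type at offset 4; the function names and the 0xF1FA frame type constant do not come from this page, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRAME_MAGIC 0xF1FA /* FLI frame chunk type (assumed, not from the report) */
#define HDR_LEN 6          /* 4-byte chunk size + 2-byte chunk type */

enum { HDR_OK = 0, HDR_SHORT = 1, HDR_BAD = -1 };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint16_t rd16le(const uint8_t *p) {
    return (uint16_t)(p[0] | p[1] << 8);
}

/* Model of the flawed check: only `bytes >= 4` is verified before the
 * 2-byte read at buf+4. Returns how many bytes of that read would fall
 * past the end of the buffer. Nothing is dereferenced here. */
size_t overread_after_4byte_check(size_t bytes) {
    if (bytes < 4) return 0;              /* decoder returns early */
    return bytes < HDR_LEN ? HDR_LEN - bytes : 0;
}

/* Hardened form: every field is covered by a length check before it is
 * read, and the declared chunk size must fit in the data we hold. */
int parse_chunk_header(const uint8_t *buf, size_t bytes, uint32_t *size_out) {
    if (bytes < HDR_LEN) return HDR_SHORT;        /* covers buf[0..5] */
    uint32_t size = rd32le(buf);
    if (size < HDR_LEN) return HDR_BAD;           /* size smaller than header */
    if (rd16le(buf + 4) != FRAME_MAGIC) return HDR_BAD;
    if (size > bytes) return HDR_SHORT;           /* chunk not fully buffered */
    *size_out = size;
    return HDR_OK;
}

int main(void) {
    /* Constructed inputs: a 4-byte buffer and a complete 6-byte header. */
    const uint8_t four[4] = {0x06, 0x00, 0x00, 0x00};
    const uint8_t full[6] = {0x06, 0x00, 0x00, 0x00, 0xFA, 0xF1};
    uint32_t size = 0;
    printf("flawed check, 4 bytes: %zu byte(s) read past the end\n",
           overread_after_4byte_check(sizeof four));
    printf("hardened, 4 bytes: %d\n", parse_chunk_header(four, sizeof four, &size));
    printf("hardened, 6 bytes: %d\n", parse_chunk_header(full, sizeof full, &size));
    return 0;
}
```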

Comment 8 errata-xmlrpc 2020-07-28 13:37:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3185 https://access.redhat.com/errata/RHSA-2020:3185

Comment 9 Product Security DevOps Team 2020-07-28 19:28:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 10 errata-xmlrpc 2020-09-29 19:35:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3887 https://access.redhat.com/errata/RHSA-2020:3887

Comment 11 errata-xmlrpc 2021-02-04 16:14:15 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420
