libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. Upstream patch: https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3 References: https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
Created python-pillow tracking bugs for this issue: Affects: fedora-all [bug 1789541] Created python3-pillow tracking bugs for this issue: Affects: epel-7 [bug 1789542]
While Red Hat Quay includes the python-pillow it's not used, therefore this issue is rated moderate for Red Hat Quay.
Statement: This issue did not affect the versions of python-pillow and python-imaging as shipped with Red Hat Enterprise Linux 6, and 7 as they did not include the SGI RLE image decoder, where the flaw lies.
Function expandrow() is called by ImagingSgiRleDecode() in SgiRleDecode.c to load and decode an input image. While reading compressed rows of the input image, expandrow() does not consider the image size, thus it is possible to overwrite past the end of the output buffer. This flaw could be used by an attacker to overwrite heap metadata and potentially execute code.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0566 https://access.redhat.com/errata/RHSA-2020:0566
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-5311
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0580 https://access.redhat.com/errata/RHSA-2020:0580
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420