Bug 1852824 (CVE-2020-10177) - CVE-2020-10177 python-pillow: multiple out-of-bounds reads in libImaging/FliDecode.c
Summary: CVE-2020-10177 python-pillow: multiple out-of-bounds reads in libImaging/FliD...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10177
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1852823 (view as bug list)
Depends On: 1852825 1852826 1854893 1854894
Blocks: 1852831
TreeView+ depends on / blocked
 
Reported: 2020-07-01 11:43 UTC by Marian Rehak
Modified: 2021-06-24 12:15 UTC (History)
8 users (show)

Fixed In Version: python-pillow 7.1.0
Clone Of:
Environment:
Last Closed: 2021-02-04 20:42:05 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0420 0 None None None 2021-02-04 16:14:44 UTC

Description Marian Rehak 2020-07-01 11:43:53 UTC 
Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds reads in libImaging/FliDecode.c.

Pull Request:

https://github.com/python-pillow/Pillow/pull/4538

Upstream Advisory:

https://pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html

Upstream Advisory:

https://pillow.readthedocs.io/en/stable/releasenotes/6.2.3.html
Comment 1 Marian Rehak 2020-07-01 11:48:42 UTC 
Created python-pillow tracking bugs for this issue:

Affects: fedora-31 [bug 1852826]
Affects: fedora-32 [bug 1852825]
Comment 3 Jason Shepherd 2020-07-02 01:33:50 UTC 
Upstream Commit:

https://github.com/python-pillow/Pillow/commit/0da1eca7cfcea4ea67692ecec8dfd16837242da2
Comment 4 Tomas Hoger 2020-07-03 08:52:51 UTC 
*** Bug 1852823 has been marked as a duplicate of this bug. ***
Comment 7 errata-xmlrpc 2021-02-04 16:14:43 UTC 
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420
Comment 8 Product Security DevOps Team 2021-02-04 20:42:05 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10177
Note You need to log in before you can comment on or make changes to this bug.