In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. External References: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security
Created python-pillow tracking bugs for this issue: Affects: fedora-32 [bug 1915421]
Created python-pillow tracking bugs for this issue: Affects: fedora-33 [bug 1915428]
Upstream patch: https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf . Note that this patch says that it is for CVE-2020-35655 but the issue corresponds to the upstream advisory and MITRE CVE for CVE-2020-35653[1][2].
1. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35653
Flaw summary: In src/PIL/PcxImagePlugin.py PcxImageFile's _open() method accepted a `stride` length via `stride = i16(s, 66)` where `s` points to user-controlled input data from a PCX file. This meant that an attacker who is able to provide a crafted file with an invalid stride length could cause an out-of-bounds read that could potentially lead to an impact to application availability, or less likely, an impact to data confidentiality depending on how Pillow is used in the application.
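The summary above is the whole security point: the bytes-per-line field at header offset 66 is attacker-controlled and must not drive buffer sizing. The following is an added example (not code from this bug, from Pillow, or from the upstream commit) of a pre-decode header check a defender could run on untrusted PCX input: it reads the declared stride from offset 66, recomputes the minimum row size from the image width and bit depth, and rejects any header whose declared stride is smaller than what a row actually needs. The header layout used here (manufacturer byte at 0, bits per pixel at 3, window at 4..11, planes at 65, bytes per line at 66) is the standard PCX header; `make_header` builds constructed sample headers purely for demonstration. Whether this mirrors the exact logic of the upstream fix is not stated on this page and is not claimed here.

```python
import struct

PCX_HEADER_LEN = 128  # PCX headers are a fixed 128 bytes


def parse_pcx_header(data):
    """Parse the fields of a PCX header that matter for buffer sizing."""
    if len(data) < PCX_HEADER_LEN:
        raise ValueError("truncated PCX header")
    h = data[:PCX_HEADER_LEN]
    if h[0] != 0x0A:
        raise ValueError("not a PCX file (bad manufacturer byte)")
    xmin, ymin, xmax, ymax = struct.unpack_from("<4H", h, 4)
    return {
        "bits": h[3],
        "planes": h[65],
        "width": xmax - xmin + 1,
        "height": ymax - ymin + 1,
        # Offset 66 is the same 16-bit field Pillow read with i16(s, 66);
        # it is attacker-controlled and is the value this check distrusts.
        "stride": struct.unpack_from("<H", h, 66)[0],
    }


def expected_stride(width, bits):
    """Minimum bytes per plane row; PCX rows are padded to an even length."""
    stride = (width * bits + 7) // 8
    return stride + (stride % 2)


def check_pcx_header(data):
    """Return (ok, reason). ok is False when the declared stride cannot hold a row."""
    hdr = parse_pcx_header(data)
    if hdr["bits"] not in (1, 2, 4, 8) or hdr["planes"] not in (1, 3, 4):
        return False, "unsupported bits/planes: %d/%d" % (hdr["bits"], hdr["planes"])
    if hdr["width"] <= 0 or hdr["height"] <= 0:
        return False, "non-positive image dimensions"
    need = expected_stride(hdr["width"], hdr["bits"])
    if hdr["stride"] < need:
        # A decoder that sized its buffers from this value would read past
        # the end of the row data; refuse the file before decoding.
        return False, "declared stride %d < required %d" % (hdr["stride"], need)
    return True, "ok"


def make_header(width, height, bits, planes, stride):
    """Build a constructed 128-byte PCX header for testing (no pixel data)."""
    h = bytearray(PCX_HEADER_LEN)
    h[0] = 0x0A          # manufacturer
    h[1] = 5             # version
    h[2] = 1             # RLE encoding
    h[3] = bits
    struct.pack_into("<4H", h, 4, 0, 0, width - 1, height - 1)
    h[65] = planes
    struct.pack_into("<H", h, 66, stride)
    return bytes(h)


if __name__ == "__main__":
    # Constructed samples: a consistent header and one with an undersized stride.
    print(check_pcx_header(make_header(100, 50, 8, 1, 100)))
    print(check_pcx_header(make_header(100, 50, 8, 1, 2)))
```

Run this on any PCX bytes before handing them to an image library that predates the fix; the check is cheap (128 bytes, no decoding) and turns the crash-or-over-read case into a clean rejection with a logged reason.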
The following Quay containers contain python-pillow 7.2.0 and hence are affected by the CVE (checked upstream 7.2.0 contains the same vulnerable code):
- quay-registry-container
- quay-builder-qemu-rhcos-container
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-35653
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4149 https://access.redhat.com/errata/RHSA-2021:4149