Bug 1298874 (CVE-2016-0740) - CVE-2016-0740 python-pillow: Integer overflow resulting in buffer overflow when reading invalid tiff file
Summary: CVE-2016-0740 python-pillow: Integer overflow resulting in buffer overflow wh...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-0740
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1298648
Blocks: 1298877
TreeView+ depends on / blocked
 
Reported: 2016-01-15 10:42 UTC by Adam Mariš
Modified: 2021-02-17 04:30 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-01 13:38:06 UTC


Attachments (Terms of Use)

Description Adam Mariš 2016-01-15 10:42:58 UTC
It was reported that python-pillow 3.1.0 when linked against libtiff >= 4.0.0 may overflow a buffer when reading a specially crafted tiff file. libtiff >=4.0.0 changed the return type of TIFFScanlineSize from int32 to machine dependent int32|64. If the scanline is sized so that it overflows an int32, it may be interpreted as a negative number, which will then pass the size check in TiffDecode.c line 236. To do this, the logical scanline size has to be > 2gb. If the size of allocated buffer is 64k, any image data over 64k is written over the heap, causing a segfault. 

Original bug report (contains reproducer):

https://bugzilla.redhat.com/show_bug.cgi?id=1298648

Comment 1 Stefan Cornelius 2016-01-18 09:49:33 UTC
Introduced via the following commit:
https://github.com/python-pillow/Pillow/commit/e782fe721e0156de9636e78cd881d9f9e7e6ce50

Comment 2 Stefan Cornelius 2016-01-18 12:28:40 UTC
RHEL7 is affected. However, the sample reproducer image was compressed in a format that our python-pillow does not support. For testing purposes, I've backported https://github.com/python-pillow/Pillow/commit/a130c45990578a1bb0a6a000ed1b110e27324910 and can see the crash.

Although I failed to do so, it may be possible to create an image that would trigger this image using a different, supported compression algorithm.

Comment 3 Stefan Cornelius 2016-01-18 13:01:26 UTC
python-imaging on RHEL5 and 6 is not linked to and does not support libtiff > 4.0.0. Since this issue requires the libtiff 4.0.0 64bit changes and they don't ship the vulnerable image processing code, they are not vulnerable.

Comment 4 Stefan Cornelius 2016-02-03 20:07:08 UTC
Acknowledgements:

Red Hat would like to thank the Pillow project for reporting this issue. Upstream acknowledges FourOne as the original reporter.


Note You need to log in before you can comment on or make changes to this bug.