Bug 1774066 (CVE-2019-16865) - CVE-2019-16865 python-pillow: reading specially crafted image files leads to allocation of large amounts of memory and denial of service
Summary: CVE-2019-16865 python-pillow: reading specially crafted image files leads to ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-16865
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1774067 1774069 1776555 1790813 1790814 1803803 1803829 1804105
Blocks: 1774068
TreeView+ depends on / blocked
 
Reported: 2019-11-19 13:53 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-03-12 01:30 UTC (History)
18 users (show)

Fixed In Version: python-pillow 6.2.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in the way the python-pillow may allocate a large amount of memory or require a long time while processing specially crafted image files, possibly causing a denial of service. Applications that use the library to process untrusted files may be vulnerable to this flaw.
Clone Of:
Environment:
Last Closed: 2020-02-21 03:49:38 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0566 0 None None None 2020-02-20 22:16:46 UTC
Red Hat Product Errata RHSA-2020:0578 0 None None None 2020-02-24 13:30:05 UTC
Red Hat Product Errata RHSA-2020:0580 0 None None None 2020-02-24 12:56:47 UTC

Internal Links: 1807387

Description Guilherme de Almeida Suckevicz 2019-11-19 13:53:17 UTC
An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

References:
https://pillow.readthedocs.io/en/latest/releasenotes/6.2.0.html
http://www.cvedetails.com/cve/CVE-2019-16865/

Comment 1 Guilherme de Almeida Suckevicz 2019-11-19 13:53:30 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1774067]

Comment 2 Guilherme de Almeida Suckevicz 2019-11-19 13:54:13 UTC
Created python-pillow tracking bugs for this issue:

Affects: openstack-rdo [bug 1774069]

Comment 9 errata-xmlrpc 2020-02-20 22:16:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0566 https://access.redhat.com/errata/RHSA-2020:0566

Comment 10 Product Security DevOps Team 2020-02-21 03:49:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16865

Comment 11 errata-xmlrpc 2020-02-24 12:56:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0580 https://access.redhat.com/errata/RHSA-2020:0580

Comment 12 errata-xmlrpc 2020-02-24 13:30:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0578 https://access.redhat.com/errata/RHSA-2020:0578


Note You need to log in before you can comment on or make changes to this bug.