In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c. Pull Request: https://github.com/python-pillow/Pillow/pull/4538 Upstream Advisory: https://pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html Upstream Advisory: https://pillow.readthedocs.io/en/stable/releasenotes/6.2.3.html
Created python-pillow tracking bugs for this issue: Affects: fedora-31 [bug 1852838] Affects: fedora-32 [bug 1852837]
Upstream commit: https://github.com/python-pillow/Pillow/commit/46f4a349b88915787fea3fb91348bb1665831bbb
The vulnerability was introduced with https://github.com/python-pillow/Pillow/commit/f0436a4ddc954541fa10a531e2d9ea0c5ae2065d and https://github.com/python-pillow/Pillow/commit/e91b851fdc1c914419543f485bdbaa010790719f, which add support for reading tiled TIFF images and add the realloc calls.
Function ImagingLibTiffDecode() contains two buffer overflows due to missing checks on user-controlled sizes. Those sizes are used to realloc a buffer allocated in the heap, but they can be smaller than what expected by libtiff functions, used inside ImagingLibTiffDecode().
Statement: While python-pillow is listed as a dependency of Red Hat Quay, it is not used by the application. This issue did not affect the versions of python-pillow as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8 as they provide an older version of the code which does not include the vulnerable code.
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10379