Bug 1852836 (CVE-2020-10379) - CVE-2020-10379 python-pillow: two buffer overflows in libImaging/TiffDecode.c due to small buffers allocated in ImagingLibTiffDecode()
Status: CLOSED ERRATA
Alias: CVE-2020-10379
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1852837 1852838
Blocks: 1852831
Reported: 2020-07-01 12:14 UTC by Marian Rehak
Modified: 2021-02-16 19:44 UTC (History)

Fixed In Version: python-pillow 7.1.0
Doc Type: If docs needed, set a value
Last Closed: 2021-02-04 20:42:11 UTC

Links: Red Hat Product Errata RHSA-2021:0420 (last updated 2021-02-04 16:14:50 UTC)

Description Marian Rehak 2020-07-01 12:14:31 UTC
In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c.

Pull Request:

https://github.com/python-pillow/Pillow/pull/4538

Upstream Advisory:

https://pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html

Upstream Advisory:

https://pillow.readthedocs.io/en/stable/releasenotes/6.2.3.html

Comment 1 Marian Rehak 2020-07-01 12:14:59 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-31 [bug 1852838]
Affects: fedora-32 [bug 1852837]

Comment 6 Riccardo Schirone 2020-07-06 14:22:49 UTC
The vulnerability was introduced with https://github.com/python-pillow/Pillow/commit/f0436a4ddc954541fa10a531e2d9ea0c5ae2065d and https://github.com/python-pillow/Pillow/commit/e91b851fdc1c914419543f485bdbaa010790719f, which add support for reading tiled TIFF images and add the realloc calls.

Comment 7 Riccardo Schirone 2020-07-06 14:26:16 UTC
Function ImagingLibTiffDecode() contains two buffer overflows due to missing checks on user-controlled sizes. Those sizes are used to realloc a buffer allocated on the heap, but they can be smaller than what is expected by the libtiff functions used inside ImagingLibTiffDecode().

Comment 8 Riccardo Schirone 2020-07-06 14:40:19 UTC
Statement:

While python-pillow is listed as a dependency of Red Hat Quay, it is not used by the application.

This issue did not affect the versions of python-pillow as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8 as they provide an older version of the code which does not include the vulnerable code.

Comment 9 errata-xmlrpc 2021-02-04 16:14:47 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420

Comment 10 Product Security DevOps Team 2021-02-04 20:42:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10379