In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads/writes exist in the parsing of SGI image files, a different issue than CVE-2020-5311.

Pull Request: https://github.com/python-pillow/Pillow/pull/4538
Upstream Advisory: https://pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html
Created python-pillow tracking bugs for this issue:

Affects: fedora-31 [bug 1852815]
Affects: fedora-32 [bug 1852816]
Upstream commit: https://github.com/python-pillow/Pillow/commit/2ef59fdbaeb756bc512ab3f2ad15ac45665b303d
Statement: This issue did not affect the versions of python-pillow and python-imaging as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include the SGI RLE image decoder, where the flaw lies.
Valgrind report:

```
==10235== Invalid write of size 2
==10235==    at 0x82BBAD0: expandrow2 (SgiRleDecode.c:87)
==10235==    by 0x82BBAD0: ImagingSgiRleDecode (SgiRleDecode.c:176)
==10235==    by 0x8294057: _decode (decode.c:130)
==10235==    by 0x5488431: _PyCFunction_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5488A4F: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54B14C3: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5463A39: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5488B35: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54B14C3: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5493396: PyEval_EvalCodeEx (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54940EA: PyEval_EvalCode (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5533961: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x540B632: PyRun_FileExFlags (in /usr/lib64/libpython3.6m.so.1.0)
==10235==  Address 0xbee2f80 is 0 bytes after a block of size 3,840 alloc'd
==10235==    at 0x4C331EA: calloc (vg_replace_malloc.c:762)
==10235==    by 0x82BB8D1: ImagingSgiRleDecode (SgiRleDecode.c:138)
==10235==    by 0x8294057: _decode (decode.c:130)
==10235==    by 0x5488431: _PyCFunction_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5488A4F: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54B14C3: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5463A39: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5488B35: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54B14C3: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5493396: PyEval_EvalCodeEx (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54940EA: PyEval_EvalCode (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5533961: ??? (in /usr/lib64/libpython3.6m.so.1.0)
```
A heap-based out-of-bounds read/write is present in function expandrow2() as called by ImagingSgiRleDecode.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3185 https://access.redhat.com/errata/RHSA-2020:3185
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11538
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3299 https://access.redhat.com/errata/RHSA-2020:3299
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3302 https://access.redhat.com/errata/RHSA-2020:3302
Set Quay affects to Low to match CVE-2020-10379 and given: While python-pillow is listed as a dependency of Red Hat Quay, it is not used by the application.
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420