Bug 1852814 (CVE-2020-11538) - CVE-2020-11538 python-pillow: out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-11538
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1852815 1852816 1854807 1854808 1854809 1854810
Blocks: 1852831
Reported: 2020-07-01 11:16 UTC by Marian Rehak
Modified: 2021-02-16 19:44 UTC

Fixed In Version: python-pillow 7.1.0
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read/write flaw was found in python-pillow, in the way SGI RLE images are decoded. An application that uses python-pillow to decode untrusted images may be vulnerable. This flaw allows an attacker to crash the application or potentially execute code on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-07-28 19:28:34 UTC



Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Product Errata | RHSA-2020:3185 | 0 | None | None | None | 2020-07-28 13:37:36 UTC |
| Red Hat Product Errata | RHSA-2020:3299 | 0 | None | None | None | 2020-08-04 07:39:41 UTC |
| Red Hat Product Errata | RHSA-2020:3302 | 0 | None | None | None | 2020-08-04 10:28:05 UTC |
| Red Hat Product Errata | RHSA-2021:0420 | 0 | None | None | None | 2021-02-04 16:14:39 UTC |

Description Marian Rehak 2020-07-01 11:16:36 UTC
In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads/writes exist in the parsing of SGI image files, a different issue than CVE-2020-5311.

Pull Request:

https://github.com/python-pillow/Pillow/pull/4538

Upstream Advisory:

https://pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html

Comment 1 Marian Rehak 2020-07-01 11:17:23 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-31 [bug 1852815]
Affects: fedora-32 [bug 1852816]

Comment 4 Riccardo Schirone 2020-07-08 08:57:47 UTC
Statement:

This issue did not affect the versions of python-pillow and python-imaging as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include the SGI RLE image decoder, where the flaw lies.

Comment 5 Riccardo Schirone 2020-07-08 09:02:33 UTC
Valgrind report:
```
==10235== Invalid write of size 2                                                              
==10235==    at 0x82BBAD0: expandrow2 (SgiRleDecode.c:87)
==10235==    by 0x82BBAD0: ImagingSgiRleDecode (SgiRleDecode.c:176)
==10235==    by 0x8294057: _decode (decode.c:130)            
==10235==    by 0x5488431: _PyCFunction_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5488A4F: ??? (in /usr/lib64/libpython3.6m.so.1.0)   
==10235==    by 0x54B14C3: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5463A39: ??? (in /usr/lib64/libpython3.6m.so.1.0)  
==10235==    by 0x5488B35: ??? (in /usr/lib64/libpython3.6m.so.1.0)      
==10235==    by 0x54B14C3: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5493396: PyEval_EvalCodeEx (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54940EA: PyEval_EvalCode (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5533961: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x540B632: PyRun_FileExFlags (in /usr/lib64/libpython3.6m.so.1.0)
==10235==  Address 0xbee2f80 is 0 bytes after a block of size 3,840 alloc'd
==10235==    at 0x4C331EA: calloc (vg_replace_malloc.c:762)
==10235==    by 0x82BB8D1: ImagingSgiRleDecode (SgiRleDecode.c:138)
==10235==    by 0x8294057: _decode (decode.c:130)
==10235==    by 0x5488431: _PyCFunction_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5488A4F: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54B14C3: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5463A39: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5488B35: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54B14C3: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5493396: PyEval_EvalCodeEx (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x54940EA: PyEval_EvalCode (in /usr/lib64/libpython3.6m.so.1.0)
==10235==    by 0x5533961: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==10235== 
```

Comment 6 Riccardo Schirone 2020-07-08 09:03:41 UTC
A heap-based out-of-bounds read/write is present in function expandrow2() as called by ImagingSgiRleDecode.
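
Added example, not part of the bug report and not Pillow's code or its fix: a row expander for the 8-bit SGI RLE scheme that checks every run against both the remaining input and the remaining row buffer, the class of check whose absence yields a write "0 bytes after" the allocation as in the Valgrind report. The function name, its signature, the choice to reject unterminated rows, and the sample byte strings are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample rows (not taken from any real file). */
static const uint8_t ROW_OK[]        = {0x03, 0xAA, 0x82, 0x01, 0x02, 0x00};
static const uint8_t ROW_OVERLONG[]  = {0x7F, 0xAA, 0x00};             /* one run wider than the row */
static const uint8_t ROW_CUMUL[]     = {0x03, 0xAA, 0x03, 0xBB, 0x00}; /* runs sum past the row */
static const uint8_t ROW_TRUNCATED[] = {0x85, 0x01, 0x02};             /* literal run outlives input */

/* Expand one 8-bit SGI RLE row into dst, writing every `stride`-th byte.
 * dst must hold (dst_pixels - 1) * stride + 1 bytes.
 * Returns the number of pixels written, or -1 on malformed input. */
int sgi_expand_row8(uint8_t *dst, size_t dst_pixels, size_t stride,
                    const uint8_t *src, size_t src_len)
{
    size_t in = 0, out = 0;
    while (in < src_len) {
        uint8_t op = src[in++];
        size_t count = op & 0x7F;            /* low 7 bits: run length */
        if (count == 0)
            return (int)out;                 /* zero count ends the row */
        if (count > dst_pixels - out)
            return -1;                       /* would write past the row buffer */
        if (op & 0x80) {                     /* high bit set: literal run */
            if (count > src_len - in)
                return -1;                   /* would read past the input */
            while (count--)
                dst[out++ * stride] = src[in++];
        } else {                             /* high bit clear: repeat next byte */
            if (in == src_len)
                return -1;                   /* value byte missing */
            uint8_t value = src[in++];
            while (count--)
                dst[out++ * stride] = value;
        }
    }
    return -1;                               /* input ended without a terminator */
}

int main(void)
{
    uint8_t row[5];
    memset(row, 0, sizeof row);
    printf("ok=%d ", sgi_expand_row8(row, 5, 1, ROW_OK, sizeof ROW_OK));
    printf("overlong=%d ", sgi_expand_row8(row, 5, 1, ROW_OVERLONG, sizeof ROW_OVERLONG));
    printf("cumulative=%d ", sgi_expand_row8(row, 5, 1, ROW_CUMUL, sizeof ROW_CUMUL));
    printf("truncated=%d\n", sgi_expand_row8(row, 5, 1, ROW_TRUNCATED, sizeof ROW_TRUNCATED));
    return 0;
}
```

The `ROW_CUMUL` case is the reason the write check compares each run against the space still left in the row rather than against the row width alone.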

Comment 9 errata-xmlrpc 2020-07-28 13:37:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3185 https://access.redhat.com/errata/RHSA-2020:3185

Comment 10 Product Security DevOps Team 2020-07-28 19:28:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11538

Comment 11 errata-xmlrpc 2020-08-04 07:39:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3299 https://access.redhat.com/errata/RHSA-2020:3299

Comment 12 errata-xmlrpc 2020-08-04 10:28:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3302 https://access.redhat.com/errata/RHSA-2020:3302

Comment 13 Mark Cooper 2021-02-04 00:59:56 UTC
Set Quay affects to Low to match CVE-2020-10379 and given:

While python-pillow is listed as a dependency of Red Hat Quay, it is not used by the application.

Comment 14 errata-xmlrpc 2021-02-04 16:14:37 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420

