Bug 1915424 (CVE-2020-35654) - CVE-2020-35654 python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-35654
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1915425 1915427 1915429
Blocks: 1915433
Reported: 2021-01-12 16:06 UTC by Michael Kaplan
Modified: 2021-10-19 14:08 UTC

Fixed In Version: python-pillow 8.1.0
Doc Text:
A flaw was found in python-pillow. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-10-19 14:08:33 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3917 0 None None None 2021-10-19 12:10:32 UTC

Description Michael Kaplan 2021-01-12 16:06:02 UTC
In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.

External References: 

https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security

Comment 1 Michael Kaplan 2021-01-12 16:06:20 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-32 [bug 1915425]

Comment 2 Michael Kaplan 2021-01-12 16:07:59 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-33 [bug 1915427]

Comment 4 Petr Viktorin 2021-01-13 13:30:00 UTC
If Pillow can be removed from the Printing stack dependencies, it should be removed from RHEL9.

Anyway, the fixed Pillow 8.1.0 is in Rawhide and ELN. The next build should pick it up.

Comment 5 Petr Viktorin 2021-01-13 13:30:54 UTC
Sorry, wrong bug. This one should stay open.

Comment 6 Todd Cullum 2021-01-13 23:42:19 UTC
Statement:

python-pillow as shipped with Red Hat Enterprise Linux 7 and 8 is not affected by this flaw as the flaw was introduced in a newer version than shipped.

Comment 8 Mark Cooper 2021-01-29 02:03:12 UTC
The following Quay containers contain python-pillow 7.2.0 and hence are affected by the CVE (checked upstream 7.2.0 contains the same vulnerable code):
 - quay-registry-container
 - quay-builder-qemu-rhcos-container

Comment 10 Lumír Balhar 2021-02-18 08:23:09 UTC
I can confirm that the pillow in RHEL 8 is not vulnerable:

# python3 image_load.py crash-2020-10-test.tif 
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 16908288 bytes but only got 0. Skipping tag 0
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 67895296 bytes but only got 0. Skipping tag 0
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 1572864 bytes but only got 0. Skipping tag 42
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 116647 bytes but only got 4867. Skipping tag 42738
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 3468830728 bytes but only got 4851. Skipping tag 279
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 2198732800 bytes but only got 0. Skipping tag 0
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 67239937 bytes but only got 4125. Skipping tag 0
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 33947764 bytes but only got 0. Skipping tag 139
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 17170432 bytes but only got 0. Skipping tag 0
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 80478208 bytes but only got 0. Skipping tag 1
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 787460 bytes but only got 4882. Skipping tag 20
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 1075 bytes but only got 0. Skipping tag 256
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 120586240 bytes but only got 0. Skipping tag 194
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 65536 bytes but only got 0. Skipping tag 3
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 198656 bytes but only got 0. Skipping tag 279
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 206848 bytes but only got 0. Skipping tag 64512
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 130968 bytes but only got 4882. Skipping tag 256
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 77848 bytes but only got 4689. Skipping tag 64270
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 262156 bytes but only got 0. Skipping tag 257
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 33624064 bytes but only got 0. Skipping tag 49152
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 67178752 bytes but only got 4627. Skipping tag 50688
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 33632768 bytes but only got 0. Skipping tag 56320
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 134386688 bytes but only got 4115. Skipping tag 2048
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 33912832 bytes but only got 0. Skipping tag 7168
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 151966208 bytes but only got 4627. Skipping tag 10240
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 119032832 bytes but only got 3859. Skipping tag 256
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 46535680 bytes but only got 0. Skipping tag 256
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 35651584 bytes but only got 0. Skipping tag 42
  " Skipping tag %s" % (size, len(data), tag))
/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py:739: UserWarning: Possibly corrupt EXIF data.  Expecting to read 524288 bytes but only got 0. Skipping tag 0
  " Skipping tag %s" % (size, len(data), tag))
_TIFFVSetField: tempfile.tif: Null count for "Tag 769" (type 1, writecount -3, passcount 1).
_TIFFVSetField: tempfile.tif: Null count for "Tag 42754" (type 1, writecount -3, passcount 1).
_TIFFVSetField: tempfile.tif: Null count for "Tag 769" (type 1, writecount -3, passcount 1).
_TIFFVSetField: tempfile.tif: Null count for "Tag 42754" (type 1, writecount -3, passcount 1).
ZIPDecode: Decoding error at scanline 0, incorrect header check.
ZIPDecode: Decoding error at scanline 0, invalid stored block lengths.
ZIPDecode: Decoding error at scanline 0, incorrect data check.
ZIPDecode: Decoding error at scanline 0, invalid stored block lengths.
ZIPDecode: Decoding error at scanline 0, invalid distance too far back.
ZIPDecode: Decoding error at scanline 0, invalid distance code.
ZIPDecode: ZLib error: .
Traceback (most recent call last):
  File "image_load.py", line 6, in <module>
    im.load()
  File "/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py", line 1053, in load
    return self._load_libtiff()
  File "/usr/lib64/python3.6/site-packages/PIL/TiffImagePlugin.py", line 1145, in _load_libtiff
    raise IOError(err)
OSError: -2
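
Added example, not part of the original bug report or of Pillow: a triage harness for the kind of check run in Comment 10. It decodes the file in a child interpreter and separates a handled decoder error (a Python exception such as "OSError: -2") from a process killed by a signal, which is how a heap overflow in native code would show up. The CHILD body and the names classify and triage are assumptions; the source of image_load.py is not on the page.

```python
import signal
import subprocess
import sys

# Child program: open and fully decode one image, as the image_load.py run
# in the comment does (its source is not on the page; this body is assumed).
CHILD = (
    "import sys\n"
    "from PIL import Image\n"
    "im = Image.open(sys.argv[1])\n"
    "im.load()\n"
)


def classify(returncode, stderr):
    """Map a child's exit status and stderr to a triage verdict."""
    if returncode == 0:
        return "decoded"
    if returncode < 0:
        # Negative status: the interpreter was killed by a signal
        # (e.g. SIGSEGV or SIGABRT), the signature of memory corruption.
        return "crashed:" + signal.Signals(-returncode).name
    if "Traceback (most recent call last)" in stderr:
        # A Python exception: the decoder rejected the file cleanly.
        return "rejected"
    return "error"


def triage(path, child=CHILD, timeout=30):
    """Decode `path` in a separate interpreter so a crash cannot kill the caller."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", child, path],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify(proc.returncode, proc.stderr)


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, triage(name))
```

A "rejected" verdict matches the traceback above; a "crashed:" verdict on the same file means the installed build needs the fixed version.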

Comment 14 errata-xmlrpc 2021-10-19 12:10:30 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917

Comment 15 Product Security DevOps Team 2021-10-19 14:08:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35654

