In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled. External References: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security
Created python-pillow tracking bugs for this issue: Affects: fedora-32 [bug 1915435] Affects: fedora-33 [bug 1915434]
Upstream commit: https://github.com/python-pillow/Pillow/commit/120eea2e4547a7d1826afdf01563035844f0b7d5
Flaw summary: In `ImagingSgiRleDecode()` of `src/libImaging/SgiRleDecode.c`, it's possible for a call to `malloc()` to request 4 bytes less than necessary, which can subsequently lead to a heap buffer overflow (out-of-bounds read). The upstream patch moves the length checks above the call to `malloc()` and exits `ImagingSgiRleDecode()` with an error code to avoid passing an improper length to `malloc()`. An attacker who is able to submit a crafted SGI RLE file to an application using python-pillow to decode it could trigger an out-of-bounds read.
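The defensive counterpart to the fix described above is to validate the RLE offset and length tables before any decoder touches them. The following is an added example, not Pillow's code; it assumes the standard SGI image layout (a 512-byte big-endian header followed by a start table and a length table of 32-bit entries, one pair per scanline per channel) and rejects a file whose tables or runs would reach past the end of the data.

```python
import struct

SGI_MAGIC = 474          # 0x01DA, from the SGI image format
SGI_HEADER_LEN = 512     # fixed header size
SGI_STORAGE_RLE = 1      # storage byte: 1 = run-length encoded


def sgi_rle_tables_fit(data: bytes) -> tuple:
    """Return (ok, reason) without decoding any pixel data.

    Checks that the start/length tables fit inside the file and that every
    run they describe lies within the file, i.e. the lengths a decoder would
    hand to malloc()/memcpy() are backed by real bytes.
    """
    if len(data) < SGI_HEADER_LEN:
        return False, "truncated header"
    magic, storage, bpc, _dim, _xsize, ysize, zsize = struct.unpack(
        ">HBBHHHH", data[:12])
    if magic != SGI_MAGIC:
        return False, "bad magic"
    if storage != SGI_STORAGE_RLE:
        return True, "not RLE (no tables)"
    if bpc not in (1, 2):
        return False, "unsupported bytes per channel"
    n = ysize * zsize                        # one table entry per scanline per channel
    tables_end = SGI_HEADER_LEN + 2 * 4 * n  # starttab then lengthtab, 4 bytes each
    if tables_end > len(data):
        return False, "tables exceed file size"
    fmt = ">%dI" % n
    starts = struct.unpack(fmt, data[SGI_HEADER_LEN:SGI_HEADER_LEN + 4 * n])
    lengths = struct.unpack(fmt, data[SGI_HEADER_LEN + 4 * n:tables_end])
    for i, (start, length) in enumerate(zip(starts, lengths)):
        # A run that starts inside the tables or ends past EOF is malformed.
        if start < tables_end or start + length > len(data):
            return False, "run %d out of bounds" % i
    return True, "ok"


def build_sample(claimed_run_len: int) -> bytes:
    """Constructed 2x1x1, 8-bit RLE image with a single 4-byte run.

    claimed_run_len is written into the length table so a caller can
    fabricate an entry that overstates the run (the crafted-file case).
    """
    header = struct.pack(">HBBHHHH", SGI_MAGIC, SGI_STORAGE_RLE, 1, 2, 2, 1, 1)
    header = header.ljust(SGI_HEADER_LEN, b"\0")
    tables_end = SGI_HEADER_LEN + 8
    starttab = struct.pack(">I", tables_end)
    lengthtab = struct.pack(">I", claimed_run_len)
    run = b"\x82\xaa\xbb\x00"  # literal run of 2 pixels, then terminator
    return header + starttab + lengthtab + run
```

Running `sgi_rle_tables_fit` over `build_sample(4)` accepts the file, while `build_sample(40)` (length table claims 40 bytes for a 4-byte run) is rejected before any allocation would happen.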
The following Quay containers contain python-pillow 7.2.0 and hence are affected by the CVE (checked upstream: 7.2.0 contains the same vulnerable code):
- quay-registry-container
- quay-builder-qemu-rhcos-container
This issue has been addressed in the following products: Red Hat Enterprise Linux 8, via RHSA-2021:4149: https://access.redhat.com/errata/RHSA-2021:4149