Bug 1789532 (CVE-2020-5313) - CVE-2020-5313 python-pillow: out-of-bounds read in ImagingFliDecode when loading FLI images
Keywords:
Status: NEW
Alias: CVE-2020-5313
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1799351 1799352 1789541 1789542
Blocks: 1789544
 
Reported: 2020-01-09 18:47 UTC by Pedro Sampaio
Modified: 2020-02-12 09:35 UTC
CC List: 19 users

Fixed In Version: python-pillow 6.2.2
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read was discovered in python-pillow in the way it decodes FLI images. An application that uses python-pillow to load untrusted images may be vulnerable to this flaw, which can allow an attacker to read memory of the application that they should not be allowed to read.
Clone Of:
Environment:
Last Closed:



Description Pedro Sampaio 2020-01-09 18:47:24 UTC
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. 

Upstream patch:

https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b

References:

https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html

Comment 1 Pedro Sampaio 2020-01-09 19:04:07 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1789541]


Created python3-pillow tracking bugs for this issue:

Affects: epel-7 [bug 1789542]

Comment 2 Jason Shepherd 2020-01-10 02:23:11 UTC
While Red Hat Quay includes python-pillow, it is not used; therefore this issue is rated moderate for Red Hat Quay.

Comment 4 Riccardo Schirone 2020-02-06 13:44:56 UTC
Function ImagingFliDecode() in FliDecode.c uses a buffer `buf` of `bytes` bytes as input. However, it tries to read 2 bytes from the buffer+4 when it was only checked that the buffer contained at least 4 bytes. If the size of the buffer is 4, for example, the additional 2 bytes would be read from the memory after the allocated buffer. This can result in an out-of-bounds read, which could be used to leak some memory data from the program or, at most, make it crash.
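The check described in the comment above, as an added example written for this page (it is not Pillow's code and not the upstream patch): a reduced model of the chunk loop in FliDecode.c. Every FLI chunk starts with a 6-byte header, a little-endian uint32 size followed by a little-endian uint16 type, so a guard that only proves 4 bytes are present lets the 2-byte type read at `ptr+4` run past the buffer. The model's guard requires the whole header before touching the type field. The names `fli_walk_chunks`, `old_guard_permits_oob_read` and `struct fli_walk` are invented for the example, the sample buffers are constructed rather than taken from a real file, and the size-versus-remaining check goes beyond the 6.2.2 fix as extra hardening.

```c
/* Reduced model of the chunk loop in Pillow's libImaging/FliDecode.c,
 * written for this page as an illustration; it is not Pillow's code.
 * Every FLI chunk (frame or sub-chunk) starts with a 6-byte header:
 * a little-endian uint32 size, then a little-endian uint16 type. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FLI_HDR_LEN   6u   /* 4-byte size + 2-byte type */
#define FLI_OLD_GUARD 4u   /* what the flawed check required to be present */

struct fli_walk {                /* name invented for this example */
    size_t   chunks;     /* complete chunk headers consumed */
    size_t   consumed;   /* bytes consumed */
    uint16_t last_type;  /* type field of the last chunk seen */
    int      truncated;  /* stopped because a header was incomplete */
    int      malformed;  /* stopped because a size field was inconsistent */
};

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The flawed guard only ensured `bytes >= 4` before the type was read at
 * ptr+4. This predicate does not perform that read; it reports whether the
 * old guard would have let the 2-byte type read run past the buffer. */
static int old_guard_permits_oob_read(size_t bytes) {
    return bytes >= FLI_OLD_GUARD && bytes < FLI_HDR_LEN;
}

/* Hardened walk: require the full 6-byte header before touching the type
 * field, which is what the fix has to guarantee. The size-vs-remaining check
 * is extra hardening added for this example, not part of the 6.2.2 patch. */
static struct fli_walk fli_walk_chunks(const uint8_t *buf, size_t bytes) {
    struct fli_walk w = {0, 0, 0, 0, 0};
    const uint8_t *ptr = buf;
    while (bytes > 0) {
        if (bytes < FLI_HDR_LEN) {          /* flawed version: bytes < 4 */
            w.truncated = 1;
            break;
        }
        uint32_t size = rd_u32le(ptr);
        uint16_t type = rd_u16le(ptr + 4);  /* safe: 6 bytes are present */
        if (size < FLI_HDR_LEN || size > bytes) {
            w.malformed = 1;
            break;
        }
        w.chunks++;
        w.last_type = type;
        w.consumed += size;
        ptr += size;
        bytes -= size;
    }
    return w;
}

/* Constructed inputs for this example, not taken from a real FLI file. */
/* Two well-formed chunks: type 13 (FLI BLACK) with no payload, then
 * type 11 (FLI COLOR) with a 2-byte payload. */
static const uint8_t SAMPLE_GOOD[] = {
    0x06, 0x00, 0x00, 0x00, 0x0D, 0x00,
    0x08, 0x00, 0x00, 0x00, 0x0B, 0x00, 0xAA, 0xBB,
};
/* Exactly 4 bytes: a size field with no type field behind it. This is the
 * case from the comment: the old guard passes, the type read overruns. */
static const uint8_t SAMPLE_TRUNC[] = { 0x06, 0x00, 0x00, 0x00 };
/* A size field larger than the data that follows it. */
static const uint8_t SAMPLE_OVERSIZE[] = { 0xFF, 0xFF, 0x00, 0x00, 0x0D, 0x00 };

int main(void) {
    struct fli_walk g = fli_walk_chunks(SAMPLE_GOOD, sizeof SAMPLE_GOOD);
    struct fli_walk t = fli_walk_chunks(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC);
    printf("good input: %zu chunks, last type %u\n",
           g.chunks, (unsigned)g.last_type);
    printf("4-byte input: stopped cleanly=%d, old guard would overrun=%d\n",
           t.truncated, old_guard_permits_oob_read(sizeof SAMPLE_TRUNC));
    return 0;
}
```

Running the model on the 4-byte input stops at the guard without reading the type; the predicate shows that the original `bytes < 4` check would have admitted that input and read two bytes past the end of the allocation, which is exactly the window an attacker-supplied truncated FLI stream exploits.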

