DSA-3499

[oss-security] 20160202 CVE Request -- Buffer overflow in Python-Pillow and PIL

[oss-security] 20160222 Re: CVE Request -- Buffer overflow in Python-Pillow and PIL

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst

https://github.com/python-pillow/Pillow/commit/5bdf54b5a76b54fb00bd05f2d733e0a4173eefc9#diff-8ff6909c159597e22288ad818938fd6b

https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4#diff-8ff6909c159597e22288ad818938fd6b

https://github.com/python-pillow/Pillow/pull/1706

GLSA-201612-52

According to the versions of the python-pillow package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Pillow before 3.3.2 allows context-dependent attackers     to obtain sensitive information by using the 'crafted     image file' approach, related to an 'Integer Overflow'     issue affecting the Image.core.map_buffer in map.c     component.(CVE-2016-9189)

  - Buffer overflow in the ImagingPcdDecode function in     PcdDecode.c in Pillow before 3.1.1 and Python Imaging     Library (PIL) 1.1.7 and earlier allows remote attackers     to cause a denial of service (crash) via a crafted     PhotoCD file.(CVE-2016-2533)

  - Buffer overflow in the ImagingFliDecode function in     libImaging/FliDecode.c in Pillow before 3.1.1 allows     remote attackers to cause a denial of service (crash)     via a crafted FLI file.(CVE-2016-0775)

  - Buffer overflow in the ImagingLibTiffDecode function in     libImaging/TiffDecode.c in Pillow before 3.1.1 allows     remote attackers to overwrite memory via a crafted TIFF     file.(CVE-2016-0740)

  - Integer overflow in the ImagingResampleHorizontal     function in libImaging/Resample.c in Pillow before     3.1.1 allows remote attackers to have unspecified     impact via negative values of the new size, which     triggers a heap-based buffer overflow.(CVE-2016-4009)

  - PIL/IcnsImagePlugin.py in Python Imaging Library (PIL)     and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows     remote attackers to cause a denial of service via a     crafted block size.(CVE-2014-3589)

  - Python Image Library (PIL) 1.1.7 and earlier and Pillow     2.3 might allow remote attackers to execute arbitrary     commands via shell metacharacters in unspecified     vectors related to CVE-2014-1932, possibly     JpegImagePlugin.py.(CVE-2014-3007)

  - The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py     scripts in Python Image Library (PIL) 1.1.7 and earlier     and Pillow before 2.3.1 uses the names of temporary     files on the command line, which makes it easier for     local users to conduct symlink attacks by listing the     processes.(CVE-2014-1933)

  - The (1) load_djpeg function in JpegImagePlugin.py, (2)     Ghostscript function in EpsImagePlugin.py, (3) load     function in IptcImagePlugin.py, and (4) _copy function     in Image.py in Python Image Library (PIL) 1.1.7 and     earlier and Pillow before 2.3.1 do not properly create     temporary files, which allow local users to overwrite     arbitrary files and obtain sensitive information via a     symlink attack on the temporary file.(CVE-2014-1932)

  - An issue was discovered in Pillow before 6.2.0. When     reading specially crafted invalid image files, the     library can either allocate very large amounts of     memory or take an extremely long period of time to     process the image.(CVE-2019-16865)

  - libImaging/FliDecode.c in Pillow before 6.2.2 has an     FLI buffer overflow.(CVE-2020-5313)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the python-pillow package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A memory disclosure vulnerability was found in     python-pillow. Functions in map.c failed to check for     image overflow and check that an offset parameter was     within bounds, allowing a crafted image to cause a     crash or disclosure of memory.(CVE-2016-9189)

  - Buffer overflow in the ImagingPcdDecode function in     PcdDecode.c in Pillow before 3.1.1 and Python Imaging     Library (PIL) 1.1.7 and earlier allows remote attackers     to cause a denial of service (crash) via a crafted     PhotoCD file.(CVE-2016-2533)

  - Buffer overflow in the ImagingFliDecode function in     libImaging/FliDecode.c in Pillow before 3.1.1 allows     remote attackers to cause a denial of service (crash)     via a crafted FLI file.(CVE-2016-0775)

  - Buffer overflow in the ImagingLibTiffDecode function in     libImaging/TiffDecode.c in Pillow before 3.1.1 allows     remote attackers to overwrite memory via a crafted TIFF     file.(CVE-2016-0740)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the python-pillow package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Buffer overflow in the ImagingFliDecode function in     libImaging/FliDecode.c in Pillow before 3.1.1 allows     remote attackers to cause a denial of service (crash)     via a crafted FLI file.(CVE-2016-0775)

  - Buffer overflow in the ImagingLibTiffDecode function in     libImaging/TiffDecode.c in Pillow before 3.1.1 allows     remote attackers to overwrite memory via a crafted TIFF     file.(CVE-2016-0740)

  - Buffer overflow in the ImagingPcdDecode function in     PcdDecode.c in Pillow before 3.1.1 and Python Imaging     Library (PIL) 1.1.7 and earlier allows remote attackers     to cause a denial of service (crash) via a crafted     PhotoCD file.(CVE-2016-2533)

  - PIL/IcnsImagePlugin.py in Python Imaging Library (PIL)     and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows     remote attackers to cause a denial of service via a     crafted block size.(CVE-2014-3589)

  - Pillow before 2.7.0 allows remote attackers to cause a     denial of service via a compressed text chunk in a PNG     image that has a large size when it is     decompressed.(CVE-2014-9601)

  - Pillow before 3.3.2 allows context-dependent attackers     to execute arbitrary code by using the 'crafted image     file' approach, related to an 'Insecure Sign Extension'     issue affecting the ImagingNew in Storage.c     component.(CVE-2016-9190)

  - Pillow before 3.3.2 allows context-dependent attackers     to obtain sensitive information by using the 'crafted     image file' approach, related to an 'Integer Overflow'     issue affecting the Image.core.map_buffer in map.c     component.(CVE-2016-9189)

  - Python Image Library (PIL) 1.1.7 and earlier and Pillow     2.3 might allow remote attackers to execute arbitrary     commands via shell metacharacters in unspecified     vectors related to CVE-2014-1932, possibly     JpegImagePlugin.py.(CVE-2014-3007)

  - The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py     scripts in Python Image Library (PIL) 1.1.7 and earlier     and Pillow before 2.3.1 uses the names of temporary     files on the command line, which makes it easier for     local users to conduct symlink attacks by listing the     processes.(CVE-2014-1933)

  - The (1) load_djpeg function in JpegImagePlugin.py, (2)     Ghostscript function in EpsImagePlugin.py, (3) load     function in IptcImagePlugin.py, and (4) _copy function     in Image.py in Python Image Library (PIL) 1.1.7 and     earlier and Pillow before 2.3.1 do not properly create     temporary files, which allow local users to overwrite     arbitrary files and obtain sensitive information via a     symlink attack on the temporary file.(CVE-2014-1932)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the python-pillow package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Pillow before 2.7.0 allows remote attackers to cause a     denial of service via a compressed text chunk in a PNG     image that has a large size when it is     decompressed.(CVE-2014-9601)

  - The (1) load_djpeg function in JpegImagePlugin.py, (2)     Ghostscript function in EpsImagePlugin.py, (3) load     function in IptcImagePlugin.py, and (4) _copy function     in Image.py in Python Image Library (PIL) 1.1.7 and     earlier and Pillow before 2.3.1 do not properly create     temporary files, which allow local users to overwrite     arbitrary files and obtain sensitive information via a     symlink attack on the temporary file.(CVE-2014-1932)

  - The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py     scripts in Python Image Library (PIL) 1.1.7 and earlier     and Pillow before 2.3.1 uses the names of temporary     files on the command line, which makes it easier for     local users to conduct symlink attacks by listing the     processes.(CVE-2014-1933)

  - Python Image Library (PIL) 1.1.7 and earlier and Pillow     2.3 might allow remote attackers to execute arbitrary     commands via shell metacharacters in unspecified     vectors related to CVE-2014-1932, possibly     JpegImagePlugin.py.(CVE-2014-3007)

  - PIL/IcnsImagePlugin.py in Python Imaging Library (PIL)     and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows     remote attackers to cause a denial of service via a     crafted block size.(CVE-2014-3589)

  - Buffer overflow in the ImagingLibTiffDecode function in     libImaging/TiffDecode.c in Pillow before 3.1.1 allows     remote attackers to overwrite memory via a crafted TIFF     file.(CVE-2016-0740)

  - Buffer overflow in the ImagingFliDecode function in     libImaging/FliDecode.c in Pillow before 3.1.1 allows     remote attackers to cause a denial of service (crash)     via a crafted FLI file.(CVE-2016-0775)

  - Buffer overflow in the ImagingPcdDecode function in     PcdDecode.c in Pillow before 3.1.1 and Python Imaging     Library (PIL) 1.1.7 and earlier allows remote attackers     to cause a denial of service (crash) via a crafted     PhotoCD file.(CVE-2016-2533)

  - Pillow before 3.3.2 allows context-dependent attackers     to obtain sensitive information by using the 'crafted     image file' approach, related to an 'Integer Overflow'     issue affecting the Image.core.map_buffer in map.c     component.(CVE-2016-9189)

  - Pillow before 3.3.2 allows context-dependent attackers     to execute arbitrary code by using the 'crafted image     file' approach, related to an 'Insecure Sign Extension'     issue affecting the ImagingNew in Storage.c     component.(CVE-2016-9190)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the python-pillow package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Buffer overflow in the ImagingPcdDecode function in     PcdDecode.c in Pillow before 3.1.1 and Python Imaging     Library (PIL) 1.1.7 and earlier allows remote attackers     to cause a denial of service (crash) via a crafted     PhotoCD file.(CVE-2016-2533)

  - Pillow before 3.3.2 allows context-dependent attackers     to obtain sensitive information by using the 'crafted     image file' approach, related to an 'Integer Overflow'     issue affecting the Image.core.map_buffer in map.c     component.(CVE-2016-9189)

  - Buffer overflow in the ImagingFliDecode function in     libImaging/FliDecode.c in Pillow before 3.1.1 allows     remote attackers to cause a denial of service (crash)     via a crafted FLI file.(CVE-2016-0775)

  - Buffer overflow in the ImagingLibTiffDecode function in     libImaging/TiffDecode.c in Pillow before 3.1.1 allows     remote attackers to overwrite memory via a crafted TIFF     file.(CVE-2016-0740)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201612-52 (Pillow: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Pillow. Please review       the CVE identifiers referenced below for details.
  Impact :

    A local attacker could perform symlink attacks to overwrite arbitrary       files with the privileges of the user running the application, or obtain       sensitive information.
    A remote attackers could execute arbitrary code with the privileges of       the process, or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

USN-3090-1 fixed vulnerabilities in Pillow. The patch to fix CVE-2014-9601 caused a regression which resulted in failures when processing certain png images. This update temporarily reverts the security fix for CVE-2014-9601 pending further investigation.

We apologize for the inconvenience.

It was discovered that a flaw in processing a compressed text chunk in a PNG image could cause the image to have a large size when decompressed, potentially leading to a denial of service.
(CVE-2014-9601)

Andrew Drake discovered that Pillow incorrectly validated input. A remote attacker could use this to cause Pillow to crash, resulting in a denial of service. (CVE-2014-3589)

Eric Soroos discovered that Pillow incorrectly handled certain malformed FLI, Tiff, and PhotoCD files. A remote attacker could use this issue to cause Pillow to crash, resulting in a denial of service.
(CVE-2016-0740, CVE-2016-0775, CVE-2016-2533).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a flaw in processing a compressed text chunk in a PNG image could cause the image to have a large size when decompressed, potentially leading to a denial of service.
(CVE-2014-9601)

Andrew Drake discovered that Pillow incorrectly validated input. A remote attacker could use this to cause Pillow to crash, resulting in a denial of service. (CVE-2014-3589)

Eric Soroos discovered that Pillow incorrectly handled certain malformed FLI, Tiff, and PhotoCD files. A remote attacker could use this issue to cause Pillow to crash, resulting in a denial of service.
(CVE-2016-0740, CVE-2016-0775, CVE-2016-2533).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Eric Soroos discovered that the Python Imaging Library incorrectly handled certain malformed FLI or PhotoCD files. A remote attacker could use this issue to cause Python Imaging Library to crash, resulting in a denial of service. (CVE-2016-0775, CVE-2016-2533)

Andrew Drake discovered that the Python Imaging Libray incorrectly validated input. A remote attacker could use this to cause Python Imaging Library to crash, resulting in a denial of service.
(CVE-2014-3589).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security vulnerabilities have been found in Pillow, a Python imaging library, which may result in denial of service or the execution of arbitrary code if a malformed FLI, PCD or Tiff files is processed.

ID	Name	Product	Family	Severity
135635	EulerOS Virtualization 3.0.2.2 : python-pillow (EulerOS-SA-2020-1473)	Nessus	Huawei Local Security Checks	critical
134533	EulerOS Virtualization for ARM 64 3.0.2.0 : python-pillow (EulerOS-SA-2020-1244)	Nessus	Huawei Local Security Checks	medium
132189	EulerOS 2.0 SP3 : python-pillow (EulerOS-SA-2019-2654)	Nessus	Huawei Local Security Checks	high
131591	EulerOS 2.0 SP2 : python-pillow (EulerOS-SA-2019-2437)	Nessus	Huawei Local Security Checks	high
130688	EulerOS 2.0 SP5 : python-pillow (EulerOS-SA-2019-2226)	Nessus	Huawei Local Security Checks	medium
96227	GLSA-201612-52 : Pillow: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
93827	Ubuntu 14.04 LTS : Pillow regression (USN-3090-2)	Nessus	Ubuntu Local Security Checks	medium
93775	Ubuntu 14.04 LTS : Pillow vulnerabilities (USN-3090-1)	Nessus	Ubuntu Local Security Checks	medium
93559	Ubuntu 12.04 LTS : python-imaging vulnerabilities (USN-3080-1)	Nessus	Ubuntu Local Security Checks	medium
89005	Debian DSA-3499-1 : pillow - security update	Nessus	Debian Local Security Checks	medium

CVE-2016-2533

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

medium

high

high

medium

critical

medium

medium

medium

medium