Bugzilla – Bug 1160150
VUL-0: CVE-2020-5310: python-Pillow: TIFF decoding integer overflow, related to realloc
Last modified: 2020-10-21 09:24:33 UTC
CVE-2020-5310: libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5310
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-5310.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5310
https://github.com/python-pillow/Pillow/commit/4e2def2539ec13e53a82e06c4b3daf00454100c4
https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
Upstream fix: https://github.com/python-pillow/Pillow/commit/4e2def2539ec13e53a82e06c4b3daf00454100c4

Please submit for:
SUSE:SLE-12-SP3:Update:Products:SES5:Update
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
Looks like this CVE doesn't really affect SOC8 and SOC9. We have Pillow 4.2.1 / 5.2 in those products respectively.

The problematic realloc()s were added here:
https://github.com/python-pillow/Pillow/commit/f0436a4ddc954541fa10a531e2d9ea0c5ae2065d#diff-3263bc8c8967e8fb6699bb2171f35b76R250 (Pillow 5.3.0)
and here:
https://github.com/python-pillow/Pillow/commit/e91b851fdc1c914419543f485bdbaa010790719f#diff-3263bc8c8967e8fb6699bb2171f35b76R416 (Pillow 6.0.0)

Looking at other distros, e.g. Ubuntu (https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-5310.html), patched versions were released for Pillow >= 6.1.0, and versions <= 5.1.0 were marked as "not-affected".
Debian (https://security-tracker.debian.org/tracker/CVE-2020-5310) didn't even release a fix for Pillow 5.4.1, even though the notes mention that the bug was introduced by the same commits I linked earlier (Pillow 5.3.0 / 6.0.0). Only Pillow 7.0.0 in unstable was fixed.
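The bug class this ticket tracks, a strip-buffer size computed from untrusted TIFF tag values wrapping before it reaches realloc(), is shown below as an added illustration. This is not Pillow's code and does not reproduce the actual TiffDecode.c change in the upstream commit; the struct, function names and the tag values (width, rows per strip, bytes per pixel) are assumptions chosen to show the pattern, and the sample inputs are constructed.

```c
/* Illustrative only: a TIFF strip buffer size computed from tag values,
 * first unchecked (wraps), then with overflow checks, before realloc(). */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical tag values a decoder would read from the TIFF directory.
 * In a real file these are attacker-controlled. */
typedef struct {
    uint32_t image_width;
    uint32_t rows_per_strip;
    uint32_t bytes_per_pixel;
} strip_params_t;

/* Unchecked pattern: 32-bit arithmetic wraps modulo 2^32, so a crafted
 * width * rows * bpp can come out tiny (or negative once cast to int).
 * A realloc() of that size gives a buffer far smaller than the strip
 * the decoder will write into it. */
int strip_size_unchecked(const strip_params_t *p)
{
    return (int)(p->image_width * p->rows_per_strip * p->bytes_per_pixel);
}

/* Checked pattern: widen to size_t, test for overflow before each
 * multiply, and refuse anything above INT_MAX (the int-sized limit that
 * C image libraries commonly use for buffer lengths).
 * Returns 0 and stores the size on success, -1 on overflow/zero input. */
int strip_size_checked(const strip_params_t *p, size_t *out)
{
    size_t bytes_per_line, total;

    if (p->image_width == 0 || p->rows_per_strip == 0 || p->bytes_per_pixel == 0)
        return -1;
    if (p->image_width > SIZE_MAX / p->bytes_per_pixel)
        return -1;
    bytes_per_line = (size_t)p->image_width * p->bytes_per_pixel;
    if (bytes_per_line > SIZE_MAX / p->rows_per_strip)
        return -1;
    total = bytes_per_line * p->rows_per_strip;
    if (total > (size_t)INT_MAX)
        return -1;
    *out = total;
    return 0;
}

/* Grow a strip buffer only after the size survived the checks above.
 * Returns 0 on success, -1 if the size is bad or realloc() fails. */
int grow_strip_buffer(unsigned char **buf, size_t *cap, const strip_params_t *p)
{
    size_t need;
    if (strip_size_checked(p, &need) != 0)
        return -1;
    if (need > *cap) {
        unsigned char *nb = realloc(*buf, need);
        if (nb == NULL)
            return -1;
        *buf = nb;
        *cap = need;
    }
    return 0;
}

/* Constructed sample inputs: a benign strip and a crafted one whose
 * product is exactly 2^32, which wraps to 0 in 32-bit arithmetic. */
static const strip_params_t benign  = { 640u, 8u, 3u };
static const strip_params_t crafted = { 0x10000u, 0x10000u, 1u };

int  demo_unchecked_benign(void)  { return strip_size_unchecked(&benign); }
int  demo_unchecked_crafted(void) { return strip_size_unchecked(&crafted); }
long demo_checked_benign(void)    { size_t n; return strip_size_checked(&benign,  &n) == 0 ? (long)n : -1L; }
long demo_checked_crafted(void)   { size_t n; return strip_size_checked(&crafted, &n) == 0 ? (long)n : -1L; }

int main(void)
{
    unsigned char *buf = NULL;
    size_t cap = 0;

    printf("benign : unchecked=%d checked=%ld\n", demo_unchecked_benign(), demo_checked_benign());
    printf("crafted: unchecked=%d checked=%ld\n", demo_unchecked_crafted(), demo_checked_crafted());
    printf("grow benign : %d\n", grow_strip_buffer(&buf, &cap, &benign));
    printf("grow crafted: %d\n", grow_strip_buffer(&buf, &cap, &crafted));
    free(buf);
    return 0;
}
```

The crafted input is the whole point: the unchecked path hands realloc() a size of 0 while the decoder still believes it has room for 65536 rows of 65536 pixels, whereas the checked path rejects it before any allocation happens. Checking each multiplication separately matters because a check only on the final product is itself computed on already-wrapped values.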