Bugzilla – Bug 965579
VUL-0: CVE-2016-0740: python-pillow: Integer overflow resulting in buffer overflow when reading invalid tiff file
Last modified: 2016-08-31 16:21:44 UTC
Quoting from RH BZ:
"It was reported that python-pillow 3.1.0 when linked against libtiff >= 4.0.0 may overflow a buffer when reading a specially crafted tiff file. libtiff >=4.0.0 changed the return type of TIFFScanlineSize from int32 to machine dependent int32|64. If the scanline is sized so that it overflows an int32, it may be interpreted as a negative number, which will then pass the size check in TiffDecode.c line 236. To do this, the logical scanline size has to be > 2gb. If the size of allocated buffer is 64k, any image data over 64k is written over the heap, causing a segfault. Original bug report (contains reproducer): https://bugzilla.redhat.com/show_bug.cgi?id=1298648"
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1298874
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0740
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0740.html
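The size check described in the quoted report, shown as an added example that is not code from Pillow, libtiff or this bug report. The function names and sample sizes are hypothetical, and the shape of the pre-fix check is inferred from the description above, not copied from TiffDecode.c.

```c
#include <stdint.h>
#include <stdio.h>

#define BUF_BYTES 65536  /* the 64k decode buffer mentioned in the report */

/* Assumed shape of the pre-fix check: the scanline size returned by
 * libtiff >= 4.0.0 (64-bit on LP64 systems) is stored in a signed 32-bit
 * integer before being compared with the buffer size. */
static int accepts_narrowed(int64_t scanline_size)
{
    /* Out-of-range narrowing is implementation-defined in C;
     * gcc and clang wrap modulo 2^32. */
    int32_t size = (int32_t)(uint32_t)scanline_size;
    return size <= BUF_BYTES;  /* a negative size compares as "fits" */
}

/* Hardened form: range-check in the wide type first, then compare. */
static int accepts_checked(int64_t scanline_size)
{
    if (scanline_size <= 0 || scanline_size > INT32_MAX)
        return 0;
    return scanline_size <= BUF_BYTES;
}

int main(void)
{
    /* Constructed sample sizes, not taken from the reproducer file.
     * 834 is one RGB scanline of a 278-pixel-wide image (278 * 3). */
    const int64_t samples[] = { 834, 65536, 65537, 3000000000LL };
    size_t n = sizeof samples / sizeof samples[0];

    for (size_t i = 0; i < n; i++) {
        printf("size=%lld narrowed=%s checked=%s\n",
               (long long)samples[i],
               accepts_narrowed(samples[i]) ? "accept" : "reject",
               accepts_checked(samples[i]) ? "accept" : "reject");
    }
    return 0;
}
```

Only the last sample, a size above 2 GB, is treated differently: the narrowed check accepts it because it has become negative, while the range-checked form rejects it.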
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (965579) was mentioned in https://build.opensuse.org/request/show/363563 Factory / python-Pillow
This is an autogenerated message for OBS integration: This bug (965579) was mentioned in https://build.opensuse.org/request/show/363590 42.1+13.2 / python-Pillow
openSUSE-SU-2016:0762-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 965579,965582 CVE References: CVE-2016-0740,CVE-2016-0775 Sources used: openSUSE Leap 42.1 (src): python-Pillow-2.9.0-6.1 openSUSE 13.2 (src): python-Pillow-2.8.1-3.6.1
all relevant packages submitted. handing over to security
Created attachment 671093: tiff_adobe_deflate.tif
tif sample from: https://github.com/python-pillow/Pillow/commit/a130c45990578a1bb0a6a000ed1b110e27324910
+def test_adobe_deflate_tiff(): + file = "Tests/images/tiff_adobe_deflate.tif" + im = Image.open(file) + + assert_equal(im.mode, "RGB") + assert_equal(im.size, (278, 374)) + assert_equal(im.tile, [('tiff_adobe_deflate', (0, 0, 278, 374), 0, + ('RGB', 'tiff_adobe_deflate', 4))]) + assert_no_exception(lambda: im.load()) is the testcase diff in there
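Review bot: the only decode check in test_adobe_deflate_tiff is `assert_no_exception(lambda: im.load())` on a 278x374 RGB file, so it covers the well-formed path only and says nothing about the oversized-scanline condition this bug describes. Consider a companion case with a file whose declared scanline size exceeds the decode buffer, asserting that `im.load()` raises instead of completing. Minor: the local name `file` shadows the Python 2 builtin, and `im.load` can be passed directly instead of wrapping it in a lambda.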
SUSE-SU-2016:0924-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 965579,965582 CVE References: CVE-2016-0740,CVE-2016-0775 Sources used: SUSE OpenStack Cloud 5 (src): python-Pillow-2.7.0-9.1
SUSE-SU-2016:0935-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 965579,965582 CVE References: CVE-2016-0740,CVE-2016-0775 Sources used: SUSE OpenStack Cloud 6 (src): python-Pillow-2.7.0-3.1 SUSE Enterprise Storage 2.1 (src): python-Pillow-2.7.0-3.1
SUSE-SU-2016:1355-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 965579,965582 CVE References: CVE-2016-0740,CVE-2016-0775 Sources used: SUSE Enterprise Storage 1.0 (src): python-Pillow-2.7.0-7.1
SUSE-SU-2016:1569-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 965579,965582 CVE References: CVE-2016-0740,CVE-2016-0775 Sources used: SUSE Enterprise Storage 2 (src): python-Pillow-2.7.0-3.2
released