Bugzilla – Bug 965582
VUL-0: CVE-2016-0775: python-pillow: Buffer overflow in FliDecode.c
Last modified: 2020-10-13 20:03:33 UTC
Quoting from RH BZ:

"A buffer overflow vulnerability in FliDecode.c was reported, affecting all versions of python-pillow at least from 1.1.7 release.

Vulnerable code:

    case 16:
        /* COPY chunk */
        for (y = 0; y < state->ysize; y++) {
            UINT8* buf = (UINT8*) im->image[y];
            memcpy(buf+x, data, state->xsize);
            data += state->xsize;
        }
        break;

x is used in several internal temporary variable roles, but can take a value up to the width of the image from different chunk sizes. im->image[y] is a set of row pointers to segments of memory that are the size of the row. At the max y, this will write the contents of the line off the end of the memory buffer. This writes into python object storage in a region where there are function pointers.

Reproducer and proposed fix can be found in original bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1300660
"

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1301621
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0775
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0775.html
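An added example (not part of the bug report and not Pillow's code) that models the COPY chunk quoted above in C and shows a checked version of the row copy: the destination span [x, x + xsize) must fit inside a row of xsize bytes, which only holds for x == 0. `State`, `copy_chunk` and `demo` are names made up for this sketch, and the source-length check is an extra precaution the report does not discuss.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the decoder state in the quoted snippet;
 * the real structure has more fields. */
typedef struct { int xsize, ysize; } State;

/* Checked COPY chunk. Every rows[y] points at exactly s->xsize bytes.
 * x is the leftover column offset that the quoted code adds to buf.
 * Returns 0 on success, -1 if any write or read would leave its buffer. */
int copy_chunk(uint8_t **rows, const State *s, int x,
               const uint8_t *data, size_t data_len)
{
    if (s->xsize <= 0 || s->ysize <= 0)
        return -1;
    size_t row = (size_t)s->xsize;

    /* Destination: [x, x + row) must lie inside [0, row). A stale x > 0
     * is exactly the overrun described in the report. */
    if (x < 0 || (size_t)x + row > row)
        return -1;

    /* Source: the chunk must carry ysize full rows (division avoids
     * overflow in ysize * xsize). Added precaution, not from the report. */
    if (data_len / row < (size_t)s->ysize)
        return -1;

    for (int y = 0; y < s->ysize; y++) {
        memcpy(rows[y] + x, data, row);
        data += row;
    }
    return 0;
}

/* Constructed 4x2 frame: returns 0 when all three cases behave as expected. */
int demo(void)
{
    State s = { 4, 2 };
    uint8_t r0[4] = {0}, r1[4] = {0}, *rows[2] = { r0, r1 };
    const uint8_t data[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

    if (copy_chunk(rows, &s, 0, data, sizeof data) != 0) return 1;
    if (memcmp(r1, data + 4, 4) != 0) return 2;
    if (copy_chunk(rows, &s, 3, data, sizeof data) != -1) return 3; /* stale x */
    if (copy_chunk(rows, &s, 0, data, 7) != -1) return 4;       /* short chunk */
    return 0;
}

int main(void) { printf("demo: %d\n", demo()); return demo(); }
```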
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (965582) was mentioned in https://build.opensuse.org/request/show/363563 Factory / python-Pillow
This is an autogenerated message for OBS integration: This bug (965582) was mentioned in https://build.opensuse.org/request/show/363590 42.1+13.2 / python-Pillow
openSUSE-SU-2016:0762-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 965579,965582 CVE References: CVE-2016-0740,CVE-2016-0775 Sources used: openSUSE Leap 42.1 (src): python-Pillow-2.9.0-6.1 openSUSE 13.2 (src): python-Pillow-2.8.1-3.6.1
all relevant packages submitted. handing over to security
Created attachment 671095 [details]
fli_overflow.fli

fli overflow file.

testcase from testframework:

    from helper import unittest, PillowTestCase

    from PIL import Image

    TEST_FILE = "Tests/images/fli_overflow.fli"


    class TestFliOverflow(PillowTestCase):
        def test_fli_overflow(self):

            # this should not crash with a malloc error or access violation
            im = Image.open(TEST_FILE)
            im.load()

    if __name__ == '__main__':
        unittest.main()
SUSE-SU-2016:0924-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 965579,965582 CVE References: CVE-2016-0740,CVE-2016-0775 Sources used: SUSE OpenStack Cloud 5 (src): python-Pillow-2.7.0-9.1
SUSE-SU-2016:0935-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 965579,965582 CVE References: CVE-2016-0740,CVE-2016-0775 Sources used: SUSE OpenStack Cloud 6 (src): python-Pillow-2.7.0-3.1 SUSE Enterprise Storage 2.1 (src): python-Pillow-2.7.0-3.1
SUSE-SU-2016:1355-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 965579,965582 CVE References: CVE-2016-0740,CVE-2016-0775 Sources used: SUSE Enterprise Storage 1.0 (src): python-Pillow-2.7.0-7.1
SUSE-SU-2016:1569-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 965579,965582 CVE References: CVE-2016-0740,CVE-2016-0775 Sources used: SUSE Enterprise Storage 2 (src): python-Pillow-2.7.0-3.2
released
SUSE-SU-2020:2057-1: An update that fixes 8 vulnerabilities is now available. Category: security (important) Bug References: 1153191,1160152,1160153,1160192,1173413,1173416,1173418,965582 CVE References: CVE-2016-0775,CVE-2019-16865,CVE-2019-19911,CVE-2020-10177,CVE-2020-10378,CVE-2020-10994,CVE-2020-5312,CVE-2020-5313 JIRA References: Sources used: SUSE Enterprise Storage 5 (src): python-Pillow-2.8.1-3.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2911-1: An update that fixes 15 vulnerabilities, contains two features is now available. Category: security (critical) Bug References: 1117080,1154434,1164140,1171823,1172450,1173413,1173416,1173418,1174583,1175484,965582 CVE References: CVE-2016-0775,CVE-2018-17954,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2019-15043,CVE-2020-10177,CVE-2020-10378,CVE-2020-10744,CVE-2020-10994,CVE-2020-11110,CVE-2020-12052,CVE-2020-13379,CVE-2020-1733,CVE-2020-17376 JIRA References: SOC-11352,SOC-11389 Sources used: SUSE OpenStack Cloud 7 (src): ansible-2.2.3.0-17.2, crowbar-core-4.0+git.1600767499.0615a418f-9.69.3, crowbar-openstack-4.0+git.1599037255.25b759234-9.74.4, grafana-6.7.4-1.17.1, grafana-natel-discrete-panel-0.0.9-1.6.5, openstack-aodh-3.0.5~dev2-2.11.2, openstack-aodh-doc-3.0.5~dev2-2.11.1, openstack-barbican-3.0.1~dev9-2.12.4, openstack-barbican-doc-3.0.1~dev9-2.12.2, openstack-cinder-9.1.5~dev6-4.28.1, openstack-cinder-doc-9.1.5~dev6-4.28.1, openstack-gnocchi-3.0.7~dev1-2.8.2, openstack-heat-7.0.7~dev10-5.17.3, openstack-heat-doc-7.0.7~dev10-5.17.2, openstack-ironic-6.2.5~dev3-2.8.2, openstack-ironic-doc-6.2.5~dev3-2.8.2, openstack-magnum-3.3.2~dev7-14.14.4, openstack-magnum-doc-3.3.2~dev7-14.14.2, openstack-manila-3.0.1~dev30-4.17.2, openstack-manila-doc-3.0.1~dev30-4.17.1, openstack-monasca-agent-1.10.1~dev4-13.3, openstack-murano-3.0.1~dev21-7.5.3, openstack-murano-doc-3.0.1~dev21-7.5.1, openstack-neutron-9.4.2~dev21-7.43.2, openstack-neutron-doc-9.4.2~dev21-7.43.1, openstack-neutron-vpnaas-9.0.1~dev8-5.8.2, openstack-neutron-vpnaas-doc-9.0.1~dev8-5.8.2, openstack-nova-14.0.11~dev13-4.45.3, openstack-nova-doc-14.0.11~dev13-4.45.2, openstack-sahara-5.0.2~dev3-14.3, openstack-sahara-doc-5.0.2~dev3-14.1, python-Pillow-2.8.1-4.17.2, rubygem-crowbar-client-3.9.3-7.23.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.