oss-sec mailing list archives
Re: CVE Request -- Buffer overflow in Python-Pillow and PIL
From: cve-assign () mitre org
Date: Mon, 22 Feb 2016 08:09:22 -0500 (EST)
There is a buffer overflow in PcdDecode.c, where the decoder writes assuming 4 bytes per pixel into a 3 byte per pixel wide buffer, allowing writing 768 bytes off the end of the buffer. This overwrites objects in Python's stack, leading to a crash.
https://github.com/python-pillow/Pillow/pull/1706
The shuffle buffer is initialized to 24bpp, and the pcd decoder offsets 32bpp.
https://github.com/python-pillow/Pillow/commits/master/libImaging/PcdDecode.c
https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4
https://github.com/python-pillow/Pillow/commits/3.1.x/libImaging/PcdDecode.c
https://github.com/python-pillow/Pillow/commit/5bdf54b5a76b54fb00bd05f2d733e0a4173eefc9
http://www.pythonware.com/products/pil/
http://effbot.org/downloads/Imaging-1.1.7.tar.gz
Use CVE-2016-2533 for the issue in Python-Pillow before 3.1.1, and in PIL 1.1.7 and earlier.
-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
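The 24bpp-versus-32bpp mismatch described in the message above, as an added example that is not part of the original post and is not Pillow's code: a row writer that checks the stepped extent against the buffer size before writing. The names row_overrun, interleave_row and demo are hypothetical, and the 768-pixel row width is an assumption chosen to match the 768-byte figure in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WIDTH 768u   /* assumed row width; yields the 768-byte figure in the report */

/* Bytes by which a writer stepping `stride` bytes per pixel runs past a
 * buffer of `cap` bytes (0 when the whole row fits). */
static size_t row_overrun(size_t width, size_t stride, size_t cap)
{
    if (stride != 0 && width > SIZE_MAX / stride)
        return SIZE_MAX;                 /* width * stride would wrap */
    size_t need = width * stride;
    return need > cap ? need - cap : 0;
}

/* Interleave three planes into `out`, advancing `stride` bytes per pixel.
 * Writes nothing and returns -1 unless the whole row fits in `cap` bytes. */
static int interleave_row(uint8_t *out, size_t cap, size_t stride,
                          const uint8_t *y, const uint8_t *cb,
                          const uint8_t *cr, size_t width)
{
    if (stride < 3 || row_overrun(width, stride, cap) != 0)
        return -1;
    for (size_t x = 0; x < width; x++, out += stride) {
        out[0] = y[x];
        out[1] = cb[x];
        out[2] = cr[x];
    }
    return 0;
}

/* Constructed input: returns 0 when the 32bpp walk is refused and the
 * 24bpp walk fills the buffer correctly. */
static int demo(void)
{
    static uint8_t y[WIDTH], cb[WIDTH], cr[WIDTH];
    static uint8_t shuffle[WIDTH * 3];   /* sized for 24bpp, as in the report */
    for (size_t i = 0; i < WIDTH; i++) { y[i] = (uint8_t)i; cb[i] = 0x80; cr[i] = 0x7f; }
    int bad  = interleave_row(shuffle, sizeof shuffle, 4, y, cb, cr, WIDTH);
    int good = interleave_row(shuffle, sizeof shuffle, 3, y, cb, cr, WIDTH);
    return (bad == -1 && good == 0 && shuffle[3 * 767] == (uint8_t)767) ? 0 : 1;
}

int main(void)
{
    printf("overrun at 4 bytes/pixel: %zu bytes\n", row_overrun(WIDTH, 4, WIDTH * 3));
    return demo();
}
```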
Current thread:
- CVE Request -- Buffer overflow in Python-Pillow and PIL Eric Soroos (Feb 02)
- Re: CVE Request -- Buffer overflow in Python-Pillow and PIL Stefan Cornelius (Feb 22)
- Re: CVE Request -- Buffer overflow in Python-Pillow and PIL cve-assign (Feb 22)