Buffer Overflow

Create issue
Issue #25 new
Former user created an issue

Vulnerable software

PIL (Python Imaging Library) and Pillow libraries Version: all OS: Archlinux only

http://www.pythonware.com/products/pil/ https://github.com/collective/Pillow

Severity level

Severity: Medium Impact: Buffer Overflow Attack vector: remote

CVSS v2: Base Score: 4.3
Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) CVE: not assign

Software description

PIL is an open source Python library that is developed to handle images.

Vulnerability description

The specialists of Positive Research, the Positive Technologies company, detected a buffer overflow vulnerability in PIL and Pillow libraries.

Vulnerablity in libImaging/Storage.c file

Vulnerable code: 186 strcpy(im->mode, mode);

im->mode is an array of 5 bytes. If an attacker manages to load an image with YCbCr color space, it cause off-by-one error because of terminated NULL-byte.

Example of a vulnerable code: from PIL import Image Image.frombuffer('YCbCr',(1,1), '1')

Credits The vulnerability was detected by Pavel Toporkov, Positive Research Center (Positive Technologies Company)

Comments (2)

  1. Fredrik Lundh repo owner

    Thanks for the report! The mode array is followed by a set of integer fields in the struct, which would render a one-byte overwrite harmless under normal circumstances. Does archlinux's compiler store or initialize struct fields in an unusual order?

    (Feel free to contact me directly at fredrik.lundh at gmail.com if you have more details.)

  2. Log in to comment