This content cannot be displayed without JavaScript.
Please enable JavaScript and reload the page.

EIQ-2021-0002

ID	EIQ-2021-0002
CVE	CVE-2020-35653 CVE-2020-35654
Description	Pillow is vulnerable to buffer overflow
Date	25 Jan 2021
Severity	2 - MEDIUM
CVSSv3 score	7.1 8.8
Status	2.10.0
Assessment	Pillow is a fork of PIL (Python Image Library). Pillow versions 8.0.1 and earlier are vulnerable to (heap) buffer overflow when processing images with the PCX image decoder and with LibTIFF in the following scenarios: The PCX image decoder calculates row buffer by using the reported image stride, instead of the image size. LibTIFF versions 4.1.0 and earlier cause an `OOB Write` out-of-bounds write error in `TiffDecode.c` when reading corrupt or malformed YCbCr files.
Mitigation	Pillow 8.1.0 addresses these vulnerabilities.
Affected versions	2.9.1 and earlier.
Notes	For more information, see CVE-2020-35653 on mitre.org CVE-2020-35654 on mitre.org CWE 119: Improper Restriction of Operations within the Bounds of a Memory Buffer SNYK-PYTHON-PILLOW-1055461 SNYK-PYTHON-PILLOW-1059090 Security fixes in Pillow release notes 8.1.0 GitHub PR with the fix GitHub PR with the fix This section is not visible to users accessing the public docs, it's for internal reference See also: Slack convo in the engineering-release channel Slack convo in the psirt-ops channel

< Back to all security issues and mitigation actions

In release notes 2.9.1

In release notes 2.9.2

In release notes 2.10.0