EIQ-2021-0002


ID

EIQ-2021-0002

CVE

CVE-2020-35653

CVE-2020-35654

Description

Pillow is vulnerable to buffer overflow

Date

25 Jan 2021

Severity

2 - MEDIUM

CVSSv3 score

7.1

8.8

Status

Fixed in 2.10.0

Assessment

Pillow is a fork of PIL (the Python Imaging Library).
Pillow versions 8.0.1 and earlier are vulnerable to a (heap) buffer overflow when processing images with the PCX image decoder or through LibTIFF, in the following scenarios:

  • The PCX image decoder sizes its row buffer from the stride reported in the file header instead of from the actual image size.

  • LibTIFF versions 4.1.0 and earlier cause an out-of-bounds (OOB) write in TiffDecode.c when reading corrupt or malformed YCbCr files.

Mitigation

Pillow 8.1.0 addresses these vulnerabilities.
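As an added example (not part of this advisory), the following script flags Pillow pins below the 8.1.0 fix release in `pip freeze` output, so an environment can be checked against the two CVEs above. The freeze lines in SAMPLE_FREEZE are constructed.

```python
"""Flag Pillow pins affected by CVE-2020-35653 / CVE-2020-35654 in pip-freeze output."""
import re

FIXED_IN = (8, 1, 0)  # Pillow 8.1.0 addresses both CVEs (per the advisory above)
CVES = ("CVE-2020-35653", "CVE-2020-35654")

# Constructed sample of `pip freeze` output; not from any real environment.
SAMPLE_FREEZE = """\
certifi==2020.12.5
Pillow==8.0.1
requests==2.25.1
numpy==1.19.5
"""


def parse_version(text):
    """Turn '8.0.1', '7.2' or '8.1.0a1' into a comparable (major, minor, patch) tuple.
    Pre-release suffixes are dropped, so '8.1.0a1' compares as 8.1.0; a stricter
    scanner should use packaging.version instead of this approximation."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(version):
    """True when the given Pillow version predates the 8.1.0 fix."""
    return parse_version(version) < FIXED_IN


def scan_freeze(freeze_text):
    """Return [(line_no, version)] for every exact Pillow pin below 8.1.0."""
    findings = []
    for n, line in enumerate(freeze_text.splitlines(), 1):
        m = re.match(r"^\s*pillow\s*==\s*([^\s;#]+)", line, re.IGNORECASE)
        if m and is_affected(m.group(1)):
            findings.append((n, m.group(1)))
    return findings


def report(freeze_text):
    """Human-readable findings, one line per affected pin."""
    return [f"line {n}: Pillow=={v} is affected by {', '.join(CVES)}; upgrade to >=8.1.0"
            for n, v in scan_freeze(freeze_text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FREEZE)) or "no affected Pillow pins found")
```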

Affected versions

2.9.1 and earlier.

Notes

For more information, see


See also:


In release notes 2.9.1

In release notes 2.9.2

In release notes 2.10.0