EIQ-2021-0002#

ID	EIQ-2021-0002
CVE	CVE-2020-35653 CVE-2020-35654
Description	Pillow is vulnerable to buffer overflow
Date	25 Jan 2021
Severity	2 - MEDIUM
CVSSv3 score	7.1 8.8
Status	⏲ Planned for 2.10.0
Assessment	Pillow is a fork of PIL (Python Image Library). Pillow versions 8.0.1 and earlier are vulnerable to (heap) buffer overflow when processing images with the PCX image decoder and with LibTIFF in the following scenarios: The PCX image decoder calculates row buffer by using the reported image stride, instead of the image size. LibTIFF versions 4.1.0 and earlier cause an OOB Write out-of-bounds write error in TiffDecode.c when reading corrupt or malformed YCbCr files.
Mitigation	Pillow 8.1.0 addresses these vulnerabilities.
Affected versions	2.9.1 and earlier.
Notes	For more information, see CVE-2020-35653 on mitre.org CVE-2020-35654 on mitre.org CWE 119: Improper Restriction of Operations within the Bounds of a Memory Buffer SNYK-PYTHON-PILLOW-1055461 SNYK-PYTHON-PILLOW-1059090 Security fixes in Pillow release notes 8.1.0 GitHub PR with the fix GitHub PR with the fix