EIQ-2021-0002

ID

EIQ-2021-0002

CVE

CVE-2020-35653

CVE-2020-35654

Description

Pillow is vulnerable to buffer overflow

Date

25 Jan 2021

Severity

2 - MEDIUM

CVSSv3 score

7.1

8.8

Status

⏲ Planned for 2.10.0

Assessment

Pillow is a fork of PIL (Python Image Library).

Pillow versions 8.0.1 and earlier are vulnerable to a (heap) buffer overflow when processing images with the PCX image decoder or with LibTIFF, in the following scenarios:

  • The PCX image decoder calculates the row buffer size from the stride reported in the file header instead of from the image size.

  • LibTIFF versions 4.1.0 and earlier cause an out-of-bounds write in TiffDecode.c when reading corrupt or malformed YCbCr files.

Mitigation

Pillow 8.1.0 addresses these vulnerabilities.

Affected versions

2.9.1 and earlier.

Notes

For more information, see