Description
Potential buffer overflow in psd-tools
Impact
An issue was discovered in psd-tools before 1.9.4. The Cython implementation of RLE decoding did not check for malformed PSD input data during decoding to the PIL.Image or NumPy format, leading to a Buffer Overflow.
Patches
Users of psd-tools version v1.8.37 to v1.9.3 should upgrade to v1.9.4.
Workarounds
Without Cython present at installation time, the buffer overflow does not occur; an IndexError is thrown instead. However, an already installed psd-tools with the Cython extension should be upgraded.
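The defect described above is a decoder that trusts the run lengths in the compressed stream without checking them against the input it has left or the output buffer it is filling. PSD stores RLE-compressed image data in PackBits form. The following is an added example, not psd-tools' own code, of a PackBits decoder that writes into a preallocated, fixed-size output (the same shape of buffer a Cython or C implementation would use) and validates every read and write against the bounds first, so malformed input produces a clean ValueError rather than an out-of-bounds access. The sample streams are constructed for the example and do not come from any real PSD file.

```python
# Added example (not psd-tools' own code): a bounds-checked PackBits RLE decoder.
# PSD "RLE" image data is PackBits: a header byte h is followed by either
#   h in 0..127   -> copy the next h+1 bytes literally
#   h in 129..255 -> repeat the next single byte 257-h times
#   h == 128      -> no-op
# The decoder writes into a fixed-size destination of the length the PSD header
# promises; each run is checked against both input and output bounds before use.

def decode_packbits(data: bytes, expected_len: int) -> bytes:
    """Decode a PackBits stream into exactly expected_len bytes, or raise ValueError."""
    out = bytearray(expected_len)   # fixed-size destination, like a C/Cython buffer
    src = 0                         # read position in data
    dst = 0                         # write position in out
    n = len(data)
    while src < n:
        header = data[src]
        src += 1
        if header == 128:           # no-op marker
            continue
        if header < 128:            # literal run
            count = header + 1
            if src + count > n:
                raise ValueError("literal run reads past end of input")
            if dst + count > expected_len:
                raise ValueError("literal run writes past end of output")
            out[dst:dst + count] = data[src:src + count]
            src += count
        else:                       # repeat run
            count = 257 - header
            if src >= n:
                raise ValueError("repeat run has no value byte")
            if dst + count > expected_len:
                raise ValueError("repeat run writes past end of output")
            out[dst:dst + count] = bytes((data[src],)) * count
            src += 1
        dst += count
    if dst != expected_len:
        raise ValueError(f"decoded {dst} bytes, expected {expected_len}")
    return bytes(out)


def is_well_formed(data: bytes, expected_len: int) -> bool:
    """True if the stream decodes cleanly to exactly expected_len bytes."""
    try:
        decode_packbits(data, expected_len)
        return True
    except ValueError:
        return False


# Constructed sample streams (assumed inputs, not from any real file).
GOOD = b"\x02ABC" + b"\xfeZ"        # literal "ABC", then 'Z' repeated 257-254 = 3 times
TRUNCATED = b"\x05AB"               # claims 6 literal bytes, supplies only 2
OVERLONG = b"\x80" + b"\xf6Q"       # no-op, then 'Q' repeated 257-246 = 11 times

if __name__ == "__main__":
    print(decode_packbits(GOOD, 6))                      # b'ABCZZZ'
    for name, stream in (("truncated", TRUNCATED), ("overlong", OVERLONG)):
        print(name, "well-formed:", is_well_formed(stream, 6))   # False, False
```

The two malformed streams exercise the two directions in which an unchecked decoder goes wrong: TRUNCATED makes it read past the end of its input, OVERLONG makes it write past the end of a 6-byte row. The final length check also rejects streams that end early, which a decoder that silently returns a partially filled buffer would miss.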
References
https://github.com/psd-tools/psd-tools/pull/198
For more information
If you have any questions or comments about this advisory:
- Open an issue in psd-tools
References
- https://github.com/psd-tools/psd-tools/security/advisories/GHSA-22jr-vc7j-g762
- https://nvd.nist.gov/vuln/detail/CVE-2020-10571
- https://github.com/psd-tools/psd-tools/pull/198
- https://github.com/psd-tools/psd-tools/commit/fd51f8b4a52bc9c1c06d1035dfdf2cd920e87074
- https://github.com/psd-tools/psd-tools/releases/tag/v1.9.4
- https://github.com/pypa/advisory-database/tree/main/vulns/psd-tools/PYSEC-2020-91.yaml
Packages
psd-tools
>= 1.8.37, < 1.9.3
1.9.4
EPSS
9.3 Critical
CVSS4
9.8 Critical
CVSS3
CVE ID
Defects
Related vulnerabilities
An issue was discovered in psd-tools before 1.9.4. The Cython implementation of RLE decoding did not check for malicious data.
EPSS
9.3 Critical
CVSS4
9.8 Critical
CVSS3