Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-25289

Опубликовано: 28 фев. 2021
Источник: redhat
CVSS3: 9.8

Описание

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.

A flaw was found in python-pillow. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. The previous fix for CVE-2020-35654 was insufficient due to incorrect error checking in TiffDecode.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Отчет

python-pillow as shipped with Red Hat Enterprise Linux 7 and 8 are not affected by this flaw as the flaw was introduced in a newer version than shipped.

Меры по смягчению последствий

Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 7python-pillowNot affected
Red Hat Enterprise Linux 8python-pillowNot affected
Red Hat Enterprise Linux 9python-pillowNot affected
Red Hat Quay 3quay/quay-rhel8FixedRHSA-2021:391719.10.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-120
https://bugzilla.redhat.com/show_bug.cgi?id=1934680python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c

9.8 Critical

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-25289

CVSS3: 9.8
ubuntu
почти 5 лет назад

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.

nvd логотип

CVE-2021-25289

CVSS3: 9.8
nvd
почти 5 лет назад

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.

debian логотип

CVE-2021-25289

CVSS3: 9.8
debian
почти 5 лет назад

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap- ...

github логотип

GHSA-57h3-9rgr-c24m

CVSS3: 9.8
github
почти 5 лет назад

Out of bounds write in Pillow

fstec логотип

BDU:2022-02667

CVSS3: 9.8
fstec
больше 4 лет назад

Уязвимость библиотеки для работы с изображениями Pillow, вызванная переполнением буфера в динамической памяти, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации

9.8 Critical

CVSS3