CVE-2020-35653
Buffer Over-read vulnerability in pillow (PyPI)
What is CVE-2020-35653 About?
In Pillow before 8.1.0, a buffer over-read can occur in PcxDecode when decoding a crafted PCX file. This vulnerability is caused by trusting a user-supplied stride value for buffer calculations, which can lead to information disclosure or a denial of service and is easily exploitable with a malformed file.
Affected Software
Technical Details
The vulnerability is located in the PcxDecode component of Pillow, which handles PCX (PC Paintbrush Picture) image files. When decoding a crafted PCX file, the PcxDecode function directly uses a user-supplied 'stride' value in its buffer calculations without proper validation. The stride value dictates how many bytes to advance per row or block of pixels. If an attacker provides a manipulated or excessively large stride value, the function can attempt to read beyond the boundaries of an allocated buffer. This buffer over-read can lead to crashes (denial of service), or in some cases, the exposure of sensitive memory contents, potentially leading to information disclosure.
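As an added illustration (not Pillow's code and not taken from the fix commit linked below), the following Python snippet parses the fixed 128-byte PCX header and checks that the declared bytes-per-line (the stride at offset 66) is at least what one row of pixels requires, given the image width and bits per pixel. The two headers at the bottom are constructed samples: one consistent, one that declares a stride far too small for its width, the kind of inconsistency an application could reject before handing an uploaded file to a decoder.

```python
import struct

PCX_HEADER_LEN = 128  # the PCX header is always 128 bytes


def parse_pcx_header(header: bytes) -> dict:
    """Extract the header fields needed to sanity-check the stride."""
    if len(header) < PCX_HEADER_LEN or header[0] != 0x0A:
        raise ValueError("not a PCX header")
    bits = header[3]                                   # bits per pixel per plane
    xmin, ymin, xmax, ymax = struct.unpack_from("<4H", header, 4)
    planes = header[65]                                # number of colour planes
    stride = struct.unpack_from("<H", header, 66)[0]   # declared bytes per line
    return {"bits": bits, "planes": planes, "stride": stride,
            "width": xmax - xmin + 1, "height": ymax - ymin + 1}


def expected_stride(width: int, bits: int) -> int:
    """Minimum bytes per plane per row; PCX rows are padded to an even length."""
    stride = (width * bits + 7) // 8
    return stride + (stride % 2)


def stride_is_safe(header: bytes) -> bool:
    """True when the declared stride covers a full row of pixels.

    A decoder that trusts a stride inconsistent with the image width (the
    pattern described for CVE-2020-35653) can read outside its row buffer,
    so reject headers whose stride is smaller than the computed minimum."""
    h = parse_pcx_header(header)
    if h["width"] <= 0 or h["height"] <= 0 or h["bits"] not in (1, 2, 4, 8):
        return False
    return h["stride"] >= expected_stride(h["width"], h["bits"])


def make_header(width: int, height: int, bits: int, planes: int, stride: int) -> bytes:
    """Build a constructed (hypothetical) PCX header for testing."""
    hdr = bytearray(PCX_HEADER_LEN)
    hdr[0], hdr[1], hdr[2], hdr[3] = 0x0A, 5, 1, bits   # magic, version, RLE, bpp
    struct.pack_into("<4H", hdr, 4, 0, 0, width - 1, height - 1)
    hdr[65] = planes
    struct.pack_into("<H", hdr, 66, stride)
    return bytes(hdr)


# Constructed samples: a consistent 100x10 8-bit image, and one whose
# header claims only 16 bytes per row for a 100-pixel-wide image.
GOOD_HEADER = make_header(100, 10, 8, 1, 100)
CRAFTED_HEADER = make_header(100, 10, 8, 1, 16)
```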
What is the Impact of CVE-2020-35653?
Successful exploitation may allow attackers to cause a denial of service by crashing the application, or potentially lead to information disclosure from adjacent memory regions. This could compromise system stability or expose sensitive data.
What is the Exploitability of CVE-2020-35653?
Exploitation is relatively straightforward and typically involves providing a specifically crafted PCX image file to an application using Pillow for image processing. Remote exploitation is possible if the application allows untrusted users to upload or process images. No authentication or elevated privileges are required, as the vulnerability is triggered during the decoding process. The primary risk factor is the acceptance of PCX formatted image files from untrusted sources, which directly increases the likelihood of an attacker supplying a malicious file.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-35653?
Available Upgrade Options
- pillow
  - <8.1.0 → Upgrade to 8.1.0
Additional Resources
- https://osv.dev/vulnerability/GHSA-f5g8-5qq7-938w
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE
- https://nvd.nist.gov/vuln/detail/CVE-2020-35653
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-69.yaml
- https://pillow.readthedocs.io/en/stable/releasenotes/index.html
- https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
- https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD
What are Similar Vulnerabilities to CVE-2020-35653?
Similar Vulnerabilities: CVE-2021-28676, CVE-2021-28675, CVE-2021-27921, CVE-2020-10878, CVE-2019-16785
