CVE-2020-35654
Heap-based Buffer Overflow vulnerability in pillow (PyPI)
What is CVE-2020-35654 About?
This vulnerability is a heap-based buffer overflow in `TiffDecode` in Pillow before 8.1.0 when decoding crafted YCbCr files. Successful exploitation could lead to arbitrary code execution or denial of service. The exploitability is moderate, requiring specific malformed input.
Affected Software
Technical Details
The vulnerability occurs in the TiffDecode component of Pillow when handling specially crafted YCbCr TIFF files. The root cause is a heap-based buffer overflow, triggered by an interpretation conflict that arises when LibTIFF processes these files in RGBA mode: the decoder writes data beyond the buffer allocated on the heap. Because the attacker controls the input data, the overflow can overwrite adjacent memory regions. This can lead to crashes (denial of service) or, under carefully controlled conditions, arbitrary code execution by corrupting critical program data structures or function pointers residing on the heap.
What is the Impact of CVE-2020-35654?
Successful exploitation may allow attackers to achieve arbitrary code execution, facilitate information disclosure, or cause a denial of service by crashing the application due to memory corruption.
What is the Exploitability of CVE-2020-35654?
Exploitation involves providing a specially crafted YCbCr TIFF image file to an application using vulnerable versions of Pillow. The complexity is moderate to high, as it requires detailed knowledge of TIFF file format specifications, YCbCr color spaces, and specific memory layout within the TiffDecode process to achieve reliable code execution. No authentication or elevated privileges are required, making it a remote attack if the service processes untrusted image uploads. The primary risk factor is the acceptance and processing of user-supplied TIFF images. Special conditions include the precise crafting of header fields and pixel data to trigger the interpretation conflict and subsequent buffer overflow, which can be challenging to achieve for arbitrary code execution.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-35654?
Available Upgrade Options
- pillow
  - <8.1.0 → Upgrade to 8.1.0
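The exploitability section above identifies the risk factor as accepting user-supplied TIFF images while running a Pillow release before 8.1.0, and the fix is to upgrade. The following is an added example, not code from the advisory or from the Pillow project, of the two checks a service that takes image uploads can run before handing a file to Pillow: a version comparison against the fixed release 8.1.0, and a magic-byte sniff that identifies TIFF input (the format TiffDecode handles) regardless of the attacker-controlled file extension. The function names, the `FIXED_VERSION` constant and the sample byte strings are assumptions constructed for the example.

```python
"""Defensive upload gate for CVE-2020-35654 (added example, not advisory or Pillow code).

Two checks an upload handler can apply before calling into Pillow:
  1. Is the installed Pillow in the affected range (< 8.1.0)?
  2. Does the uploaded blob look like a TIFF (the file type TiffDecode handles)?
If both hold, the upload is refused instead of being decoded.
"""
import re
from typing import Optional

FIXED_VERSION = (8, 1, 0)  # first release containing the fix, per the advisory

# TIFF files start with a byte-order mark followed by the magic number 42:
#   b"II*\x00" = little-endian, b"MM\x00*" = big-endian
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def parse_version(version: str) -> tuple:
    """Turn '8.0.1', '8.1.0.post1' or '7.2' into a comparable 3-tuple of ints."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break  # stop at the first non-numeric component (e.g. 'post1')
        parts.append(int(m.group()))
    while len(parts) < 3:  # pad so (8, 1) compares like (8, 1, 0)
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version: str) -> bool:
    """True for any Pillow release before 8.1.0 (the affected range)."""
    return parse_version(version) < FIXED_VERSION


def is_tiff(data: bytes) -> bool:
    """Magic-byte sniff; the extension is attacker-controlled and not trusted."""
    return data[:4] in TIFF_MAGICS


def should_accept_upload(data: bytes, pillow_version: str) -> bool:
    """Refuse TIFF input while the installed Pillow is in the affected range.

    Non-TIFF input is outside this CVE and is passed through; a fixed Pillow
    accepts everything here (subject to whatever other checks the app applies).
    """
    if is_tiff(data) and is_vulnerable_version(pillow_version):
        return False
    return True


def installed_pillow_version() -> Optional[str]:
    """Version string of the Pillow importable here, or None if it is absent."""
    try:
        import PIL  # imported lazily so the checks above work without Pillow
        return PIL.__version__
    except ImportError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs: a minimal little-endian TIFF header and a PNG header.
    tiff_blob = b"II*\x00\x08\x00\x00\x00"
    png_blob = b"\x89PNG\r\n\x1a\n"
    for ver in ("8.0.1", "8.1.0"):
        print(ver, "tiff accepted:", should_accept_upload(tiff_blob, ver),
              "png accepted:", should_accept_upload(png_blob, ver))
    print("installed Pillow:", installed_pillow_version())
```

The TIFF gate is a stopgap for the window between discovering a vulnerable version and deploying the 8.1.0 upgrade; once `installed_pillow_version()` reports 8.1.0 or later the gate passes TIFF through unchanged.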
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ
- https://github.com/advisories/GHSA-vqcj-wrf2-7v73
- https://github.com/python-pillow/Pillow/commit/eb8c1206d6b170d4e798a00db7432e023853da5c
- https://pillow.readthedocs.io/en/stable/releasenotes/index.html
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-70.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD
- https://nvd.nist.gov/vuln/detail/CVE-2020-35654
- https://osv.dev/vulnerability/GHSA-vqcj-wrf2-7v73
- https://github.com/python-pillow/Pillow
What are Similar Vulnerabilities to CVE-2020-35654?
Similar Vulnerabilities: CVE-2021-25289, CVE-2020-10379, CVE-2020-10177, CVE-2021-34552, CVE-2018-19605
