CVE-2020-35655
Buffer Over-read vulnerability in pillow (PyPI)

Status: Buffer Over-read; no known exploit; fixable by Resolved Security

What is CVE-2020-35655 About?

This vulnerability in Pillow's SGIRleDecode component allows a 4-byte buffer over-read when decoding crafted SGI RLE image files. This flaw occurs due to mishandled offsets and length tables, potentially leading to denial of service or information disclosure. Exploitation requires providing a specially malformed SGI RLE file and is moderately complex.

Affected Software

pillow >=4.3.0, <8.1.0

Technical Details

The vulnerability lies within the SGIRleDecode component of Pillow, which is responsible for decoding SGI RLE (Run-Length Encoded) image files. An attacker can craft a malicious SGI RLE image file where the internal offsets and length tables are manipulated. When Pillow attempts to decode this file, these mishandled tables cause the SGIRleDecode function to read 4 bytes beyond the allocated buffer. This 'buffer over-read' can lead to application crashes (denial of service). In some scenarios, it might also lead to the disclosure of 4 bytes of data from adjacent memory regions, which could contain sensitive information or memory layout details, potentially aiding further exploitation attempts such as bypassing Address Space Layout Randomization (ASLR).
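The following Python script is an added illustration of the defensive side of the description above; it is not code from Pillow or from Resolved Security. It pre-screens an SGI file's RLE offset and length tables against the actual file size before the file is handed to any decoder, and it checks a Pillow version string against the affected range stated in this advisory. The header layout it relies on (a 512-byte big-endian header, storage byte 1 meaning RLE, then an offset table followed by a length table of ysize*zsize 32-bit entries each) is the published SGI image format; the function names, the sample files and the particular checks are this example's own and approximate the kind of bounds validation the fix needs rather than reproducing Pillow's patch.

```python
import struct

SGI_MAGIC = 0x01DA        # first two bytes of every SGI image
SGI_HEADER_LEN = 512      # fixed header size in the SGI format
STORAGE_RLE = 1           # storage byte value meaning run-length encoded

# Affected range as stated in the advisory: >=4.3.0, <8.1.0
AFFECTED_RANGE = ((4, 3, 0), (8, 1, 0))


def pillow_is_affected(version):
    """Return True if a Pillow version string falls inside the affected range."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))   # pad e.g. "8.1" to (8, 1, 0)
    return AFFECTED_RANGE[0] <= parts < AFFECTED_RANGE[1]


def parse_sgi_header(data):
    """Pull the fields the table check needs out of the 512-byte SGI header."""
    if len(data) < SGI_HEADER_LEN:
        raise ValueError("file shorter than the 512-byte SGI header")
    fields = struct.unpack(">HBBHHHH", data[:12])
    names = ("magic", "storage", "bpc", "dimension", "xsize", "ysize", "zsize")
    return dict(zip(names, fields))


def validate_sgi_rle_tables(data):
    """Return a list of problems found in the RLE offset/length tables.

    An empty list means every row's (offset, length) pair stays inside the
    file, so a decoder trusting those tables cannot be steered past the end
    of the buffer. Hypothetical helper written for this example.
    """
    hdr = parse_sgi_header(data)
    if hdr["magic"] != SGI_MAGIC:
        return ["bad magic: not an SGI image"]
    if hdr["storage"] != STORAGE_RLE:
        return []   # uncompressed storage carries no offset/length tables
    tablen = hdr["ysize"] * hdr["zsize"]
    if tablen == 0:
        return ["zero-sized image: empty offset/length tables"]
    tables_end = SGI_HEADER_LEN + 2 * 4 * tablen
    if len(data) < tables_end:
        return [f"offset/length tables ({tablen} rows) extend past end of file"]
    fmt = ">%dI" % tablen
    starts = struct.unpack(fmt, data[SGI_HEADER_LEN:SGI_HEADER_LEN + 4 * tablen])
    lengths = struct.unpack(fmt, data[SGI_HEADER_LEN + 4 * tablen:tables_end])
    problems = []
    for row, (start, length) in enumerate(zip(starts, lengths)):
        if start < SGI_HEADER_LEN:
            problems.append(f"row {row}: offset {start} points into the header")
        elif start + length > len(data):
            problems.append(f"row {row}: offset {start} + length {length} "
                            f"exceeds file size {len(data)}")
    return problems


def build_sgi_rle(xsize, ysize, zsize, starttab, lengthtab, payload):
    """Assemble a minimal one-channel, 1-byte-per-pixel SGI RLE file (constructed test data)."""
    header = struct.pack(">HBBHHHHiii", SGI_MAGIC, STORAGE_RLE, 1, 3,
                         xsize, ysize, zsize, 0, 255, 0)
    header += b"sample".ljust(80, b"\0") + struct.pack(">i", 0)
    header = header.ljust(SGI_HEADER_LEN, b"\0")
    tablen = ysize * zsize
    tables = struct.pack(">%dI" % tablen, *starttab)
    tables += struct.pack(">%dI" % tablen, *lengthtab)
    return header + tables + payload


# Constructed RLE row: 0x82 = literal run of 2 pixels, two pixel bytes, 0x00 terminator
ROW_PAYLOAD = bytes([0x82, 10, 10, 0x00])
# Well-formed file: tables end at 520, the row starts there and is 4 bytes long
GOOD = build_sgi_rle(2, 1, 1, [520], [4], ROW_PAYLOAD)
# Malformed files: a length that runs past the end, and an offset inside the header
BAD_LENGTH = build_sgi_rle(2, 1, 1, [520], [64], ROW_PAYLOAD)
BAD_OFFSET = build_sgi_rle(2, 1, 1, [100], [4], ROW_PAYLOAD)

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD_LENGTH", BAD_LENGTH), ("BAD_OFFSET", BAD_OFFSET)):
        print(name, validate_sgi_rle_tables(blob) or "tables consistent with file size")
    print("Pillow 8.0.1 affected:", pillow_is_affected("8.0.1"))
```

The screen only rejects files whose tables cannot be honoured within the file's own length; it is a cheap gate for an upload handler, not a substitute for upgrading to 8.1.0, where the decoder itself performs the bounds checks.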

What is the Impact of CVE-2020-35655?

Successful exploitation may allow attackers to cause application crashes, resulting in a denial of service, or potentially facilitate information disclosure.

What is the Exploitability of CVE-2020-35655?

Exploitation complexity is moderate, as it requires the careful creation of a malformed SGI RLE image file to trigger the specific buffer over-read. No authentication or elevated privileges are necessary. The vulnerability can be exploited remotely if the target application processes untrusted SGI RLE image files, for example, via image submission features. The main prerequisite is that the target system uses a vulnerable version of Pillow and processes such image types. Systems handling user-generated or external SGI RLE images are particularly susceptible, especially if their input validation is insufficient to detect the crafted file structure.

What are the Known Public Exploits?

No known public exploits are listed (PoC, author, link, commentary: none).

What are the Available Fixes for CVE-2020-35655?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • pillow
    • >=4.3.0, <8.1.0 → Upgrade to 8.1.0


Additional Resources

What are Similar Vulnerabilities to CVE-2020-35655?

Similar Vulnerabilities: CVE-2021-25287, CVE-2020-10378, CVE-2021-25288, CVE-2020-10994, CVE-2018-19702