CVE-2021-25289
Heap-based Buffer Overflow vulnerability in pillow (PyPI)

Type: Heap-based Buffer Overflow | Known public exploits: none

What is CVE-2021-25289 About?

This vulnerability is a heap-based buffer overflow in `TiffDecode` in Pillow before 8.1.1, triggered when decoding crafted YCbCr TIFF files because of interpretation conflicts with LibTIFF in RGBA mode. It can lead to a crash (denial of service) or, with a carefully shaped file, arbitrary code execution. The issue exists because the fix for CVE-2020-35654, an earlier flaw in the same code path, was incomplete.

Affected Software

pillow <8.1.1

Technical Details

The vulnerability is a heap-based buffer overflow in Pillow's TiffDecode component, affecting versions before 8.1.1. It is triggered when opening and decoding a specially crafted YCbCr TIFF file. The root cause is a mismatch between what Pillow expects and what LibTIFF actually does in RGBA mode: Pillow sizes and fills its destination buffer according to its own interpretation of the image, while LibTIFF's RGBA path writes according to another, so the decode can write past the end of the heap allocation. The issue exists because the fix shipped for CVE-2020-35654 in 8.1.0 did not fully close this code path; 8.1.1 completes it. An attacker who can get a malformed TIFF decoded by a vulnerable Pillow can overwrite adjacent heap memory, which at minimum crashes the process and, depending on what is overwritten, may allow arbitrary code execution.

What is the Impact of CVE-2021-25289?

Successful exploitation corrupts heap memory in the process that decodes the image. The reliable outcome is a crash (denial of service); depending on what sits beyond the overflowed buffer, an attacker may also be able to disclose process memory or achieve arbitrary code execution.

What is the Exploitability of CVE-2021-25289?

Exploitation requires getting a crafted YCbCr TIFF file decoded by a vulnerable Pillow. Causing a crash is comparatively easy; turning the overflow into reliable code execution is hard, because the attacker must understand both the specific Pillow/LibTIFF interpretation conflict and the heap layout of the target process. No authentication or privileged access is needed: any application that opens untrusted image files with Pillow (upload handlers, thumbnailers, document converters, mail and chat gateways) exposes a remote attack surface. Because this is an incomplete fix for CVE-2020-35654, research and test files from the earlier issue give attackers a head start. The highest-risk deployments are those that automatically process or render user-submitted TIFF files.

What are the Known Public Exploits?

No known public exploits are listed (no PoC, author, link or commentary on record).

What are the Available Fixes for CVE-2021-25289?

Available Upgrade Options

  • pillow
    • <8.1.1 → Upgrade to 8.1.1
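The upgrade above is the fix. Where the upgrade cannot be rolled out immediately, the interim control a practitioner usually wants at the ingestion boundary is the one below: decide whether the deployed Pillow is in the affected range (`< 8.1.1`) and, if so, refuse TIFF files whose PhotometricInterpretation tag (262) says YCbCr (value 6) before they ever reach `TiffDecode`. This is an added example written for this page, not Pillow project code; the minimal TIFF blobs it builds are constructed here for demonstration and are not real samples. It only needs the standard library, so it also runs where Pillow is not installed.

```python
"""Pre-filter for TIFF input while a Pillow < 8.1.1 is still deployed.

Added example, not Pillow project code. Two parts:
  1. is_affected(): is the given Pillow version inside the affected range?
  2. tiff_photometric(): read PhotometricInterpretation (tag 262) from the
     first IFD without decoding any pixels, with bounds checks on every offset.
The TIFF bytes produced by build_minimal_tiff() are constructed here.
"""
import re
import struct
from importlib import metadata

FIXED_VERSION = (8, 1, 1)       # first release containing the complete fix
TAG_PHOTOMETRIC = 262
PHOTOMETRIC_YCBCR = 6
TYPE_SHORT, TYPE_LONG = 3, 4


def parse_version(text):
    """Release segment of a PEP 440 version as a 3-tuple: '8.1' -> (8, 1, 0).
    Pre-release suffixes are dropped, so '8.1.1rc1' compares equal to 8.1.1;
    if you deploy pre-releases, use packaging.version instead."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version):
    """True for every Pillow release before 8.1.1."""
    return parse_version(version) < FIXED_VERSION


def installed_pillow_version():
    """Installed Pillow version string, or None if Pillow is not installed."""
    try:
        return metadata.version("Pillow")
    except metadata.PackageNotFoundError:
        return None


def tiff_photometric(data):
    """PhotometricInterpretation from the first IFD, or None if the tag is absent.
    Raises ValueError instead of trusting any offset that leaves the buffer."""
    if len(data) < 8:
        raise ValueError("truncated TIFF header")
    if data[:2] == b"II":
        e = "<"                     # little-endian file
    elif data[:2] == b"MM":
        e = ">"                     # big-endian file
    else:
        raise ValueError("not a TIFF: bad byte-order mark")
    magic, ifd_off = struct.unpack(e + "HI", data[2:8])
    if magic != 42:
        raise ValueError("not a classic TIFF (magic != 42)")
    if ifd_off + 2 > len(data):
        raise ValueError("first IFD offset outside file")
    (count,) = struct.unpack(e + "H", data[ifd_off:ifd_off + 2])
    entries_off = ifd_off + 2
    if entries_off + 12 * count > len(data):
        raise ValueError("IFD entries run past end of file")
    for i in range(count):
        off = entries_off + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", data[off:off + 8])
        if tag != TAG_PHOTOMETRIC:
            continue
        if n != 1 or typ not in (TYPE_SHORT, TYPE_LONG):
            raise ValueError("unexpected shape for PhotometricInterpretation")
        # Values of 4 bytes or less are stored inline, left-justified in file byte order.
        if typ == TYPE_SHORT:
            (value,) = struct.unpack(e + "H", data[off + 8:off + 10])
        else:
            (value,) = struct.unpack(e + "I", data[off + 8:off + 12])
        return value
    return None


def should_reject(data, pillow_version):
    """Refuse YCbCr TIFFs only while the deployed Pillow is still vulnerable."""
    if pillow_version is None or not is_affected(pillow_version):
        return False
    return tiff_photometric(data) == PHOTOMETRIC_YCBCR


def build_minimal_tiff(photometric, byte_order="II"):
    """Constructed 1x1 single-strip TIFF carrying the given PhotometricInterpretation.
    Enough structure for the tag probe above; not a fully conformant image."""
    e = "<" if byte_order == "II" else ">"
    n_entries = 6
    pixel_off = 8 + 2 + 12 * n_entries + 4   # header + count + entries + next-IFD pointer

    def short(tag, v):
        return struct.pack(e + "HHI", tag, TYPE_SHORT, 1) + struct.pack(e + "H", v) + b"\0\0"

    def long_(tag, v):
        return struct.pack(e + "HHII", tag, TYPE_LONG, 1, v)

    entries = [short(256, 1), short(257, 1), short(262, photometric),
               long_(273, pixel_off), short(278, 1), long_(279, 3)]   # tags ascending
    header = byte_order.encode() + struct.pack(e + "HI", 42, 8)
    ifd = struct.pack(e + "H", n_entries) + b"".join(entries) + struct.pack(e + "I", 0)
    return header + ifd + b"\x80\x80\x80"


if __name__ == "__main__":
    deployed = installed_pillow_version() or "8.1.0"   # assume a vulnerable version if none installed
    for label, blob in (("ycbcr", build_minimal_tiff(6)), ("rgb", build_minimal_tiff(2, "MM"))):
        print(label, "photometric =", tiff_photometric(blob),
              "reject on Pillow", deployed, "=", should_reject(blob, deployed))
```

Treat the filter as a stopgap only: it blocks the one trigger this advisory describes, not other malformed-TIFF bugs, and a decoder crash inside a worker is still a denial of service, so keep image decoding in an isolated, resource-limited process and finish the upgrade.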


Additional Resources

What are Similar Vulnerabilities to CVE-2021-25289?

Similar Vulnerabilities: CVE-2020-35654 (the earlier Pillow TiffDecode overflow whose incomplete fix led to this issue), CVE-2020-10379, CVE-2021-34552, CVE-2020-10177, CVE-2018-19605