CVE-2021-25290
Negative-offset memcpy with Invalid Size vulnerability in pillow (PyPI)
What is CVE-2021-25290 About?
This vulnerability resides in Pillow before 8.1.1, specifically in `TiffDecode.c`, involving a negative-offset `memcpy` with an invalid size. This flaw can lead to out-of-bounds memory access, resulting in denial of service or information disclosure. Exploitation requires a specially crafted TIFF file and has moderate complexity.
Affected Software
Technical Details
The vulnerability occurs in TiffDecode.c within Pillow when processing TIFF images. It is characterized by a memcpy operation that attempts to copy data using a negative offset and/or an invalid size parameter. This indicates a miscalculation in memory indexing or buffer length determination. A negative offset memcpy can cause the memory operation to write or read before the start of an allocated buffer, leading to an out-of-bounds access. An attacker could craft a TIFF file such that when it's decoded, this flawed memcpy is triggered, resulting in memory corruption, application crashes (denial of service), or unintended information disclosure from adjacent memory regions.
What is the Impact of CVE-2021-25290?
Successful exploitation may allow attackers to cause a denial of service by crashing the application or disclose sensitive information from unintended memory locations.
What is the Exploitability of CVE-2021-25290?
Exploitation involves supplying a malicious TIFF image file to an application that uses a vulnerable Pillow version. The complexity is moderate, as it requires an understanding of how TIFF headers and data are parsed, and how to trigger the specific negative-offset memcpy call. No authentication or privilege is needed; thus, it presents a remote attack vector if the target accepts untrusted TIFF files. The primary risk factor is the automatic processing of user-supplied image data. Special conditions include precise manipulation of TIFF file structures to induce the erroneous offset or size calculation during the memcpy operation, which can be challenging to achieve consistently for exploit reliability.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-25290?
Available Upgrade Options
- pillow
- <8.1.1 → Upgrade to 8.1.1
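The upgrade guidance above reduces to one check: is the installed Pillow older than 8.1.1? The following is an added example (not part of this advisory or of the Pillow project) that parses a Pillow version string and reports whether it falls in the affected range, treating pre-release builds of 8.1.1 conservatively as affected. The function names `parse_version`, `is_affected` and `installed_pillow_status` are assumptions chosen for this example.

```python
"""Check a Pillow version string against the CVE-2021-25290 fixed release.

Added example; not code from the advisory or from Pillow. The only fact taken
from the advisory is the fixed version (8.1.1). Helper names are assumptions.
"""
import re

# First release that carries the fix, as stated in the advisory.
FIXED_VERSION = (8, 1, 1)

# Leading dotted integers, then whatever suffix follows ("rc1", ".dev0", "post1").
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(.*)$")


def parse_version(version: str) -> tuple:
    """Split a version string into (numeric_tuple, suffix).

    The numeric part is padded to three components so "8.1" compares as 8.1.0.
    The suffix keeps any pre-/post-release marker with leading dots removed.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numeric = tuple(int(p) for p in m.group(1).split("."))
    if len(numeric) < 3:
        numeric = numeric + (0,) * (3 - len(numeric))
    suffix = m.group(2).strip().lstrip(".")
    return numeric, suffix


def is_affected(version: str) -> bool:
    """True if `version` is older than 8.1.1.

    Anything numerically below 8.1.1 is affected. A pre-release of 8.1.1 itself
    (alpha, beta, rc, dev) is also reported as affected, since the advisory only
    names the final 8.1.1 release as fixed; post-releases of 8.1.1 are not.
    """
    numeric, suffix = parse_version(version)
    if numeric < FIXED_VERSION:
        return True
    if numeric == FIXED_VERSION and suffix.lower().startswith(("a", "b", "rc", "dev")):
        return True
    return False


def installed_pillow_status() -> dict:
    """Report the locally installed Pillow version and whether it is affected.

    Returns {"installed": False} when Pillow cannot be imported, so the check
    can run in environments that do not have Pillow at all.
    """
    try:
        import PIL  # Pillow exposes its version as PIL.__version__
    except ImportError:
        return {"installed": False}
    version = getattr(PIL, "__version__", None)
    if version is None:
        return {"installed": True, "version": None, "affected": None}
    return {"installed": True, "version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    status = installed_pillow_status()
    if not status["installed"]:
        print("Pillow is not installed in this environment")
    elif status["affected"]:
        print(f"Pillow {status['version']} is affected by CVE-2021-25290; upgrade to >= 8.1.1")
    else:
        print(f"Pillow {status['version']} is not in the affected range")
```

Run the module directly to check the current interpreter's Pillow, or call `is_affected()` from an inventory script over the version strings reported by your package manager or SBOM.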
Additional Resources
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
- https://github.com/advisories/GHSA-8xjq-8fcg-g5hw
- https://github.com/python-pillow/Pillow/commit/e25be1e33dc526bfd1094bc778a54d8e29bf66c9
- https://osv.dev/vulnerability/PYSEC-2021-36
- https://nvd.nist.gov/vuln/detail/CVE-2021-25290
- https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html
- https://github.com/python-pillow/Pillow/commit/86f02f7c70862a0954bfe8133736d352db978eaa
- https://security.gentoo.org/glsa/202107-33
What are Similar Vulnerabilities to CVE-2021-25290?
Similar Vulnerabilities: CVE-2021-25293, CVE-2020-10177, CVE-2019-17546, CVE-2019-14493, CVE-2018-19605
