CVE-2021-34552
Buffer Overflow vulnerability in pillow (PyPI)

Buffer Overflow | No known exploit

What is CVE-2021-34552 About?

Pillow through 8.2.0 and PIL through 1.1.7 contain a buffer overflow in `Convert.c` via controlled parameters to a `convert` function. This can lead to denial of service or arbitrary code execution, and exploitation difficulty is moderate, requiring crafted input.

Affected Software

pillow <8.3.0

Technical Details

The vulnerability in Pillow (through 8.2.0) and PIL (through 1.1.7) is a buffer overflow located in the Convert.c module. An attacker can leverage this flaw by passing specially crafted and controlled parameters directly into a convert function. These parameters, when improperly validated or handled, cause the function to write data beyond the allocated buffer memory. This memory corruption can lead to application crashes, effecting a denial of service (DoS), or, if the attacker can precisely control the overwritten data, it could potentially enable arbitrary code execution by corrupting critical program control structures or data pointers.

What is the Impact of CVE-2021-34552?

Successful exploitation may allow attackers to achieve arbitrary code execution, leading to full system compromise, or cause a denial of service by crashing the application.

What is the Exploitability of CVE-2021-34552?

Exploitation involves supplying malformed input parameters to a convert function within a vulnerable Pillow or PIL application. The complexity is moderate, as it requires knowledge of the convert function's expected parameter types and how to craft inputs that trigger the overflow without immediately crashing the program in an unexploitable way. Authentication is generally not required if the conversion process accepts unauthenticated input, making it a remote attack vector. Privilege levels would match that of the running application. The primary risk factor is any application that exposes image conversion functionalities to untrusted users or processes untrusted image data. Special conditions include precise manipulation of input parameters to achieve a controlled buffer overflow, which is a non-trivial task for reliable code execution.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2021-34552?

Available Upgrade Options

  • pillow
    • <8.3.0 → Upgrade to 8.3.0
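
To apply the affected range above (pillow <8.3.0), the following added example, which is not part of the original advisory or of the Pillow project, audits a requirements file for Pillow pins and classifies the Pillow installed in the current interpreter. The sample requirements text, the function names and the `review` status are assumptions made for illustration; only the `pillow` distribution is checked, not the legacy `PIL` package.

```python
import re
from importlib import metadata

FIXED = (8, 3, 0)  # first fixed Pillow release listed in this advisory

# Constructed sample requirements file (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
# web tier
Pillow==8.2.0
requests==2.31.0
pillow==8.3.0 ; python_version >= "3.8"
PILLOW>=7.0
pillow==6.2.2  # legacy worker
"""

LINE_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?(?P<spec>[^;#]*)")

def classify(version_text):
    """Map a version string to 'affected', 'fixed' or 'review' (not plain X.Y.Z)."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", version_text.strip()):
        return "review"  # pre-release, wildcard, etc.: check by hand
    parts = tuple(int(p) for p in version_text.strip().split("."))
    parts += (0,) * (3 - len(parts))
    return "affected" if parts < FIXED else "fixed"

def audit_requirements(text):
    """Return (line_no, requirement, status) for every Pillow entry in text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw)
        # PyPI names compare case-insensitively with -, _ and . treated alike.
        if not m or re.sub(r"[-_.]+", "-", m.group("name")).lower() != "pillow":
            continue
        pin = re.fullmatch(r"===?\s*([^,\s]+)", m.group("spec").strip())
        # Ranges and bare names are not pins: the resolved version decides.
        status = classify(pin.group(1)) if pin else "review"
        findings.append((no, raw.split("#")[0].strip(), status))
    return findings

def installed_status():
    """Classify the Pillow actually installed in this interpreter, if any."""
    try:
        return classify(metadata.version("Pillow"))
    except metadata.PackageNotFoundError:
        return "not installed"

if __name__ == "__main__":
    for no, req, status in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {no}: {req!r} -> {status}")
    print("installed Pillow:", installed_status())
```

Entries reported as `review` are version ranges or non-numeric pins, so the version that actually resolves (for example in a lock file) has to be checked separately.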

Additional Resources

What are Similar Vulnerabilities to CVE-2021-34552?

Similar Vulnerabilities: CVE-2020-10379, CVE-2020-35654, CVE-2021-25289, CVE-2020-10177, CVE-2018-19605