Vulnerabilities: 1 via 2 paths

Dependencies: 25

Source: GitHub

Commit: 7319eb37


Severity: critical (status: new)

Heap-based Buffer Overflow

  • Vulnerable module: pillow
  • Introduced through: pillow@9.5.0 and matplotlib@3.5.3

Detailed paths

  • Introduced through: TheGroundZero/openvasreporting@TheGroundZero/openvasreporting#7319eb37e2653a6f8725236dd79de97c4e6d9827 pillow@9.5.0
    Remediation: Upgrade to pillow@10.0.1.
  • Introduced through: TheGroundZero/openvasreporting@TheGroundZero/openvasreporting#7319eb37e2653a6f8725236dd79de97c4e6d9827 matplotlib@3.5.3 pillow@9.5.0
    Remediation: Upgrade to matplotlib@3.5.3.

Overview

Pillow is a PIL (Python Imaging Library) fork.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow when the ReadHuffmanCodes() function is used. An attacker can craft a special WebP lossless file that causes ReadHuffmanCodes() to allocate the HuffmanCode buffer with a size taken from an array of precomputed sizes, kTableSize; the color_cache_bits value selects which size is used. The kTableSize array only accounts for the sizes of 8-bit first-level table lookups, not second-level table lookups, yet libwebp allows codes of up to 15 bits (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may therefore write data out of bounds. The out-of-bounds write into the undersized array happens in ReplicateValue().

Notes:

This is only exploitable if the color_cache_bits value defines which size to use.

This vulnerability was also published against libwebp as CVE-2023-5129.

Changelog:

  • 2023-09-12: Initial advisory publication
  • 2023-09-27: Advisory details updated, including CVSS and references
  • 2023-09-27: CVE-2023-5129 rejected as a duplicate of CVE-2023-4863

Remediation

Upgrade Pillow to version 10.0.1 or higher.

References