CVE-2016-2533 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Pillow

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write13 documents8 sources

Severity

6.5MEDIUMNVD

OSV5.0

EPSS

2.2%

top 15.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Pillow Python Imaging Project Python Imaging Debian Linux

Timeline

PublishedApr 13

Latest updateJul 24

Description

Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶PyPIpython/pillow< 3.1.1

▶Debianpython/pillow< 3.1.1-1+3

▶Ubuntupython/pillow< 2.3.0-1ubuntu3.3+1

▶NVDpython/pillow3.1.0

▶NVDpython_imaging_project/python_imaging1.1.7

Also affects: Debian Linux 7.0, 8.0

🔴Vulnerability Details

OSV

Pillow buffer overflow in ImagingPcdDecode↗2018-07-24

▶

GHSA

Pillow buffer overflow in ImagingPcdDecode↗2018-07-24

▶

OSV

Pillow regression↗2016-09-30

▶

OSV

Pillow vulnerabilities↗2016-09-27

▶

CVEList

CVE-2016-2533: Buffer overflow in the ImagingPcdDecode function in PcdDecode↗2016-04-13

▶

📋Vendor Advisories

Ubuntu

Pillow regresssion↗2016-09-30

▶

Ubuntu

Pillow vulnerabilities↗2016-09-27

▶

Ubuntu

Python Imaging Library vulnerabilities↗2016-09-15

▶

Debian

CVE-2016-2533: pillow - Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before...↗2016

▶

Red Hat

python-pillow: Buffer overflow in PCD decoding↗2014-03-24

▶

💬Community

Bugzilla

CVE-2016-2533 python-pillow: Buffer overflow in PCD decoding↗2016-02-03

▶