CVE-2016-9189 — Integer Overflow or Wraparound in Pillow

CWE-190 — Integer Overflow or Wraparound11 documents8 sources

Severity

5.5MEDIUMNVD

OSV5.0

EPSS

0.4%

top 41.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Pillow Debian Linux

Timeline

PublishedNov 4

Latest updateJul 24

Description

Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶PyPIpython/pillow< 3.3.2

▶Debianpython/pillow< 3.4.2-1+3

▶Ubuntupython/pillow< 2.3.0-1ubuntu3.4+1

▶NVDpython/pillow3.3.1

Also affects: Debian Linux 8.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Pillow Integer overflow in Map.c↗2018-07-24

▶

GHSA

Pillow Integer overflow in Map.c↗2018-07-24

▶

OSV

pillow vulnerabilities↗2017-03-13

▶

CVEList

CVE-2016-9189: Pillow before 3↗2016-11-04

▶

OSV

CVE-2016-9189: Pillow before 3↗2016-11-04

▶

📋Vendor Advisories

Ubuntu

Pillow vulnerabilities↗2017-03-13

▶

Ubuntu

Python Imaging Library vulnerabilities↗2017-03-13

▶

Red Hat

python-pillow: Integer overflows leading to memory disclosure in PyImaging_MapBuffer (Map.c)↗2016-10-03

▶

Debian

CVE-2016-9189: pillow - Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive infor...↗2016

▶

💬Community

Bugzilla

CVE-2016-9189 python-pillow: Integer overflows leading to memory disclosure in PyImaging_MapBuffer (Map.c)↗2016-10-05

▶