rgbimg and imageop overflows

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo() method, and unspecified other vectors related to (2) imageop.c, (3) rgbimgmodule.c, and other files, which trigger heap-based buffer overflows.

Reported again by Marc Schoenefeld in the Red Hat bugzilla on 2009-11-26.

Dates:

  • Disclosure date: 2007-09-16 (full-disclosure email)
  • Reported by: Slythers Bro (on the full-disclosure mailing list)

Fixed In

Python issue

[CVE-2007-4965] Integer overflow in imageop module.

  • Python issue: bpo-1179
  • Creation date: 2007-09-19
  • Reporter: Ismail Donmez

CVE-2007-4965

Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rgbimgmodule.c, and other files, which trigger heap-based buffer overflows.
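The bug class this CVE names, as an added example that is not code from imageop.c or from the Python fix: when the expected image size is computed in 32-bit arithmetic, the product can wrap, so a short buffer passes the length check for very large dimensions. The function names, the 4 bytes per pixel and the sample dimensions are assumptions; unsigned 32-bit arithmetic is used to model the wrap with defined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flawed pattern (hypothetical helper): the expected length is computed in
   32-bit arithmetic, so width * height * bpp can wrap to a small value. */
int length_ok_unchecked(int width, int height, int bpp, size_t buf_len)
{
    uint32_t expected = (uint32_t)width * (uint32_t)height * (uint32_t)bpp;
    return buf_len == expected;
}

/* Bytes a per-pixel loop would really touch, computed in 64 bits.
   Only meaningful for positive inputs. */
uint64_t true_size(int width, int height, int bpp)
{
    return (uint64_t)width * (uint64_t)height * (uint64_t)bpp;
}

/* Hardened pattern (hypothetical helper): reject non-positive values and
   prove each multiplication cannot overflow before performing it. */
int length_ok_checked(int width, int height, int bpp, size_t buf_len)
{
    if (width <= 0 || height <= 0 || bpp <= 0)
        return 0;
    size_t w = (size_t)width, h = (size_t)height, b = (size_t)bpp;
    if (w > SIZE_MAX / h)
        return 0;                 /* w * h would overflow size_t */
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / b)
        return 0;                 /* pixels * b would overflow size_t */
    return buf_len == pixels * b;
}

int main(void)
{
    /* Constructed sample: 65537 x 65536 at 4 bytes per pixel is
       2^34 + 2^18 bytes, which wraps to 2^18 = 262144 in 32 bits. */
    int w = 65537, h = 65536, bpp = 4;
    size_t buf_len = 262144;
    printf("unchecked accepts: %d\n", length_ok_unchecked(w, h, bpp, buf_len));
    printf("checked accepts:   %d\n", length_ok_checked(w, h, bpp, buf_len));
    printf("bytes a pixel loop would touch: %llu (buffer holds %zu)\n",
           (unsigned long long)true_size(w, h, bpp), buf_len);
    return 0;
}
```

Once the wrapped check passes, any loop bounded by width and height runs far past the allocated buffer, which is the heap-based overflow the description refers to.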

CVE-2009-4134

Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service (application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an invalid pointer dereference.

CVE-2010-1449

Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12.

CVE-2010-1450

Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function.

Timeline

Timeline using the disclosure date 2007-09-16 as reference:

  • 2007-09-16: Disclosure date (full-disclosure email)
  • 2007-09-18 (+2 days): CVE-2007-4965 published
  • 2007-09-19 (+3 days): Python issue bpo-1179 reported by Ismail Donmez
  • 2008-08-19 (+338 days): commit 4df1b6d (branch 2.5)
  • 2008-08-19 (+338 days): commit 93ebfb1 (branch 2.6)
  • 2008-10-01: Python 2.6.0 released
  • 2008-12-19 (+460 days): Python 2.5.3 released
  • 2010-05-27 (+984 days): CVE-2009-4134 published
  • 2010-05-27 (+984 days): CVE-2010-1449 published
  • 2010-05-27 (+984 days): CVE-2010-1450 published