Multiple memory corruption vulnerabilities

[cneckar]

While performing a security assessment for a client, we identified a number of potential memory corruption vulnerabilities within the native extensions included with Pillow. Given that these vulnerabilities may currently expose exploitable conditions within our client's environment, we would like to report the details privately.

Could a project member please limit the visibility of this issue so that it is not available to the public?

Alternatively, we can provide vulnerability details via e-mail if that is preferable.

Thank you,
Cris Neckar
Divergent Security

[hugovk]

Hi Cris,

Thanks for getting in touch. We can't make this issue private, but please email [email protected]

https://github.com/python-pillow/Pillow/blob/master/.github/CONTRIBUTING.md#security-vulnerabilities

Edit: you can also email [email protected] (#1713 (comment))

[cneckar]

@hugovk, thanks for the info. I will send details today.

[wiredfool]

Security@ is better, since it skips the step of @aclark4life forwarding it to me.

[cneckar]

@wiredfool [email protected] correct?

[wiredfool]

I was going to say yes, but apparently it's not doing that right now.

[aclark4life]

Should be working, check your spam folder? I'll forward just in case.

[aclark4life]

Oh, I think see what happened: I forgot I had to maintain a [email protected] group in Google Apps; since python-pillow.org is a domain alias for aclark.net, mail sent to [email protected] is delivered to [email protected]. When I recently removed that group, I still got the security mail because I receive all mail via catch-all. I think I fixed it, will send another test. I've also marked the group "Pillow Security" for future forgetfulness-proofing.

[cneckar]

Just wanted to follow-up quickly and make sure that all of the details got
to the right people. Is there anything else that you need from us?

We are also more than happy to help in any way we can.

Thanks!
Cris Neckar
Divergent Security, LLC

On Wed, Sep 7, 2016 at 4:43 AM, Alex Clark [email protected] wrote:

Oh, I think see what happened: I forgot I had to maintain a
[email protected] group in Google Apps; since python-pillow.org is a
domain alias for aclark.net, mail sent to [email protected] is
delivered to [email protected]. When I recently removed that group, I
still got the security mail because I receive all mail via catch-all. I
think I fixed it, will send another test. I've also marked the group
"Pillow Security" for future forgetfulness-proofing.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#2105 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AKwLDg5LQ4mzCQwBobO8nYRwe7hp89mXks5qnqNegaJpZM4J2F1X
.

[wiredfool]

Yep, I've got it, we'll definitely have something by the next release, scheduled for Oct 1. I'll probably issue a source only point release for 3.3.x as well.

[cneckar]

Perfect! Thanks for the update.

On Tue, Sep 20, 2016 at 9:27 AM, wiredfool [email protected] wrote:

Yep, I've got it, we'll definitely have something by the next release,
scheduled for Oct 1. I'll probably issue a source only point release for
3.3.x as well.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#2105 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AKwLDtltSIxokunOBU6l7kii_YyavOpfks5qsAmAgaJpZM4J2F1X
.

[homm]

Fixed and released, right?

[wiredfool]

Yep, in both 3.4.0 and 3.3.2

[hugovk]

For future reference, here's the PR: #2146