Fluid Attacks Database

Description

Pillow Integer overflow in Map.c Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pillow	>=0 <3.3.2	3.3.2
debian 12	pillow	>=0 <3.4.2-1	3.4.2-1
debian 11	pillow	>=0 <3.4.2-1	3.4.2-1
debian 13	pillow	>=0 <3.4.2-1	3.4.2-1
debian 14	pillow	>=0 <3.4.2-1	3.4.2-1
rpm rhel6	python-imaging	-	-
rpm rhel5	python-imaging	-	-
rpm rhel7	python-pillow	-	-

Aliases

1. CVE-2016-91892. NVD-2016-91893. OSV-2016-91894. OSV-DEBIAN-2016-91895. GHSA-rwr3-c2q8-gm566. GCVE-2016-91897. security.gentoo.org8. SECURITY-TRACKER-CVE-2016-9189

References

1. https://github.com/python-pillow/Pillow/issues/21052. https://github.com/python-pillow/Pillow/pull/2146/commits/c50ebe6459a131a1ea8ca531f10da616d3ceaa0f3. https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-8.yaml4. https://github.com/python-pillow/Pillow5. http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html6. http://www.debian.org/security/2016/dsa-37107. http://www.securityfocus.com/bid/94234

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.