Vulnerability Name:

CVE-2016-0775 (CCN-112523)

Assigned:2015-12-16
Published:2015-12-16
Updated:2017-07-01
Summary:Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
6.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
5.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
6.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-119
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2016-0775

Source: DEBIAN
Type: UNKNOWN
DSA-3499

Source: XF
Type: UNKNOWN
pillow-cve20160775-bo(112523)

Source: CCN
Type: Pillow GIT Repository
3.2.0 (unreleased)

Source: CONFIRM
Type: UNKNOWN
https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst

Source: CONFIRM
Type: UNKNOWN
https://github.com/python-pillow/Pillow/commit/893a40850c2d5da41537958e40569c029a6e127b

Source: GENTOO
Type: UNKNOWN
GLSA-201612-52

Vulnerable Configuration:Configuration 1:
  • cpe:/a:python:pillow:*:*:*:*:*:*:*:* (Version <= 3.1.0)

    • Configuration 2:
  • cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:python:pillow:3.1.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20160775
    V
    		CVE-2016-0775
    2022-06-30
    oval:org.opensuse.security:def:113230
    P
    		python3-Pillow-3.4.2-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:113251
    P
    		python36-Pillow-8.3.2-1.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:113193
    P
    		python-Pillow-3.1.1-4.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:55276
    P
    		Security update for ruby2.1 (Important)
    2021-12-01
    oval:org.opensuse.security:def:58038
    P
    		Security update for qemu (Important)
    2021-11-10
    oval:org.opensuse.security:def:55959
    P
    		Security update for xen (Moderate)
    2021-10-07
    oval:org.opensuse.security:def:106648
    P
    		python3-Pillow-3.4.2-1.1 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:106663
    P
    		python36-Pillow-8.3.2-1.2 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:106614
    P
    		python-Pillow-3.1.1-4.1 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:57479
    P
    		Security update for systemd (Important)
    2021-07-21
    oval:org.opensuse.security:def:57930
    P
    		Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)
    2021-06-04
    oval:org.opensuse.security:def:56244
    P
    		Security update for gd (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:57200
    P
    		Security update for compat-openssl097g
    2020-12-01
    oval:org.opensuse.security:def:55114
    P
    		gdk-pixbuf-lang on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:58323
    P
    		Security update for xorg-x11-server (Important)
    2020-12-01
    oval:org.opensuse.security:def:56444
    P
    		Security update for libreoffice (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56556
    P
    		Security update for gdk-pixbuf (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55687
    P
    		Security update for libssh2_org (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56800
    P
    		Security update for qemu (Important)
    2020-12-01
    oval:org.opensuse.security:def:58273
    P
    		Security update for python (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:58130
    P
    		Security update for python-Pillow (Important)
    2020-12-01
    oval:org.opensuse.security:def:56962
    P
    		Security update for freerdp (Important)
    2020-12-01
    oval:org.opensuse.security:def:55113
    P
    		gd on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:58242
    P
    		Security update for sssd (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56352
    P
    		Security update for libjpeg-turbo (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:57373
    P
    		Security update for icedtea-web
    2020-12-01
    oval:org.opensuse.security:def:55136
    P
    		gstreamer-plugins-bad on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56518
    P
    		Security update for java-1_8_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:57645
    P
    		Security update for tiff (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55514
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:56799
    P
    		Security update for ucode-intel (Important)
    2020-12-01
    oval:org.opensuse.security:def:56637
    P
    		Security update for webkit2gtk3 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55793
    P
    		Security update for mariadb (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56822
    P
    		Security update for ghostscript (Important)
    2020-12-01
    oval:org.opensuse.security:def:58204
    P
    		Security update for clamav (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:58348
    P
    		Security update for qemu (Moderate)
    2020-11-29
    oval:com.ubuntu.precise:def:20160775000
    V
    		CVE-2016-0775 on Ubuntu 12.04 LTS (precise) - medium.
    2016-04-13
    oval:com.ubuntu.xenial:def:201607750000000
    V
    		CVE-2016-0775 on Ubuntu 16.04 LTS (xenial) - medium.
    2016-04-13
    oval:com.ubuntu.trusty:def:20160775000
    V
    		CVE-2016-0775 on Ubuntu 14.04 LTS (trusty) - medium.
    2016-04-13
    oval:com.ubuntu.xenial:def:20160775000
    V
    		CVE-2016-0775 on Ubuntu 16.04 LTS (xenial) - medium.
    2016-04-13
    BACK
    python pillow *
    debian debian linux 7.0
    debian debian linux 8.0
    python pillow 3.1.0