VYPR
High severity · NVD Advisory · Published Jan 12, 2021 · Updated Aug 4, 2024

CVE-2020-35654

Description

In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap buffer overflow in Pillow TiffDecode when processing crafted YCbCr TIFF images due to libtiff RGBA mode interpretation conflicts, fixed in 8.1.0.

CVE-2020-35654 is a heap-based buffer overflow vulnerability in the Pillow Python imaging library, specifically in the TiffDecode component. The root cause is a conflict in how libtiff interprets YCbCr color space data when Pillow reads strips in RGBA mode. Prior to Pillow 8.1.0, the ReadStrip function directly called libtiff's RGBA decoding for YCbCr images without properly validating the output buffer size, leading to an out-of-bounds write [1].

Exploitation requires an attacker to provide a specially crafted TIFF file with YCbCr photometric data. When Pillow attempts to decode the image, the heap buffer overflow occurs. No authentication or special network position is needed beyond convincing a user or application to process the malicious file. The attack vector is local (file-based) with low complexity [2].

The impact is a heap overflow that could corrupt adjacent memory, potentially leading to denial of service or arbitrary code execution in the context of the affected application [3]. The vulnerability is rated with a CVSS base score of 7.8 (High) [2].

The flaw was addressed in Pillow version 8.1.0. The fix rewrites the YCbCr decoding path so that the TIFF is wrapped in a TIFFRGBAImage structure, relies on libtiff's own handling of subsampling and conversion, and adds explicit size and overflow checks [1]. Users should upgrade to Pillow >= 8.1.0. Fedora and other distributions have released updated packages [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
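As an added example (not part of this advisory and not code from the Pillow project), the following Python script shows a defensive triage step a practitioner could run before handing TIFF files to a Pillow build that has not yet been upgraded: it compares an installed Pillow version string against the 8.1.0 fix version named above, and parses the TIFF header and first image file directory with the standard library only, to see whether the PhotometricInterpretation tag is set to YCbCr, the image class the description says triggers the overflow. The helper names, the parser and the minimal TIFF bytes it constructs are all assumptions of this example; the sample bytes are not a valid image, only enough structure to exercise the tag lookup.

```python
"""Triage helper for CVE-2020-35654 (added example, not Pillow's own code).

1. Compare a Pillow version string against the patched version 8.1.0.
2. Parse a TIFF header and first IFD to find PhotometricInterpretation,
   so YCbCr files can be held back from an unpatched decoder.
The sample TIFF bytes built below are constructed for this demo only.
"""
import struct

PATCHED_VERSION = (8, 1, 0)   # from the advisory: fixed in Pillow 8.1.0
TAG_PHOTOMETRIC = 262         # TIFF PhotometricInterpretation tag number
PHOTOMETRIC_YCBCR = 6         # TIFF value meaning YCbCr colour space


def parse_version(text):
    """Turn '8.0.1' or '8.1.0.post1' into a comparable integer tuple."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:          # stop at 'post1', 'rc2', etc.
            break
        parts.append(int(digits))
    return tuple(parts)


def pillow_is_patched(version_text):
    """True when the given Pillow version is >= 8.1.0 (missing parts count as 0)."""
    v = (parse_version(version_text) + (0, 0, 0))[:3]
    return v >= PATCHED_VERSION


def tiff_photometric(data):
    """Return the PhotometricInterpretation value from the first IFD, or None.

    Raises ValueError on a malformed header so callers can fail closed.
    """
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    if data[:2] == b"II":
        endian = "<"
    elif data[:2] == b"MM":
        endian = ">"
    else:
        raise ValueError("not a TIFF byte-order mark")
    magic, ifd_offset = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    if ifd_offset + 2 > len(data):
        raise ValueError("IFD offset points outside the file")
    (count,) = struct.unpack(endian + "H", data[ifd_offset:ifd_offset + 2])
    pos = ifd_offset + 2
    for _ in range(count):
        if pos + 12 > len(data):
            raise ValueError("truncated IFD entry")
        tag, typ, n, raw = struct.unpack(endian + "HHI4s", data[pos:pos + 12])
        if tag == TAG_PHOTOMETRIC:
            # A single SHORT (type 3) is stored inline, left-justified in the 4-byte field.
            if typ == 3 and n == 1:
                return struct.unpack(endian + "H", raw[:2])[0]
            raise ValueError("unexpected PhotometricInterpretation encoding")
        pos += 12
    return None


def build_minimal_tiff(photometric, endian="<"):
    """Constructed sample: header plus one IFD with three SHORT tags. Not a valid image."""
    entries = [(256, 3, 1, 4), (257, 3, 1, 4), (TAG_PHOTOMETRIC, 3, 1, photometric)]
    ifd = struct.pack(endian + "H", len(entries))
    for tag, typ, n, value in entries:
        ifd += struct.pack(endian + "HHI", tag, typ, n)
        ifd += struct.pack(endian + "H", value) + b"\x00\x00"   # left-justified SHORT
    ifd += struct.pack(endian + "I", 0)                          # no next IFD
    header = (b"II" if endian == "<" else b"MM") + struct.pack(endian + "HI", 42, 8)
    return header + ifd


def should_block(data, pillow_version):
    """Fail-closed decision: hold back YCbCr (or unparseable) TIFFs when Pillow < 8.1.0."""
    if pillow_is_patched(pillow_version):
        return False
    try:
        return tiff_photometric(data) == PHOTOMETRIC_YCBCR
    except ValueError:
        return True   # malformed header: never hand it to the old decoder


if __name__ == "__main__":
    for name, blob in (("ycbcr", build_minimal_tiff(PHOTOMETRIC_YCBCR)),
                       ("rgb", build_minimal_tiff(2, ">"))):
        print(name, "photometric =", tiff_photometric(blob),
              "block on Pillow 8.0.1:", should_block(blob, "8.0.1"))
```

Holding back YCbCr files is only a stopgap for hosts that cannot upgrade immediately; the remediation the advisory gives is upgrading to Pillow >= 8.1.0. The fail-closed branch on malformed headers is deliberate: a truncated or mislabelled file should not reach the unpatched decoder just because the triage parser could not read it.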

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
pillow (PyPI)    < 8.1.0             8.1.0

Affected products (8)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (13)

News mentions (0)

No linked articles in our index yet.