CVE-2020-5311

Published: Jan 3, 2020Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.

Affected (7)

Products: Python: Pillow · Canonical: Ubuntu Linux · Debian: Debian Linux · +1 more

Show all products

Python: Pillow · Canonical: Ubuntu Linux · Debian: Debian Linux · Fedoraproject: Fedora

1 product

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Python Pillow	Before 6.2.2

Configuration B

6 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 19.10
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0
Fedoraproject Fedora	Version 30
Fedoraproject Fedora	Version 31

Related CWEs

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

References (16)

https://access.redhat.com/errata/RHSA-2020:0566

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0580

Source: cve@mitre.org

Third Party Advisory

https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P/

Source: cve@mitre.org

https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html

Source: cve@mitre.org

Release NotesThird Party Advisory

https://usn.ubuntu.com/4272-1/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2020/dsa-4631

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0566

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0580

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P/

Source: af854a3a-2127-422b-91ae-364da2661108

https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://usn.ubuntu.com/4272-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2020/dsa-4631

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.