CVE-2016-2533
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2016-2533
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-2533.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2016-2533
- Aliases
- Downstream
- Related
- Published
- 2016-04-13T16:59:14Z
- Modified
- 2025-10-21T03:37:01.908463Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.
- References
-
- http://www.debian.org/security/2016/dsa-3499
- https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst
- https://security.gentoo.org/glsa/201612-52
- https://github.com/python-pillow/Pillow/commit/5bdf54b5a76b54fb00bd05f2d733e0a4173eefc9#diff-8ff6909c159597e22288ad818938fd6b
- https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4#diff-8ff6909c159597e22288ad818938fd6b
- https://github.com/python-pillow/Pillow/pull/1706
- http://www.openwall.com/lists/oss-security/2016/02/02/5
- http://www.openwall.com/lists/oss-security/2016/02/22/2
- http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
Affected packages
Git / github.com/python-pillow/pillow
Affected ranges
- Type
- GIT
- Repo
- https://github.com/python-pillow/pillow
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
1.*
1.0
1.2
1.7.6
1.7.7
1.7.8
2.*
2.0.0
2.1.0
2.2.0
2.2.1
2.2.2
2.3.0
2.5.0
2.6.0
2.6.0-rc1
2.7.0
2.8.0
2.8.1
2.9.0
2.9.0.dev0
2.9.0.dev1
2.9.0.dev2
3.*
3.0.0
3.1.0
3.1.0-rc1
Database specific
vanir_signatures
[
{
"source": "https://github.com/python-pillow/pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4",
"target": {
"file": "libImaging/PcdDecode.c"
},
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2016-2533-8b4ca020",
"digest": {
"line_hashes": [
"243576619890553771933049052307961487112",
"159213527502674527969643437745726801554",
"45146649394448460556352801206302482404",
"53128559915082015387888206077850571244",
"105545442111552753224521131184882741405",
"159213527502674527969643437745726801554",
"45146649394448460556352801206302482404",
"53128559915082015387888206077850571244"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/python-pillow/pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4",
"target": {
"function": "ImagingPcdDecode",
"file": "libImaging/PcdDecode.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2016-2533-98c38d44",
"digest": {
"function_hash": "168762087425834242494109050733475827334",
"length": 1022.0
}
},
{
"source": "https://github.com/python-pillow/pillow/commit/5bdf54b5a76b54fb00bd05f2d733e0a4173eefc9",
"target": {
"file": "libImaging/PcdDecode.c"
},
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2016-2533-a27dff82",
"digest": {
"line_hashes": [
"243576619890553771933049052307961487112",
"159213527502674527969643437745726801554",
"45146649394448460556352801206302482404",
"53128559915082015387888206077850571244",
"105545442111552753224521131184882741405",
"159213527502674527969643437745726801554",
"45146649394448460556352801206302482404",
"53128559915082015387888206077850571244"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/python-pillow/pillow/commit/5bdf54b5a76b54fb00bd05f2d733e0a4173eefc9",
"target": {
"function": "ImagingPcdDecode",
"file": "libImaging/PcdDecode.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2016-2533-f60f3dd6",
"digest": {
"function_hash": "168762087425834242494109050733475827334",
"length": 1022.0
}
}
]