CVE-2019-19911
📋 TL;DR
CVE-2019-19911 is a denial-of-service vulnerability in Pillow's FpxImagePlugin that occurs when processing specially crafted FPX images. The vulnerability causes memory exhaustion by attempting to allocate excessive memory based on unvalidated input, leading to process termination via OOM killer on Linux or memory errors on Windows. Anyone using Pillow to process untrusted FPX images is affected.
💻 Affected Systems
- Pillow (Python Imaging Library fork)
📦 What is this software?
Fedora by Fedoraproject
Pillow by Python
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption through process termination, potentially affecting availability of applications that process user-uploaded images.
Likely Case
Denial of service affecting individual processes or services that handle FPX image uploads, requiring restart.
If Mitigated
Minimal impact if proper input validation and memory limits are in place, or if FPX format support is disabled.
🎯 Exploit Status
Simple to exploit by crafting malicious FPX images. Public proof-of-concept exists in vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.2 and later
Vendor Advisory: https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
Restart Required: Yes
Instructions:
1. Update Pillow: pip install --upgrade "pillow>=6.2.2" (quote the specifier so the shell does not treat > as an output redirect)
2. Restart all Python processes using Pillow
3. Verify no older versions remain in your environment
🔧 Temporary Workarounds
Disable FPX support
Remove or disable FPX image format support in Pillow configuration
Modify code to avoid using FpxImagePlugin, or set an environment variable to disable it
Implement input validation
Validate image metadata before processing, reject images with suspicious band counts
🧯 If You Can't Patch
- Implement strict file upload validation to reject FPX format images
- Run vulnerable services with memory limits and automatic restart policies
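The upload validation and version check described above, as an added example written for this advisory (it is not Pillow's own code and does not require Pillow to be installed). It identifies a file by its leading bytes and refuses anything outside an allowlist, in particular OLE2 compound documents, which is the container format FPX uses and the signature Pillow's FPX plugin keys on, so the file is rejected before Pillow ever opens it. It also parses a Pillow version string and compares it against 6.2.2. The sample headers at the bottom are constructed; none is a real image.

```python
"""Defensive pre-checks for image uploads handled by Pillow (added example).

  * sniff_image_format() / is_acceptable_upload(): allowlist check on the
    file's magic bytes; FPX (an OLE2 compound document) is never accepted.
  * pillow_is_patched(): compare a Pillow version string against 6.2.2.
"""

# OLE2 structured-storage signature. FPX files are OLE2 containers, so matching
# this prefix is enough to refuse FPX uploads without parsing them further.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (OLE2_MAGIC, "fpx/ole2"),
)

# Formats this (hypothetical) service intends to handle; everything else is rejected.
ALLOWED_FORMATS = frozenset({"png", "jpeg", "gif"})


def sniff_image_format(header: bytes) -> str:
    """Return a format label for the first bytes of a file, or 'unknown'."""
    for magic, label in _SIGNATURES:
        if header.startswith(magic):
            return label
    return "unknown"


def is_acceptable_upload(header: bytes) -> bool:
    """Allowlist check: True only for formats in ALLOWED_FORMATS.

    Unrecognised data and OLE2 containers (FPX) both come back False.
    """
    return sniff_image_format(header) in ALLOWED_FORMATS


def parse_version(version: str) -> tuple:
    """Turn '6.2.2' or '6.2.2.post1' into a comparable tuple of ints.

    Parsing stops at the first component that does not start with a digit,
    so a suffix such as 'post1' or 'rc1' is ignored rather than miscompared.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def pillow_is_patched(version: str) -> bool:
    """True when the given Pillow version is 6.2.2 or later."""
    return parse_version(version) >= (6, 2, 2)


def check_installed_pillow():
    """Report (version, patched?) for the installed Pillow, or None if absent."""
    try:
        import PIL
    except ImportError:
        return None
    return PIL.__version__, pillow_is_patched(PIL.__version__)


# Constructed sample headers (not real files) for a quick self-check.
SAMPLES = {
    "png_upload": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "fpx_upload": OLE2_MAGIC + b"\x00" * 8,
    "text_upload": b"hello",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        verdict = "accepted" if is_acceptable_upload(header) else "rejected"
        print(name, sniff_image_format(header), verdict)
    print("installed pillow:", check_installed_pillow())
```

Read only the first 16 bytes of an upload into `is_acceptable_upload` before handing the file to any decoder; an allowlist keyed on content rather than on file extension or client-supplied MIME type is what keeps a renamed FPX file out.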
🔍 How to Verify
Check if Vulnerable:
Check Pillow version: python -c "import PIL; print(PIL.__version__)" and compare to 6.2.2
Check Version:
python -c "import PIL; print('Pillow version:', PIL.__version__)"
Verify Fix Applied:
Confirm version is 6.2.2 or higher and test with known malicious FPX image sample
📡 Detection & Monitoring
Log Indicators:
- Process termination logs
- Out of memory errors
- Python tracebacks showing OverflowError in FpxImagePlugin
Network Indicators:
- Multiple FPX image uploads to vulnerable endpoints
SIEM Query:
Process termination events where process name contains 'python' and exit code indicates memory error
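A log triage helper for the indicators listed above, added here as an example rather than taken from any vendor tooling. It scans log lines for two signals: a Python traceback that passes through FpxImagePlugin.py and ends in an OverflowError or MemoryError, and a Linux OOM-killer message naming a python process. The log lines in `SAMPLE_LOG` are constructed for illustration (file paths, line numbers and PIDs are made up), not captured from a real incident.

```python
"""Scan application and kernel logs for the CVE-2019-19911 indicators (added example)."""
import re

# Linux OOM-killer message: "Out of memory: Killed process <pid> (<comm>)".
# Older kernels phrase it "Kill process", so both spellings are accepted.
OOM_RE = re.compile(r"Out of memory: Kill(?:ed)? process (?P<pid>\d+) \((?P<comm>[^)]+)\)")

# A traceback frame inside Pillow's FPX plugin, e.g.
#   File ".../PIL/FpxImagePlugin.py", line 80, in _open
FPX_FRAME_RE = re.compile(r'File "[^"]*FpxImagePlugin\.py", line \d+')

# The exception line that terminates such a traceback.
ERROR_RE = re.compile(r"^(OverflowError|MemoryError)\b")


def scan_log(lines):
    """Return a list of (line_number, indicator, detail) tuples.

    indicator is 'fpx_exception' for an Overflow/MemoryError raised from a
    traceback that went through FpxImagePlugin, or 'oom_kill' for an
    OOM-killer event against a python process.
    """
    findings = []
    in_fpx_traceback = False
    for lineno, line in enumerate(lines, start=1):
        text = line.strip()
        if text.startswith("Traceback (most recent call last)"):
            in_fpx_traceback = False  # a new traceback starts; forget the previous one
            continue
        if FPX_FRAME_RE.search(text):
            in_fpx_traceback = True   # this traceback passed through the FPX plugin
            continue
        if in_fpx_traceback and ERROR_RE.match(text):
            findings.append((lineno, "fpx_exception", text.split(":", 1)[0]))
            in_fpx_traceback = False
            continue
        m = OOM_RE.search(text)
        if m and "python" in m.group("comm").lower():
            findings.append((lineno, "oom_kill", f"pid {m.group('pid')} ({m.group('comm')})"))
    return findings


# Constructed sample log: one FPX traceback, one python OOM kill, one unrelated
# traceback and one OOM kill of a non-python process that must not be flagged.
SAMPLE_LOG = [
    "Traceback (most recent call last):",
    '  File "/srv/app/upload.py", line 40, in handle',
    "    img = Image.open(path)",
    '  File "/usr/lib/python3/dist-packages/PIL/FpxImagePlugin.py", line 80, in _open',
    "    self._open_index(1)",
    "OverflowError: Python int too large to convert to C ssize_t",
    "Jan 10 12:00:01 web1 kernel: Out of memory: Killed process 4242 (python3) total-vm:8000000kB",
    "Traceback (most recent call last):",
    '  File "/srv/app/other.py", line 10, in run',
    "ValueError: unrelated",
    "Jan 10 12:00:05 web1 kernel: Out of memory: Killed process 4300 (postgres) total-vm:4000000kB",
]

if __name__ == "__main__":
    for lineno, indicator, detail in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {indicator}: {detail}")
```

Feed it real log files one line at a time (`scan_log(open(path))` works because the function only iterates). A burst of `fpx_exception` or `oom_kill` findings from the upload service in a short window, correlated with FPX uploads at the network layer, is the pattern the SIEM query above is meant to surface.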
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P/
- https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
- https://usn.ubuntu.com/4272-1/
- https://www.debian.org/security/2020/dsa-4631