Fix possible malware in one of the test files #251

Closed
jrocnuck opened this issue Jun 15, 2013 · 7 comments

@jrocnuck
commented Jun 15, 2013

After downloading the latest version of Pillow (2.0)

The virus scanners are triggering on this file:

/Tests/images/pngtest_bad.png.base64

Virus Total has 14 virus scanners calling this malware:

https://www.virustotal.com/en/file/7bc6edd81fb3d2741382863b0670cf2260b495f0065d83ea00c64fc5eddcefa1/analysis/1371264441/

@aclark4life

Member

commented Jun 15, 2013

Likely a false positive

@cgohlke

Contributor

commented Jun 15, 2013

It's not really a fp. Pngtest_bad.png was previously base64 encoded to avoid virus warnings and other incidents. It is designed to test/trigger a buffer overflow vulnerability in libpng-1.2.5.

@aclark4life

Member

commented Jun 15, 2013

Ah, thanks @cgohlke

@jrocnuck

Author

commented Jun 15, 2013

I was guessing it might be something like that and just wanted to point it out in case.
I guess the virus scanners look for its b64 pattern too.

So that png will cause a crash if there's an old libpng, but it won't run any exploit code / shell code?

@aclark4life

Member

commented Jun 16, 2013

Looks like it, I guess you'd have to decode and examine it… actually you can examine the file pre-encoding here: http://hg.effbot.org/pil-117/raw/2ca582d524163216973285a5bc19706b82d094b3/Tests/images/pngtest_bad.png.

Also a bit more about the vulnerability in libpng is here: http://scary.beasts.org/security/CESA-2004-001.txt

@wiredfool

Member

commented Jun 17, 2013

Might make sense to add a note in the source or in the test image directory, so that the answer to this isn't buried in the comments and the source control. (and I suppose, the next step is to encrypt, rather than b64)

@cgohlke

Contributor

commented Jun 17, 2013

Another workaround might be to save the image without the complete PNG header (e.g. the first 4 bytes) and add it back in memory during the test.
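
The workaround in the comment above, sketched as an added example (not code from Pillow or from any participant in this thread): the fixture is kept on disk without the first 4 bytes of the PNG signature, so it is not a parseable PNG at rest, and the test restores those bytes in memory. The function names and the harmless 1x1 sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # standard 8-byte PNG file signature
STRIPPED = 4                           # bytes withheld on disk, as the comment suggests


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed, harmless 1x1 grayscale PNG standing in for a test fixture."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def strip_signature(png: bytes) -> bytes:
    """Return the at-rest form: the file minus its first 4 signature bytes."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: signature missing")
    return png[STRIPPED:]


def restore_signature(stored: bytes) -> bytes:
    """Rebuild the full PNG in memory; reject anything that is not a stripped PNG."""
    if stored.startswith(PNG_SIGNATURE):
        raise ValueError("fixture already carries a full PNG signature")
    if not stored.startswith(PNG_SIGNATURE[STRIPPED:]):
        raise ValueError("remaining signature bytes do not match a PNG")
    return PNG_SIGNATURE[:STRIPPED] + stored


if __name__ == "__main__":
    original = make_sample_png()
    at_rest = strip_signature(original)
    print("at rest starts with:", at_rest[:4])
    print("round trip intact:", restore_signature(at_rest) == original)
```

In a test, the restored bytes would be wrapped in `io.BytesIO` and handed to the image loader, so the complete file never exists on disk.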
