tomer8007 / kik-bot-api-unofficial

Python API for writing unofficial Kik bots that act like humans
MIT License
126 stars 76 forks

Heap-based Buffer Overflow Affecting pillow package, versions [,10.0.1) #251

Open vipguy opened 4 months ago

vipguy commented 4 months ago

Affected versions of this package are vulnerable to Heap-based Buffer Overflow when the ReadHuffmanCodes() function is used.

Pillow package, versions [,10.0.1) 10.2.0 also has some issues 😳
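A defender-side check for the affected range quoted above, added here as an example; it is not code from the issue or from the kik-bot-api-unofficial repository. It parses Snyk's interval notation and reports whether an installed or pinned Pillow version falls inside it; the requirement lines and versions it checks are constructed sample values.

```python
"""Check a Pillow version against a Snyk-style affected range such as "[,10.0.1)".
Added example, not project code; the range text comes from the issue, the
requirement lines and versions below are constructed samples."""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'10.0.1' -> (10, 0, 1). A trailing tag such as '.post1' or 'rc1' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if m is None:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def compare(a: Version, b: Version) -> int:
    """Compare after zero-padding, so 10.0 == 10.0.0 (plain tuple order would say less)."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)

def parse_range(text: str) -> Tuple[Optional[Version], bool, Optional[Version], bool]:
    """Parse '[lo,hi)': '[' / ']' are inclusive bounds, '(' / ')' exclusive, '' unbounded."""
    m = re.fullmatch(r"\s*([\[(])([^,]*),([^\])]*)([\])])\s*", text)
    if m is None:
        raise ValueError(f"not an interval: {text!r}")
    lo_txt, hi_txt = m.group(2).strip(), m.group(3).strip()
    lo = parse_version(lo_txt) if lo_txt else None
    hi = parse_version(hi_txt) if hi_txt else None
    return lo, m.group(1) == "[", hi, m.group(4) == "]"

def is_affected(version: str, affected_range: str) -> bool:
    """True when `version` lies inside `affected_range`."""
    lo, lo_incl, hi, hi_incl = parse_range(affected_range)
    v = parse_version(version)
    if lo is not None and compare(v, lo) < (0 if lo_incl else 1):
        return False  # below the lower bound (or on an exclusive one)
    if hi is not None and compare(v, hi) > (0 if hi_incl else -1):
        return False  # at or above the fix version
    return True

def pinned_version(requirement: str) -> Optional[str]:
    """Version from an exact pin like 'Pillow==9.5.0'; None for ranges or unpinned lines."""
    m = re.fullmatch(r"\s*[A-Za-z0-9_.-]+\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?", requirement)
    return m.group(1) if m else None
```

A range specifier such as `pillow>=9.0` returns None from `pinned_version`, which is the case worth flagging: the resolver may then install any version, including ones inside the affected range.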

tomer8007 commented 4 months ago

Any CVE number? Why do you think it impacts this repo?

vipguy commented 4 months ago

I upgraded to the new pillow and it broke some stuff, then GitHub flagged my repo as a vulnerability, in most pillow versions. As for your repo, the pillow requirement there is less of a vulnerability than the new one; the new one has potential for attacks.

vipguy commented 4 months ago

https://security.snyk.io/vuln/SNYK-PYTHON-PILLOW-6219984

tomer8007 commented 4 months ago

What's the threat here? Sending an image to the bot that results in an RCE?