My antivirus (Avast Shield alert) keeps reporting and removing the file crash_2.tif to my virus chest because it has a vulnerability with TIFF:CVE-2015-5097 [Expl].
This image resides on path /private/var/folders/..../unpacked/Pillow-7.1.2/Tests/images/crash_2.tif
Any file distributed with Pillow will not be reported as an exploit.
They're not wrong, but it's not helpful. Anything that's named crash_ is a reproduction of a crashing bug in Pillow, most of them have CVEs.
And this one was specifically for CVE-2020-10379 "Fix two buffer overflows in TIFF decoding" (https://github.com/python-pillow/Pillow/pull/4507):
I am not importing Pillow directly, it was installed as a dependency for other packages. If I could isolate more I will post it here.
It's a vulnerability for a past version of Pillow. It is not a vulnerability for Pillow 7.1.2 that you have.
Also, to be clear, the image file can be removed by your antivirus software and Pillow will continue to work without a problem. The image would only be used if you ran a specific Pillow test script.
If this is solved already, the issue could be closed (I filed it to let others know about the issue). I removed the aforementioned file and could use Pillow without problems.
I've also just hit this issue when building Pillow for a Kivy Python deployment on iOS. Got it whilst trying to update from version 6.2.0 to 7.2.0. And sorry, deleting the file after deployment is not a solution. It's a workaround.
Consider if someone is building a Kivy app on macOS for the first time and they see this virus warning immediately when they build? It's a terrible impression, and they will probably cancel and uninstall everything. Please could you consider a proper solution that avoids this warning, i.e. removing the files or updating with non-vulnerable ones?
Please refer to: https://github.com/kivy/kivy-ios/issues/529
My suggested solution would be to move the CVE images to a separate python-pillow repository, and to fetch an image as part of each individual test. I don't personally have permissions to create such a repository though.
They could go in https://github.com/python-pillow/pillow-depends/tree/master/test_images
These are fetched on the CIs but aren't in the sdist:
But would this be a problem for downstream packagers, who usually want tests too? Would they be okay not testing for CVE regressions by default?
Thanks for providing that URL. I tried finding it instead at https://github.com/wiredfool/test-image-results, which isn't right.
I've created #4792 to clarify what I'm suggesting - download each image as part of each test, so that everyone would still be testing for CVE regressions, but without triggering antivirus software. I recognise this may not be an ideal solution, just putting the idea out there.
@radarhere @hugovk Thanks. I really appreciate the action on this. +1
https://github.com/python-pillow/Pillow/pull/4792#issuecomment-659335356
Tests shouldn't rely on the network being available -- The tests need to be deterministic based on what's on the disk.
Either:
1) It should stay, it's important
2) It should go in the additional test images repo
3) It should be in a pw protected zip/xor'd file with a known password like 'sudo_ignore_this_avast_this_is_a_false_positive'
(fwiw, tests that rely on network have been a pain over the last months as I've been on connections that are flakey to one level or other, and cell hotspots aren't much better)
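As an added illustration of option 3 above (example code written for this page; it is not Pillow's own code and not what PR #4869 does), the helper below stores a crash reproducer XORed with a fixed, non-secret key so the committed file no longer carries the byte pattern a scanner signature matches on, then rebuilds the original under a temporary directory at test time after checking a SHA-256 digest so a corrupted or tampered fixture is caught before the decoder sees it. The key, the file names and the TIFF-like sample bytes are all assumptions; the sample is constructed here and is not any real crash_*.tif.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical repeating XOR key (assumption, borrowed from the comment above).
# It is deliberately not a secret: the point is to change the bytes at rest so
# signature-based scanners stop matching, not to protect anything.
OBFUSCATION_KEY = b"sudo_ignore_this_avast_this_is_a_false_positive"


def xor_bytes(data: bytes, key: bytes = OBFUSCATION_KEY) -> bytes:
    """XOR data with a repeating key. Applying it twice restores the input."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def store_obfuscated(original: bytes, dest: Path) -> str:
    """Write the XORed form of original to dest (e.g. crash_2.tif.xor) and return
    the SHA-256 of the plaintext, which a test would commit next to the fixture."""
    dest.write_bytes(xor_bytes(original))
    return hashlib.sha256(original).hexdigest()


def load_obfuscated(src: Path, expected_sha256: str, workdir: Path) -> Path:
    """Reverse the transform into workdir, verify the digest, and return the
    path of the reconstructed file, ready to hand to Image.open()."""
    plain = xor_bytes(src.read_bytes())
    digest = hashlib.sha256(plain).hexdigest()
    if digest != expected_sha256:
        raise ValueError(f"fixture {src.name}: digest {digest} != expected {expected_sha256}")
    out = workdir / src.with_suffix("").name  # strip the trailing .xor
    out.write_bytes(plain)
    return out


def demo() -> dict:
    """Round-trip a constructed stand-in for a crash reproducer and report what happened."""
    # Constructed sample: a little-endian TIFF header followed by filler bytes.
    # Not the bytes of any Pillow test image.
    sample = b"II*\x00" + b"\x08\x00\x00\x00" + bytes(range(256)) * 4
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        stored = tmp / "crash_2.tif.xor"
        digest = store_obfuscated(sample, stored)
        on_disk = stored.read_bytes()
        restored = load_obfuscated(stored, digest, tmp)
        # A wrong digest (here: a bogus all-zero one) must be rejected before use.
        try:
            load_obfuscated(stored, "0" * 64, tmp)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {
            "on_disk_matches_plain": on_disk == sample,
            "on_disk_has_tiff_magic": on_disk[:4] in (b"II*\x00", b"MM\x00*"),
            "restored_matches": restored.read_bytes() == sample,
            "restored_name": restored.name,
            "tamper_detected": tamper_detected,
        }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want: the transform only changes what sits in the repository and sdist, so an on-access scanner can still quarantine the reconstructed file in the temp directory for the few milliseconds the test needs it (inherent to any option that feeds real crash bytes to the decoder), and the digest check is what keeps the "known password" harmless, since a fixture nobody can tamper with unnoticed is the thing the CVE regression tests actually depend on.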
I've created PR #4869 to use the zip suggestion.
I've a slight preference for number 2, just because it simplifies our test mechanics and requires less special handling code.
But if anyone prefers number 3 (PR #4869), that's fine too.
I've created https://github.com/python-pillow/Pillow/pull/4929 for number 2.