Antivirus Avast detect test image crash_2.tif as with exploit

[danieltomasz]

What did you do?

My Antivirus (Avast Shield alert) keep reporting and removing file crash_2.tif to my virus chest because it has vulnerability with TIFF:CVE-2015-5097 [Expl] .
This image resides on path /private/var/folders/..../unpacked/Pillow-7.1.2/Tests/images/crash_2.tif

What did you expect to happen?

Any file distributed with Pillow will not be reported as an exploit.

What actually happened?

What are your OS, Python and Pillow versions?

• OS: MacOS 10.15.5
• Python: 3.8.2
• Pillow: 7.1.2

code goes here

[wiredfool]

They're not wrong, but it's not helpful. Anything that's named crash_ is a reproduction of a crashing bug in Pillow, most of them have CVEs.

[hugovk]

And this one was specifically for CVE-2020-10379 "Fix two buffer overflows in TIFF decoding" (#4507):

• https://pillow.readthedocs.io/en/latest/releasenotes/7.1.0.html#security

[danieltomasz]

They're not wrong, but it's not helpful. Anything that's named crash_ is a reproduction of a crashing bug in Pillow, most of them have CVEs.

I am not importing Pillow directly, it was installed as a dependency for other packages. If I could isolate more I will post it here.

[radarhere]

It's a vulnerability for a past version of Pillow. It is not a vulnerability for Pillow 7.1.2 that you have.

[radarhere]

Also, to be clear, the image file can be removed by your antivirus software and Pillow will continue to work without a problem. The image would only be used if you ran a specific Pillow test script.

[danieltomasz]

If this is solved already, the issue could be closed ( I filled it to let others know about the issue) I removed the aforementioned file and could use Pillow without problems

[Zen-CODE]

I've also just hit this issue when building pillow for a Kivy python deployment on iOS. Got it whilst trying to update from version 6.2.0 to 7.20. And sorry, deleting the file after deployment is not a solution. It's a workaround.

Consider if someone is building a Kivy app on MacOS for the first time and they sees this Virus warning immediately when they build? It's a terrible impression, and they will probably cancel and uninstall everything. Please could you consider a proper solution, that avoids this warning? i.e. removing the files or updating with non-vulnerable ones?

Please refer: kivy/kivy-ios#529

[radarhere]

My suggested solution would be to move the CVE images to a separate python-pillow repository, and to fetch an image as part of each individual test. I don't personally have permissions to create such a repository though.

[hugovk]

They could go in https://github.com/python-pillow/pillow-depends/tree/master/test_images

These are fetched on the CIs but aren't in the sdist:

• https://github.com/python-pillow/Pillow/search?q=install_extra_test_images.sh+&type=

But would this be a problem for downstream packagers, who usually want tests too? Would they be okay not testing for CVE regressions by default?

[radarhere]

Thanks for providing that URL. I tried finding it instead at https://github.com/wiredfool/test-image-results, which isn't right.

I've created #4792 to clarify what I'm suggesting - download each image as part of each test, so that everyone would still be testing for CVE regressions, but without triggering antivirus software. I recognise this may not be an ideal solution, just putting the idea out there.