diff --git a/SOURCES/CVE-2020-11538.patch b/SOURCES/CVE-2020-11538.patch
new file mode 100644
index 0000000..e8cc8df
--- /dev/null
+++ b/SOURCES/CVE-2020-11538.patch
@@ -0,0 +1,56 @@
+From f91c78960495efa04c7f12eeb916158d4bfbabc4 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Mon, 13 Jul 2020 15:40:11 +0200
+Subject: [PATCH] CVE-2020-11538
+
+---
+ src/libImaging/SgiRleDecode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index 6367ae7..eb8fc84 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)
+ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+ {
+ UINT8 pixel, count;
++ int x = 0;
+
+ for (;n > 0; n--)
+ {
+@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+ count = pixel & RLE_MAX_RUN;
+ if (!count)
+ return count;
+- if (count > xsize) {
++ if (x + count > xsize) {
+ return -1;
+ }
++ x += count;
+ if (pixel & RLE_COPY_FLAG) {
+ while(count--) {
+ *dest = *src++;
+@@ -63,6 +65,7 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
+ {
+ UINT8 pixel, count;
+
++ int x = 0;
+
+ for (;n > 0; n--)
+ {
+@@ -73,9 +76,10 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
+ count = pixel & RLE_MAX_RUN;
+ if (!count)
+ return count;
+- if (count > xsize) {
++ if (x + count > xsize) {
+ return -1;
+ }
++ x += count;
+ if (pixel & RLE_COPY_FLAG) {
+ while(count--) {
+ *dest = *src++;
+--
+2.26.2
+
diff --git a/SOURCES/CVE-2020-5313.patch b/SOURCES/CVE-2020-5313.patch
new file mode 100644
index 0000000..fe505e8
--- /dev/null
+++ b/SOURCES/CVE-2020-5313.patch
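Review bot: In SgiRleDecode.c the new `x + count > xsize` guard in expandrow and expandrow2 bounds only the writes through `dest`; in the lines shown nothing bounds the `*src++` reads of the copy branch, and the loop header `for (;n > 0; n--)` counts `n` down once per run while that branch consumes `count` input elements. Unless a length check sits in the parts of both functions that lie outside these hunks, a malformed row may still pass the new check and read beyond the compressed data. I would have the caller pass an end-of-input pointer (a new parameter, here called `src_end`) and add `if (count > src_end - src) return -1;` ahead of the `while(count--)` copy loop, with an equivalent check before any other source read in the loop. A short comment on `x`, such as `/* pixels already written to this row */`, would also make the invariant explicit in both functions.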
@@ -0,0 +1,38 @@
+From 697957b79a9473f0f643051265885fb048395127 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Wed, 4 Mar 2020 10:54:54 +0100
+Subject: [PATCH] CVE-2020-5313
+
+---
+ src/libImaging/FliDecode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
+index a99aca8..72ba138 100644
+--- a/src/libImaging/FliDecode.c
++++ b/src/libImaging/FliDecode.c
+@@ -40,8 +40,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ return 0;
+
+ /* We don't decode anything unless we have a full chunk in the
+- input buffer (on the other hand, the Python part of the driver
+- makes sure this is always the case) */
++ input buffer */
+
+ ptr = buf;
+
+@@ -52,6 +51,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ /* Make sure this is a frame chunk. The Python driver takes
+ case of other chunk types. */
+
++ if (bytes < 8) {
++ state->errcode = IMAGING_CODEC_OVERRUN;
++ return -1;
++ }
++
+ if (I16(ptr+4) != 0xF1FA) {
+ state->errcode = IMAGING_CODEC_UNKNOWN;
+ return -1;
+--
+2.24.1
+
diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec
index 2d786ca..2993cbb 100644
--- a/SPECS/python-pillow.spec
+++ b/SPECS/python-pillow.spec
@@ -8,7 +8,7 @@ Name: python-%{srcname} Version: 5.1.1
-Release: 10%{?dist}
+Release: 12%{?dist}
 Summary: Python image processing library # License: see http://www.pythonware.com/products/pil/license.htm
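Review bot: In FliDecode.c the added `if (bytes < 8)` guard covers the `I16(ptr+4)` read that follows it, but the same patch deletes the comment saying the Python driver guarantees a full chunk, so every later read in ImagingFliDecode now needs a length check of its own, and this hunk adds only the one. The function continues past the hunk, so how much of the header is consumed after the magic test is not visible here; if it is more than 8 bytes, the threshold should be that size, and `bytes` should be re-checked before each further advance of `ptr`. The bare constant also deserves a comment above the guard, for example `/* short input: the frame header fields read below are not all present */`.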
@@ -32,6 +32,14 @@ Patch3: CVE-2020-5312_CVE-2019-16865.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1789535 # https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3 Patch4: CVE-2020-5311.patch
+# CVE-2020-11538 out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
+# Upstream fix: https://github.com/python-pillow/Pillow/pull/4504/
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1852814
+Patch5: CVE-2020-11538.patch
+# CVE-2020-5313 out-of-bounds read in ImagingFliDecode when loading FLI images
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b?patch
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1789532
+Patch6: CVE-2020-5313.patch
 BuildRequires: freetype-devel BuildRequires: gcc
@@ -176,6 +184,14 @@ popd %changelog
+* Mon Jul 13 2020 Lumír Balhar - 5.1.1-12
+- Fix for CVE-2020-5313
+Resolves: rhbz#1789532
+
+* Mon Jul 13 2020 Lumír Balhar - 5.1.1-11
+- Fix for CVE-2020-11538
+Resolves: rhbz#1852814
+
 * Mon Feb 17 2020 Lumír Balhar - 5.1.1-10 - Bump and rebuild for gating to deliver CVE fixes Resolves: rhbz#1789535
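Review bot: The Patch5 and Patch6 lines in python-pillow.spec only declare the files, and nothing in this diff touches %prep, so the two fixes reach the build only if %prep applies patches automatically (for example through %autosetup) rather than through per-patch `%patchN` lines; that is worth confirming in the build log before the update ships. The Patch5 comment cites upstream pull request 4504, while the backported CVE-2020-11538.patch changes one file with 6 insertions; if the upstream change contains more than that, a line such as `# Backport limited to the expandrow/expandrow2 bounds check` would tell the next maintainer the rest was left out on purpose. Neither backport carries a regression test, so a malformed-input test in %check for the SGI and FLI decoders would be a useful follow-up.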