Security fix for CVE-2026-54059, CVE-2026-54060, CVE-2026-55379, CVE-2026-55380

Resolves: RHEL-192830, RHEL-192770, RHEL-192684, RHEL-192731
This commit is contained in:
Lumir Balhar 2026-07-08 15:49:03 +02:00 committed by Lukas Zachar
parent aaaa0121d7
commit 4a648bc0d4
3 changed files with 112 additions and 1 deletions

View File

@ -0,0 +1,63 @@
From e616649b74319752628c78b5e72a16cf120c1bb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lum=C3=ADr=20Balhar?= <lbalhar@redhat.com>
Date: Wed, 8 Jul 2026 13:02:14 +0000
Subject: [PATCH 1/2] Add decompression bomb checks to FontFile classes
Fixes CVE-2026-54059, CVE-2026-54060, CVE-2026-55379
Backport of upstream commit 0a263e6264aa5399988d9acd3bbfbca2ca3ec77d
---
src/PIL/BdfFontFile.py | 2 ++
src/PIL/FontFile.py | 4 +++-
src/PIL/PcfFontFile.py | 1 +
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/PIL/BdfFontFile.py b/src/PIL/BdfFontFile.py
index c8bc604..a0c78b8 100644
--- a/src/PIL/BdfFontFile.py
+++ b/src/PIL/BdfFontFile.py
@@ -75,6 +75,8 @@ def bdf_char(f):
bbox = (dx, dy), (l, -d-y, x+l, -d), (0, 0, x, y)
+ Image._decompression_bomb_check((x, y))
+
try:
im = Image.frombytes("1", (x, y), bitmap, "hex", "1")
except ValueError:
diff --git a/src/PIL/FontFile.py b/src/PIL/FontFile.py
index 46e49bc..bc68af3 100644
--- a/src/PIL/FontFile.py
+++ b/src/PIL/FontFile.py
@@ -58,7 +58,7 @@ class FontFile(object):
if glyph:
d, dst, src, im = glyph
h = max(h, src[3] - src[1])
- w = w + (src[2] - src[0])
+ w += src[2] - src[0]
if w > WIDTH:
lines += 1
w = (src[2] - src[0])
@@ -70,6 +70,8 @@ class FontFile(object):
if xsize == 0 and ysize == 0:
return ""
+ Image._decompression_bomb_check((xsize, ysize))
+
self.ysize = h
# paste glyphs into bitmap
diff --git a/src/PIL/PcfFontFile.py b/src/PIL/PcfFontFile.py
index eba85fe..3fdb505 100644
--- a/src/PIL/PcfFontFile.py
+++ b/src/PIL/PcfFontFile.py
@@ -213,6 +213,7 @@ class PcfFontFile(FontFile.FontFile):
for i in range(nbitmaps):
x, y, l, r, w, a, d, f = metrics[i]
+ Image._decompression_bomb_check((x, y))
b, e = offsets[i], offsets[i+1]
bitmaps.append(
Image.frombytes("1", (x, y), data[b:e], "raw", mode, pad(x))
--
2.54.0

36
CVE-2026-55380.patch Normal file
View File

@ -0,0 +1,36 @@
From 5b9cc2556f54493f15420ecc842c54b81845930d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lum=C3=ADr=20Balhar?= <lbalhar@redhat.com>
Date: Wed, 8 Jul 2026 13:03:39 +0000
Subject: [PATCH 2/2] Add decompression bomb check to GdImageFile
Fixes CVE-2026-55380
Backport of upstream commit f39b0ae6624eb2d7c5c5d651d9bb5fdbd96a8675
---
src/PIL/GdImageFile.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/PIL/GdImageFile.py b/src/PIL/GdImageFile.py
index 09ab5ec..f3c0e1d 100644
--- a/src/PIL/GdImageFile.py
+++ b/src/PIL/GdImageFile.py
@@ -23,7 +23,7 @@
# purposes only.
-from . import ImageFile, ImagePalette
+from . import Image, ImageFile, ImagePalette
from ._binary import i16be as i16
from ._util import isPath
@@ -55,6 +55,8 @@ class GdImageFile(ImageFile.ImageFile):
self.mode = "L" # FIXME: "P"
self.size = i16(s[0:2]), i16(s[2:4])
+ Image._decompression_bomb_check(self.size)
+
# transparency index
tindex = i16(s[5:7])
if tindex < 256:
--
2.54.0

View File

@ -8,7 +8,7 @@
Name: python-%{srcname}
Version: 5.1.1
Release: 21%{?dist}
Release: 22%{?dist}
Summary: Python image processing library
# License: see http://www.pythonware.com/products/pil/license.htm
@ -125,6 +125,14 @@ Patch22: CVE-2023-50447.patch
# Upstream fix: https://github.com/python-pillow/Pillow/pull/7928
# Patch rebased. The test requires a binary file and therefore isn't backported.
Patch23: CVE-2024-28219.patch
# CVE-2026-54059 python-pillow: uncontrolled memory allocation in PcfFontFile._load_bitmaps()
# CVE-2026-54060 python-pillow: uncontrolled memory allocation in FontFile.compile()
# CVE-2026-55379 python-pillow: uncontrolled memory allocation in BdfFontFile bdf_char()
# Upstream fix: https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d
Patch24: CVE-2026-54059_54060_55379.patch
# CVE-2026-55380 python-pillow: uncontrolled memory allocation in GdImageFile
# Upstream fix: https://github.com/python-pillow/Pillow/commit/f39b0ae6624eb2d7c5c5d651d9bb5fdbd96a8675
Patch25: CVE-2026-55380.patch
BuildRequires: freetype-devel
BuildRequires: gcc
@ -269,6 +277,10 @@ popd
%changelog
* Wed Jul 08 2026 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-22
- Security fix for CVE-2026-54059, CVE-2026-54060, CVE-2026-55379, CVE-2026-55380
Resolves: RHEL-192830, RHEL-192770, RHEL-192684, RHEL-192731
* Thu Apr 04 2024 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-21
- Security fix for CVE-2024-28219
Resolves: RHEL-31071