Security fix for CVE-2026-54059, CVE-2026-54060, CVE-2026-55379, CVE-2026-55380
Resolves: RHEL-192830, RHEL-192770, RHEL-192684, RHEL-192731
This commit is contained in:
parent
aaaa0121d7
commit
4a648bc0d4
63
CVE-2026-54059_54060_55379.patch
Normal file
63
CVE-2026-54059_54060_55379.patch
Normal file
@ -0,0 +1,63 @@
|
||||
From e616649b74319752628c78b5e72a16cf120c1bb6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Lum=C3=ADr=20Balhar?= <lbalhar@redhat.com>
|
||||
Date: Wed, 8 Jul 2026 13:02:14 +0000
|
||||
Subject: [PATCH 1/2] Add decompression bomb checks to FontFile classes
|
||||
|
||||
Fixes CVE-2026-54059, CVE-2026-54060, CVE-2026-55379
|
||||
Backport of upstream commit 0a263e6264aa5399988d9acd3bbfbca2ca3ec77d
|
||||
---
|
||||
src/PIL/BdfFontFile.py | 2 ++
|
||||
src/PIL/FontFile.py | 4 +++-
|
||||
src/PIL/PcfFontFile.py | 1 +
|
||||
3 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/PIL/BdfFontFile.py b/src/PIL/BdfFontFile.py
|
||||
index c8bc604..a0c78b8 100644
|
||||
--- a/src/PIL/BdfFontFile.py
|
||||
+++ b/src/PIL/BdfFontFile.py
|
||||
@@ -75,6 +75,8 @@ def bdf_char(f):
|
||||
|
||||
bbox = (dx, dy), (l, -d-y, x+l, -d), (0, 0, x, y)
|
||||
|
||||
+ Image._decompression_bomb_check((x, y))
|
||||
+
|
||||
try:
|
||||
im = Image.frombytes("1", (x, y), bitmap, "hex", "1")
|
||||
except ValueError:
|
||||
diff --git a/src/PIL/FontFile.py b/src/PIL/FontFile.py
|
||||
index 46e49bc..bc68af3 100644
|
||||
--- a/src/PIL/FontFile.py
|
||||
+++ b/src/PIL/FontFile.py
|
||||
@@ -58,7 +58,7 @@ class FontFile(object):
|
||||
if glyph:
|
||||
d, dst, src, im = glyph
|
||||
h = max(h, src[3] - src[1])
|
||||
- w = w + (src[2] - src[0])
|
||||
+ w += src[2] - src[0]
|
||||
if w > WIDTH:
|
||||
lines += 1
|
||||
w = (src[2] - src[0])
|
||||
@@ -70,6 +70,8 @@ class FontFile(object):
|
||||
if xsize == 0 and ysize == 0:
|
||||
return ""
|
||||
|
||||
+ Image._decompression_bomb_check((xsize, ysize))
|
||||
+
|
||||
self.ysize = h
|
||||
|
||||
# paste glyphs into bitmap
|
||||
diff --git a/src/PIL/PcfFontFile.py b/src/PIL/PcfFontFile.py
|
||||
index eba85fe..3fdb505 100644
|
||||
--- a/src/PIL/PcfFontFile.py
|
||||
+++ b/src/PIL/PcfFontFile.py
|
||||
@@ -213,6 +213,7 @@ class PcfFontFile(FontFile.FontFile):
|
||||
|
||||
for i in range(nbitmaps):
|
||||
x, y, l, r, w, a, d, f = metrics[i]
|
||||
+ Image._decompression_bomb_check((x, y))
|
||||
b, e = offsets[i], offsets[i+1]
|
||||
bitmaps.append(
|
||||
Image.frombytes("1", (x, y), data[b:e], "raw", mode, pad(x))
|
||||
--
|
||||
2.54.0
|
||||
|
||||
36
CVE-2026-55380.patch
Normal file
36
CVE-2026-55380.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 5b9cc2556f54493f15420ecc842c54b81845930d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Lum=C3=ADr=20Balhar?= <lbalhar@redhat.com>
|
||||
Date: Wed, 8 Jul 2026 13:03:39 +0000
|
||||
Subject: [PATCH 2/2] Add decompression bomb check to GdImageFile
|
||||
|
||||
Fixes CVE-2026-55380
|
||||
Backport of upstream commit f39b0ae6624eb2d7c5c5d651d9bb5fdbd96a8675
|
||||
---
|
||||
src/PIL/GdImageFile.py | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/PIL/GdImageFile.py b/src/PIL/GdImageFile.py
|
||||
index 09ab5ec..f3c0e1d 100644
|
||||
--- a/src/PIL/GdImageFile.py
|
||||
+++ b/src/PIL/GdImageFile.py
|
||||
@@ -23,7 +23,7 @@
|
||||
# purposes only.
|
||||
|
||||
|
||||
-from . import ImageFile, ImagePalette
|
||||
+from . import Image, ImageFile, ImagePalette
|
||||
from ._binary import i16be as i16
|
||||
from ._util import isPath
|
||||
|
||||
@@ -55,6 +55,8 @@ class GdImageFile(ImageFile.ImageFile):
|
||||
self.mode = "L" # FIXME: "P"
|
||||
self.size = i16(s[0:2]), i16(s[2:4])
|
||||
|
||||
+ Image._decompression_bomb_check(self.size)
|
||||
+
|
||||
# transparency index
|
||||
tindex = i16(s[5:7])
|
||||
if tindex < 256:
|
||||
--
|
||||
2.54.0
|
||||
|
||||
@ -8,7 +8,7 @@
|
||||
|
||||
Name: python-%{srcname}
|
||||
Version: 5.1.1
|
||||
Release: 21%{?dist}
|
||||
Release: 22%{?dist}
|
||||
Summary: Python image processing library
|
||||
|
||||
# License: see http://www.pythonware.com/products/pil/license.htm
|
||||
@ -125,6 +125,14 @@ Patch22: CVE-2023-50447.patch
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/pull/7928
|
||||
# Patch rebased. The test requires a binary file and therefore isn't backported.
|
||||
Patch23: CVE-2024-28219.patch
|
||||
# CVE-2026-54059 python-pillow: uncontrolled memory allocation in PcfFontFile._load_bitmaps()
|
||||
# CVE-2026-54060 python-pillow: uncontrolled memory allocation in FontFile.compile()
|
||||
# CVE-2026-55379 python-pillow: uncontrolled memory allocation in BdfFontFile bdf_char()
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d
|
||||
Patch24: CVE-2026-54059_54060_55379.patch
|
||||
# CVE-2026-55380 python-pillow: uncontrolled memory allocation in GdImageFile
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/f39b0ae6624eb2d7c5c5d651d9bb5fdbd96a8675
|
||||
Patch25: CVE-2026-55380.patch
|
||||
|
||||
BuildRequires: freetype-devel
|
||||
BuildRequires: gcc
|
||||
@ -269,6 +277,10 @@ popd
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jul 08 2026 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-22
|
||||
- Security fix for CVE-2026-54059, CVE-2026-54060, CVE-2026-55379, CVE-2026-55380
|
||||
Resolves: RHEL-192830, RHEL-192770, RHEL-192684, RHEL-192731
|
||||
|
||||
* Thu Apr 04 2024 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-21
|
||||
- Security fix for CVE-2024-28219
|
||||
Resolves: RHEL-31071
|
||||
|
||||
Loading…
Reference in New Issue
Block a user