diff --git a/CVE-2026-54059_54060_55379.patch b/CVE-2026-54059_54060_55379.patch new file mode 100644 index 0000000..feb669a --- /dev/null +++ b/CVE-2026-54059_54060_55379.patch @@ -0,0 +1,63 @@ +From e616649b74319752628c78b5e72a16cf120c1bb6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lum=C3=ADr=20Balhar?= +Date: Wed, 8 Jul 2026 13:02:14 +0000 +Subject: [PATCH 1/2] Add decompression bomb checks to FontFile classes + +Fixes CVE-2026-54059, CVE-2026-54060, CVE-2026-55379 +Backport of upstream commit 0a263e6264aa5399988d9acd3bbfbca2ca3ec77d +--- + src/PIL/BdfFontFile.py | 2 ++ + src/PIL/FontFile.py | 4 +++- + src/PIL/PcfFontFile.py | 1 + + 3 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/PIL/BdfFontFile.py b/src/PIL/BdfFontFile.py +index c8bc604..a0c78b8 100644 +--- a/src/PIL/BdfFontFile.py ++++ b/src/PIL/BdfFontFile.py +@@ -75,6 +75,8 @@ def bdf_char(f): + + bbox = (dx, dy), (l, -d-y, x+l, -d), (0, 0, x, y) + ++ Image._decompression_bomb_check((x, y)) ++ + try: + im = Image.frombytes("1", (x, y), bitmap, "hex", "1") + except ValueError: +diff --git a/src/PIL/FontFile.py b/src/PIL/FontFile.py +index 46e49bc..bc68af3 100644 +--- a/src/PIL/FontFile.py ++++ b/src/PIL/FontFile.py +@@ -58,7 +58,7 @@ class FontFile(object): + if glyph: + d, dst, src, im = glyph + h = max(h, src[3] - src[1]) +- w = w + (src[2] - src[0]) ++ w += src[2] - src[0] + if w > WIDTH: + lines += 1 + w = (src[2] - src[0]) +@@ -70,6 +70,8 @@ class FontFile(object): + if xsize == 0 and ysize == 0: + return "" + ++ Image._decompression_bomb_check((xsize, ysize)) ++ + self.ysize = h + + # paste glyphs into bitmap +diff --git a/src/PIL/PcfFontFile.py b/src/PIL/PcfFontFile.py +index eba85fe..3fdb505 100644 +--- a/src/PIL/PcfFontFile.py ++++ b/src/PIL/PcfFontFile.py +@@ -213,6 +213,7 @@ class PcfFontFile(FontFile.FontFile): + + for i in range(nbitmaps): + x, y, l, r, w, a, d, f = metrics[i] ++ Image._decompression_bomb_check((x, y)) + b, e = offsets[i], offsets[i+1] + bitmaps.append( + Image.frombytes("1", (x, y), data[b:e], "raw", mode, pad(x)) +-- +2.54.0 + diff --git a/CVE-2026-55380.patch b/CVE-2026-55380.patch new file mode 100644 index 0000000..67a79b6 --- /dev/null +++ b/CVE-2026-55380.patch @@ -0,0 +1,36 @@ +From 5b9cc2556f54493f15420ecc842c54b81845930d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lum=C3=ADr=20Balhar?= +Date: Wed, 8 Jul 2026 13:03:39 +0000 +Subject: [PATCH 2/2] Add decompression bomb check to GdImageFile + +Fixes CVE-2026-55380 +Backport of upstream commit f39b0ae6624eb2d7c5c5d651d9bb5fdbd96a8675 +--- + src/PIL/GdImageFile.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/PIL/GdImageFile.py b/src/PIL/GdImageFile.py +index 09ab5ec..f3c0e1d 100644 +--- a/src/PIL/GdImageFile.py ++++ b/src/PIL/GdImageFile.py +@@ -23,7 +23,7 @@ + # purposes only. + + +-from . import ImageFile, ImagePalette ++from . import Image, ImageFile, ImagePalette + from ._binary import i16be as i16 + from ._util import isPath + +@@ -55,6 +55,8 @@ class GdImageFile(ImageFile.ImageFile): + self.mode = "L" # FIXME: "P" + self.size = i16(s[0:2]), i16(s[2:4]) + ++ Image._decompression_bomb_check(self.size) ++ + # transparency index + tindex = i16(s[5:7]) + if tindex < 256: +-- +2.54.0 + diff --git a/python-pillow.spec b/python-pillow.spec index 036f81b..335a1a2 100644 --- a/python-pillow.spec +++ b/python-pillow.spec @@ -8,7 +8,7 @@ Name: python-%{srcname} Version: 5.1.1 -Release: 21%{?dist} +Release: 22%{?dist} Summary: Python image processing library # License: see http://www.pythonware.com/products/pil/license.htm @@ -125,6 +125,14 @@ Patch22: CVE-2023-50447.patch # Upstream fix: https://github.com/python-pillow/Pillow/pull/7928 # Patch rebased. The test requires a binary file and therefore isn't backported. Patch23: CVE-2024-28219.patch +# CVE-2026-54059 python-pillow: uncontrolled memory allocation in PcfFontFile._load_bitmaps() +# CVE-2026-54060 python-pillow: uncontrolled memory allocation in FontFile.compile() +# CVE-2026-55379 python-pillow: uncontrolled memory allocation in BdfFontFile bdf_char() +# Upstream fix: https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d +Patch24: CVE-2026-54059_54060_55379.patch +# CVE-2026-55380 python-pillow: uncontrolled memory allocation in GdImageFile +# Upstream fix: https://github.com/python-pillow/Pillow/commit/f39b0ae6624eb2d7c5c5d651d9bb5fdbd96a8675 +Patch25: CVE-2026-55380.patch BuildRequires: freetype-devel BuildRequires: gcc @@ -269,6 +277,10 @@ popd %changelog +* Wed Jul 08 2026 Lumír Balhar - 5.1.1-22 +- Security fix for CVE-2026-54059, CVE-2026-54060, CVE-2026-55379, CVE-2026-55380 +Resolves: RHEL-192830, RHEL-192770, RHEL-192684, RHEL-192731 + * Thu Apr 04 2024 Lumír Balhar - 5.1.1-21 - Security fix for CVE-2024-28219 Resolves: RHEL-31071