From 83527c74aeb5080006a577e7ede3ae90c9473125 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Thu, 4 Apr 2024 12:58:43 +0200
Subject: [PATCH] Security fix for CVE-2024-28219

Resolves: RHEL-31071
---
 CVE-2024-28219.patch | 38 ++++++++++++++++++++++++++++++++++++++
 python-pillow.spec   | 10 +++++++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-28219.patch

diff --git a/CVE-2024-28219.patch b/CVE-2024-28219.patch
new file mode 100644
index 0000000..fe80949
--- /dev/null
+++ b/CVE-2024-28219.patch
@@ -0,0 +1,38 @@
+From 2d30e67ec0b77993de62f975aae29266d8d1f784 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 4 Apr 2024 13:01:56 +0200
+Subject: [PATCH] CVE-2024-28219
+
+---
+ src/_imagingcms.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/_imagingcms.c b/src/_imagingcms.c
+index 5e4196c..4169e28 100644
+--- a/src/_imagingcms.c
++++ b/src/_imagingcms.c
+@@ -212,8 +212,8 @@ cms_transform_new(cmsHTRANSFORM transform, char* mode_in, char* mode_out)
+ 
+     self->transform = transform;
+ 
+-    strcpy(self->mode_in, mode_in);
+-    strcpy(self->mode_out, mode_out);
++    strncpy(self->mode_in, mode_in, 8);
++    strncpy(self->mode_out, mode_out, 8);
+ 
+     return (PyObject*) self;
+ }
+@@ -286,8 +286,8 @@ findLCMStype(char* PILmode)
+     }
+ 
+     else {
+-        /* take a wild guess... but you probably should fail instead. */
+-        return TYPE_GRAY_8; /* so there's no buffer overrun... */
++        /* take a wild guess... */
++        return TYPE_GRAY_8;
+     }
+ }
+ 
+-- 
+2.44.0
+
diff --git a/python-pillow.spec b/python-pillow.spec
index d9e5c21..036f81b 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -8,7 +8,7 @@
 
 Name:           python-%{srcname}
 Version:        5.1.1
-Release:        20%{?dist}
+Release:        21%{?dist}
 Summary:        Python image processing library
 
 # License: see http://www.pythonware.com/products/pil/license.htm
@@ -121,6 +121,10 @@ Patch21:        CVE-2023-44271.patch
 # Upstream fix: https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d
 # Patch rebased and tests converted from pytest to unittests.
 Patch22:        CVE-2023-50447.patch
+# CVE-2024-28219 python-pillow: buffer overflow in _imagingcms.c
+# Upstream fix: https://github.com/python-pillow/Pillow/pull/7928
+# Patch rebased. The test requires a binary file and therefore isn't backported.
+Patch23:        CVE-2024-28219.patch
 
 BuildRequires:  freetype-devel
 BuildRequires:  gcc
@@ -265,6 +269,10 @@ popd
 
 
 %changelog
+* Thu Apr 04 2024 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-21
+- Security fix for CVE-2024-28219
+Resolves: RHEL-31071
+
 * Thu Jan 25 2024 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-20
 - Security fix for CVE-2023-50447
 Resolves: RHEL-22240