rpms
/
python-pillow
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import python-pillow-5.1.1-13.el8

This commit is contained in:
CentOS Sources 2021-03-16 02:38:41 +00:00 committed by Andrew Lukoshko
parent 8863b0f70c
commit 8b04dc6441
4 changed files with 255 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
SOURCES/CVE-2020-11538.patch Normal file
View File

@ -0,0 +1,56 @@
From f91c78960495efa04c7f12eeb916158d4bfbabc4 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Mon, 13 Jul 2020 15:40:11 +0200
Subject: [PATCH] CVE-2020-11538
---
src/libImaging/SgiRleDecode.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index 6367ae7..eb8fc84 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)
static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
{
UINT8 pixel, count;
+ int x = 0;
for (;n > 0; n--)
{
@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
count = pixel & RLE_MAX_RUN;
if (!count)
return count;
- if (count > xsize) {
+ if (x + count > xsize) {
return -1;
}
+ x += count;
if (pixel & RLE_COPY_FLAG) {
while(count--) {
*dest = *src++;
@@ -63,6 +65,7 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
{
UINT8 pixel, count;
+ int x = 0;
for (;n > 0; n--)
{
@@ -73,9 +76,10 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
count = pixel & RLE_MAX_RUN;
if (!count)
return count;
- if (count > xsize) {
+ if (x + count > xsize) {
return -1;
}
+ x += count;
if (pixel & RLE_COPY_FLAG) {
while(count--) {
*dest = *src++;
--
2.26.2

41
SOURCES/CVE-2020-35653.patch Normal file
View File

@ -0,0 +1,41 @@
From 7a0aea5806d57e0e7c5187fbc9c2937a16e0bca1 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Thu, 17 Dec 2020 00:17:53 +0100
Subject: [PATCH] Fix for CVE CVE-2020-35655 - Read Overflow in PCX Decoding.
* Don't trust the image to specify a buffer size
---
src/PIL/PcxImagePlugin.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/PIL/PcxImagePlugin.py b/src/PIL/PcxImagePlugin.py
index 564713a..17bbd18 100644
--- a/src/PIL/PcxImagePlugin.py
+++ b/src/PIL/PcxImagePlugin.py
@@ -63,9 +63,9 @@ class PcxImageFile(ImageFile.ImageFile):
version = i8(s[1])
bits = i8(s[3])
planes = i8(s[65])
- stride = i16(s, 66)
+ ignored_stride = i16(s, 66)
logger.debug("PCX version %s, bits %s, planes %s, stride %s",
- version, bits, planes, stride)
+ version, bits, planes, ignored_stride)
self.info["dpi"] = i16(s, 12), i16(s, 14)
@@ -102,6 +102,11 @@ class PcxImageFile(ImageFile.ImageFile):
self.mode = mode
self.size = bbox[2]-bbox[0], bbox[3]-bbox[1]
+ # don't trust the passed in stride. Calculate for ourselves.
+ # CVE-2020-35653
+ stride = (self.size[0] * bits + 7) // 8
+ stride += stride % 2
+
bbox = (0, 0) + self.size
logger.debug("size: %sx%s", *self.size)
--
2.29.2

136
SOURCES/CVE-2020-35655.patch Normal file
View File

@ -0,0 +1,136 @@
From f276de1139ec16395dc8b382860fb58e331fbd53 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Thu, 29 Oct 2020 23:07:15 +0000
Subject: [PATCH 1/2] Fix for SGI Decode buffer overrun CVE-2020-35655
* Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz.
---
src/libImaging/SgiRleDecode.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index eb8fc84..c256169 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -107,11 +107,27 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
int err = 0;
int status;
+ /* size check */
+ if (im->xsize > INT_MAX / im->bands ||
+ im->ysize > INT_MAX / im->bands) {
+ return IMAGING_CODEC_MEMORY;
+ }
+
/* Get all data from File descriptor */
c = (SGISTATE*)state->context;
_imaging_seek_pyFd(state->fd, 0L, SEEK_END);
c->bufsize = _imaging_tell_pyFd(state->fd);
c->bufsize -= SGI_HEADER_SIZE;
+
+ c->tablen = im->bands * im->ysize;
+ /* below, we populate the starttab and lentab into the bufsize,
+ each with 4 bytes per element of tablen
+ Check here before we allocate any memory
+ */
+ if (c->bufsize < 8*c->tablen) {
+ return IMAGING_CODEC_MEMORY;
+ }
+
ptr = malloc(sizeof(UINT8) * c->bufsize);
if (!ptr) {
return IMAGING_CODEC_MEMORY;
@@ -129,18 +145,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
state->ystep = 1;
}
- if (im->xsize > INT_MAX / im->bands ||
- im->ysize > INT_MAX / im->bands) {
- err = IMAGING_CODEC_MEMORY;
- goto sgi_finish_decode;
- }
-
/* Allocate memory for RLE tables and rows */
free(state->buffer);
state->buffer = NULL;
/* malloc overflow check above */
state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
- c->tablen = im->bands * im->ysize;
c->starttab = calloc(c->tablen, sizeof(UINT32));
c->lengthtab = calloc(c->tablen, sizeof(UINT32));
if (!state->buffer ||
--
2.29.2
From 18aa14484fa63dabcafea63cf0b7bfb4066e979c Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Fri, 30 Oct 2020 09:57:23 +0000
Subject: [PATCH 2/2] Make the SGI code return -1 as an error flag, error in
state
---
src/libImaging/SgiRleDecode.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index c256169..2259159 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -110,7 +110,8 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
/* size check */
if (im->xsize > INT_MAX / im->bands ||
im->ysize > INT_MAX / im->bands) {
- return IMAGING_CODEC_MEMORY;
+ state->errcode = IMAGING_CODEC_MEMORY;
+ return -1;
}
/* Get all data from File descriptor */
@@ -125,12 +126,14 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
Check here before we allocate any memory
*/
if (c->bufsize < 8*c->tablen) {
- return IMAGING_CODEC_MEMORY;
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
}
ptr = malloc(sizeof(UINT8) * c->bufsize);
if (!ptr) {
- return IMAGING_CODEC_MEMORY;
+ state->errcode = IMAGING_CODEC_MEMORY;
+ return -1;
}
_imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
_imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
@@ -178,7 +181,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
if (c->rleoffset + c->rlelength > c->bufsize) {
state->errcode = IMAGING_CODEC_OVERRUN;
- return -1;
+ goto sgi_finish_decode;
}
/* row decompression */
@@ -190,7 +193,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
}
if (status == -1) {
state->errcode = IMAGING_CODEC_OVERRUN;
- return -1;
+ goto sgi_finish_decode;
} else if (status == 1) {
goto sgi_finish_decode;
}
@@ -211,7 +214,8 @@ sgi_finish_decode: ;
free(c->lengthtab);
free(ptr);
if (err != 0){
- return err;
+ state->errcode=err;
+ return -1;
}
return state->count - c->bufsize;
}
--
2.29.2

23
SPECS/python-pillow.spec
View File

@ -8,7 +8,7 @@
Name: python-%{srcname}
Version: 5.1.1
Release: 11%{?dist}
Release: 13%{?dist}
Summary: Python image processing library
# License: see http://www.pythonware.com/products/pil/license.htm
@ -36,6 +36,19 @@ Patch4: CVE-2020-5311.patch
# Upstream fix: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b?patch
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1789532
Patch5: CVE-2020-5313.patch
# CVE-2020-11538 out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
# Upstream fix: https://github.com/python-pillow/Pillow/pull/4504/
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1852814
Patch6: CVE-2020-11538.patch
# CVE-2020-35653 decoding a crafted PCX file could result in buffer over-read
# Note that there is a wrong CVE number in the commit msg
# Upstream fix: https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1915432
Patch7: CVE-2020-35653.patch
# CVE-2020-35655 decoding crafted SGI RLE image files could result in buffer over-read
# Upstream fix: https://github.com/python-pillow/Pillow/commit/120eea2e4547a7d1826afdf01563035844f0b7d5
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-35653
Patch8: CVE-2020-35655.patch
BuildRequires: freetype-devel
BuildRequires: gcc
@ -180,6 +193,14 @@ popd
%changelog
* Thu Feb 18 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-13
- Fixes for CVE-2020-35653 and CVE-2020-35655
Resolves: rhbz#1915420 rhbz#1915432
* Mon Jul 13 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-12
- Fix for CVE-2020-11538
Resolves: rhbz#1852814
* Wed Mar 04 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-11
- Fix for CVE-2020-5313
Resolves: rhbz#1789532