import python-pillow-5.1.1-13.el8
parent
8863b0f70c
commit
8b04dc6441
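--- a/SOURCES/CVE-2020-11538.patch
+++ b/SOURCES/CVE-2020-11538.patch
@@ -0,0 +1,56 @@
+From f91c78960495efa04c7f12eeb916158d4bfbabc4 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Mon, 13 Jul 2020 15:40:11 +0200
+Subject: [PATCH] CVE-2020-11538
+
+---
+src/libImaging/SgiRleDecode.c | 8 ++++++--
+1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index 6367ae7..eb8fc84 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)
+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+{
+UINT8 pixel, count;
++ int x = 0;
+
+for (;n > 0; n--)
+{
+@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+count = pixel & RLE_MAX_RUN;
+if (!count)
+return count;
+- if (count > xsize) {
++ if (x + count > xsize) {
+return -1;
+}
++ x += count;
+if (pixel & RLE_COPY_FLAG) {
+while(count--) {
+*dest = *src++;
+@@ -63,6 +65,7 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
+{
+UINT8 pixel, count;
+
++ int x = 0;
+
+for (;n > 0; n--)
+{
+@@ -73,9 +76,10 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
+count = pixel & RLE_MAX_RUN;
+if (!count)
+return count;
+- if (count > xsize) {
++ if (x + count > xsize) {
+return -1;
+}
++ x += count;
+if (pixel & RLE_COPY_FLAG) {
+while(count--) {
+*dest = *src++;
+--
+2.26.2
+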
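Review bot: The new `x + count > xsize` test in expandrow and expandrow2 bounds only the writes to dest; in the RLE_COPY_FLAG branch `*dest = *src++` still consumes count input units, and nothing visible in these hunks ties that to the remaining input length n, which the `for (;n > 0; n--)` loop decrements once per run rather than once per unit read. For malformed input the read side can therefore still run past the end of src even when the output stays within xsize. I would add a source-side guard ahead of the copy loop, or at minimum record the limit next to the check: `/* x + count bounds dest only; src reads in the copy run are not checked against the input length */`. Both function bodies continue outside the hunks, so a guard may exist further down that this view does not show.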
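--- a/SOURCES/CVE-2020-35653.patch
+++ b/SOURCES/CVE-2020-35653.patch
@@ -0,0 +1,41 @@
+From 7a0aea5806d57e0e7c5187fbc9c2937a16e0bca1 Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Thu, 17 Dec 2020 00:17:53 +0100
+Subject: [PATCH] Fix for CVE CVE-2020-35655 - Read Overflow in PCX Decoding.
+
+* Don't trust the image to specify a buffer size
+---
+src/PIL/PcxImagePlugin.py | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/PIL/PcxImagePlugin.py b/src/PIL/PcxImagePlugin.py
+index 564713a..17bbd18 100644
+--- a/src/PIL/PcxImagePlugin.py
++++ b/src/PIL/PcxImagePlugin.py
+@@ -63,9 +63,9 @@ class PcxImageFile(ImageFile.ImageFile):
+version = i8(s[1])
+bits = i8(s[3])
+planes = i8(s[65])
+- stride = i16(s, 66)
++ ignored_stride = i16(s, 66)
+logger.debug("PCX version %s, bits %s, planes %s, stride %s",
+- version, bits, planes, stride)
++ version, bits, planes, ignored_stride)
+
+self.info["dpi"] = i16(s, 12), i16(s, 14)
+
+@@ -102,6 +102,11 @@ class PcxImageFile(ImageFile.ImageFile):
+self.mode = mode
+self.size = bbox[2]-bbox[0], bbox[3]-bbox[1]
+
++ # don't trust the passed in stride. Calculate for ourselves.
++ # CVE-2020-35653
++ stride = (self.size[0] * bits + 7) // 8
++ stride += stride % 2
++
+bbox = (0, 0) + self.size
+logger.debug("size: %sx%s", *self.size)
+
+--
+2.29.2
+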
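Review bot: After this change the header stride at offset 66 is read into `ignored_stride` and only reaches the first debug line, so a file whose declared stride disagrees with the value computed from `self.size[0]` and `bits` is decoded without leaving any trace of the disagreement. That mismatch is a cheap indicator of a malformed or crafted PCX, so I would log it right after `stride += stride % 2`: `if ignored_stride != stride:` followed by `logger.debug("PCX stride mismatch: header %s, computed %s", ignored_stride, stride)`. The computation also relies on `self.size[0]` being positive; a bbox sanity check is not visible in these hunks, and the method continues outside them.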
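--- a/SOURCES/CVE-2020-35655.patch
+++ b/SOURCES/CVE-2020-35655.patch
@@ -0,0 +1,136 @@
+From f276de1139ec16395dc8b382860fb58e331fbd53 Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Thu, 29 Oct 2020 23:07:15 +0000
+Subject: [PATCH 1/2] Fix for SGI Decode buffer overrun CVE-2020-35655
+
+* Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz.
+---
+src/libImaging/SgiRleDecode.c | 23 ++++++++++++++++-------
+1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index eb8fc84..c256169 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -107,11 +107,27 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+int err = 0;
+int status;
+
++ /* size check */
++ if (im->xsize > INT_MAX / im->bands ||
++ im->ysize > INT_MAX / im->bands) {
++ return IMAGING_CODEC_MEMORY;
++ }
++
+/* Get all data from File descriptor */
+c = (SGISTATE*)state->context;
+_imaging_seek_pyFd(state->fd, 0L, SEEK_END);
+c->bufsize = _imaging_tell_pyFd(state->fd);
+c->bufsize -= SGI_HEADER_SIZE;
++
++ c->tablen = im->bands * im->ysize;
++ /* below, we populate the starttab and lentab into the bufsize,
++ each with 4 bytes per element of tablen
++ Check here before we allocate any memory
++ */
++ if (c->bufsize < 8*c->tablen) {
++ return IMAGING_CODEC_MEMORY;
++ }
++
+ptr = malloc(sizeof(UINT8) * c->bufsize);
+if (!ptr) {
+return IMAGING_CODEC_MEMORY;
+@@ -129,18 +145,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+state->ystep = 1;
+}
+
+- if (im->xsize > INT_MAX / im->bands ||
+- im->ysize > INT_MAX / im->bands) {
+- err = IMAGING_CODEC_MEMORY;
+- goto sgi_finish_decode;
+- }
+-
+/* Allocate memory for RLE tables and rows */
+free(state->buffer);
+state->buffer = NULL;
+/* malloc overflow check above */
+state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
+- c->tablen = im->bands * im->ysize;
+c->starttab = calloc(c->tablen, sizeof(UINT32));
+c->lengthtab = calloc(c->tablen, sizeof(UINT32));
+if (!state->buffer ||
+--
+2.29.2
+
+From 18aa14484fa63dabcafea63cf0b7bfb4066e979c Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Fri, 30 Oct 2020 09:57:23 +0000
+Subject: [PATCH 2/2] Make the SGI code return -1 as an error flag, error in
+state
+
+---
+src/libImaging/SgiRleDecode.c | 16 ++++++++++------
+1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index c256169..2259159 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -110,7 +110,8 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+/* size check */
+if (im->xsize > INT_MAX / im->bands ||
+im->ysize > INT_MAX / im->bands) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
+}
+
+/* Get all data from File descriptor */
+@@ -125,12 +126,14 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+Check here before we allocate any memory
+*/
+if (c->bufsize < 8*c->tablen) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_OVERRUN;
++ return -1;
+}
+
+ptr = malloc(sizeof(UINT8) * c->bufsize);
+if (!ptr) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
+}
+_imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
+_imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
+@@ -178,7 +181,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+
+if (c->rleoffset + c->rlelength > c->bufsize) {
+state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+}
+
+/* row decompression */
+@@ -190,7 +193,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+}
+if (status == -1) {
+state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+} else if (status == 1) {
+goto sgi_finish_decode;
+}
+@@ -211,7 +214,8 @@ sgi_finish_decode: ;
+free(c->lengthtab);
+free(ptr);
+if (err != 0){
+- return err;
++ state->errcode=err;
++ return -1;
+}
+return state->count - c->bufsize;
+}
+--
+2.29.2
+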
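Review bot: The table check added in patch 1/2, `if (c->bufsize < 8*c->tablen)`, can itself overflow: the size check above it only guarantees that `im->bands * im->ysize` fits in INT_MAX, so multiplying that product by 8 can wrap if tablen is an int (its declaration is not on this page), and signed overflow is undefined behaviour. `c->bufsize` is also the file length minus SGI_HEADER_SIZE with no visible check that the file is at least that long. Comparing by division avoids both problems, `if (c->bufsize < 0 || c->bufsize / 8 < c->tablen) {`, assuming bufsize is a signed type. ImagingSgiRleDecode starts and ends outside the hunks.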
@ -8,7 +8,7 @@
|
||||
|
||||
Name: python-%{srcname}
|
||||
Version: 5.1.1
|
||||
Release: 11%{?dist}
|
||||
Release: 13%{?dist}
|
||||
Summary: Python image processing library
|
||||
|
||||
# License: see http://www.pythonware.com/products/pil/license.htm
|
||||
@ -36,6 +36,19 @@ Patch4: CVE-2020-5311.patch
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b?patch
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1789532
|
||||
Patch5: CVE-2020-5313.patch
|
||||
# CVE-2020-11538 out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/pull/4504/
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1852814
|
||||
Patch6: CVE-2020-11538.patch
|
||||
# CVE-2020-35653 decoding a crafted PCX file could result in buffer over-read
|
||||
# Note that there is a wrong CVE number in the commit msg
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1915432
|
||||
Patch7: CVE-2020-35653.patch
|
||||
# CVE-2020-35655 decoding crafted SGI RLE image files could result in buffer over-read
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/120eea2e4547a7d1826afdf01563035844f0b7d5
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-35653
|
||||
Patch8: CVE-2020-35655.patch
|
||||
|
||||
BuildRequires: freetype-devel
|
||||
BuildRequires: gcc
|
||||
@ -180,6 +193,14 @@ popd
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Feb 18 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-13
|
||||
- Fixes for CVE-2020-35653 and CVE-2020-35655
|
||||
Resolves: rhbz#1915420 rhbz#1915432
|
||||
|
||||
* Mon Jul 13 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-12
|
||||
- Fix for CVE-2020-11538
|
||||
Resolves: rhbz#1852814
|
||||
|
||||
* Wed Mar 04 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-11
|
||||
- Fix for CVE-2020-5313
|
||||
Resolves: rhbz#1789532
|
||||
|
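Review bot: The tracking-bug comment added above `Patch8: CVE-2020-35655.patch` points at `show_bug.cgi?id=CVE-2020-35653`, which is the alias of the PCX issue that Patch7 already covers, so the SGI RLE fix has no link to its own bug. It should presumably read `# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-35655`; the changelog entry lists rhbz#1915420 next to rhbz#1915432, which may be the numeric id intended here. A wrong reference in the spec makes it harder to audit later which CVE each patch closes.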