import python-pillow-5.1.1-10.el8_1

This commit is contained in:
CentOS Sources 2020-02-24 06:35:32 -05:00 committed by Andrew Lukoshko
parent 4973b9879b
commit d3a4de34af
3 changed files with 294 additions and 1 deletions

View File

@ -0,0 +1,83 @@
From 1dd0fb64bd3cc221b5877ece4ce2f300245b638f Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Mon, 17 Feb 2020 14:19:32 +0100
Subject: [PATCH] CVE-2020-5311
---
src/libImaging/SgiRleDecode.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index 39e7b3a..6367ae7 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -25,7 +25,7 @@ static void read4B(UINT32* dest, UINT8* buf)
*dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
}
-static int expandrow(UINT8* dest, UINT8* src, int n, int z)
+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
{
UINT8 pixel, count;
@@ -37,6 +37,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
count = pixel & RLE_MAX_RUN;
if (!count)
return count;
+ if (count > xsize) {
+ return -1;
+ }
if (pixel & RLE_COPY_FLAG) {
while(count--) {
*dest = *src++;
@@ -56,7 +59,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
return 0;
}
-static int expandrow2(UINT16* dest, UINT16* src, int n, int z)
+static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
{
UINT8 pixel, count;
@@ -70,6 +73,9 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z)
count = pixel & RLE_MAX_RUN;
if (!count)
return count;
+ if (count > xsize) {
+ return -1;
+ }
if (pixel & RLE_COPY_FLAG) {
while(count--) {
*dest = *src++;
@@ -95,6 +101,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
UINT8 *ptr;
SGISTATE *c;
int err = 0;
+ int status;
/* Get all data from File descriptor */
c = (SGISTATE*)state->context;
@@ -163,12 +170,16 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
/* row decompression */
if (c->bpc ==1) {
- if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
- goto sgi_finish_decode;
+ status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
}
else {
- if(expandrow2((UINT16*)&state->buffer[c->channo * 2], (UINT16*)&ptr[c->rleoffset], c->rlelength, im->bands))
- goto sgi_finish_decode;
+ status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
+ }
+ if (status == -1) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ } else if (status == 1) {
+ goto sgi_finish_decode;
}
state->count += c->rlelength;
--
2.24.1

View File

@ -0,0 +1,183 @@
From cc9658731ba1ea291f83ea959acc27ac28384a2c Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Fri, 14 Feb 2020 11:14:53 +0100
Subject: [PATCH] Combined fix for CVE-2020-5312 and CVE-2019-16865
---
src/PIL/GifImagePlugin.py | 1 +
src/PIL/IcoImagePlugin.py | 1 +
src/PIL/PsdImagePlugin.py | 6 ++++--
src/PIL/TiffImagePlugin.py | 4 ++--
src/libImaging/FliDecode.c | 14 +++++++++++---
src/libImaging/PcxDecode.c | 8 ++++++++
src/libImaging/RawDecode.c | 11 +++++++++--
src/libImaging/SgiRleDecode.c | 5 +++++
8 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py
index c01adff..99af4a5 100644
--- a/src/PIL/GifImagePlugin.py
+++ b/src/PIL/GifImagePlugin.py
@@ -251,6 +251,7 @@ class GifImageFile(ImageFile.ImageFile):
self.dispose = None
elif self.disposal_method == 2:
# replace with background colour
+ Image._decompression_bomb_check(self.size)
self.dispose = Image.core.fill("P", self.size,
self.info["background"])
else:
diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
index 428fdd4..2b6d1e0 100644
--- a/src/PIL/IcoImagePlugin.py
+++ b/src/PIL/IcoImagePlugin.py
@@ -167,6 +167,7 @@ class IcoFile(object):
else:
# XOR + AND mask bmp frame
im = BmpImagePlugin.DibImageFile(self.buf)
+ Image._decompression_bomb_check(im.size)
# change tile dimension to only encompass XOR image
im.size = (im.size[0], int(im.size[1] / 2))
diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py
index f6e04f7..fe2a2ff 100644
--- a/src/PIL/PsdImagePlugin.py
+++ b/src/PIL/PsdImagePlugin.py
@@ -209,9 +209,11 @@ def _layerinfo(file):
# skip over blend flags and extra information
filler = read(12)
name = ""
- size = i32(read(4))
+ size = i32(read(4)) # length of the extra data field
combined = 0
if size:
+ data_end = file.tell() + size
+
length = i32(read(4))
if length:
mask_y = i32(read(4))
@@ -233,7 +235,7 @@ def _layerinfo(file):
name = read(length).decode('latin-1', 'replace')
combined += length + 1
- file.seek(size - combined, 1)
+ file.seek(data_end)
layers.append((name, mode, (x0, y0, x1, y1)))
# get tiles
diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
index f903918..b9a1ef7 100644
--- a/src/PIL/TiffImagePlugin.py
+++ b/src/PIL/TiffImagePlugin.py
@@ -1170,8 +1170,8 @@ class TiffImageFile(ImageFile.ImageFile):
print("- fill_order:", fillorder)
# size
- xsize = self.tag_v2.get(IMAGEWIDTH)
- ysize = self.tag_v2.get(IMAGELENGTH)
+ xsize = int(self.tag_v2.get(IMAGEWIDTH))
+ ysize = int(self.tag_v2.get(IMAGELENGTH))
self.size = xsize, ysize
if DEBUG:
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index 6d22c6c..a99aca8 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -30,7 +30,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
{
UINT8* ptr;
int framesize;
- int c, chunks;
+ int c, chunks, advance;
int l, lines;
int i, j, x = 0, y, ymax;
@@ -59,10 +59,16 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
chunks = I16(ptr+6);
ptr += 16;
+ bytes -= 16;
/* Process subchunks */
for (c = 0; c < chunks; c++) {
- UINT8 *data = ptr + 6;
+ UINT8* data;
+ if (bytes < 10) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+ data = ptr + 6;
switch (I16(ptr+4)) {
case 4: case 11:
/* FLI COLOR chunk */
@@ -198,7 +204,9 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
state->errcode = IMAGING_CODEC_UNKNOWN;
return -1;
}
- ptr += I32(ptr);
+ advance = I32(ptr);
+ ptr += advance;
+ bytes -= advance;
}
return -1; /* end of frame */
diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
index e5417f1..aaf5867 100644
--- a/src/libImaging/PcxDecode.c
+++ b/src/libImaging/PcxDecode.c
@@ -22,6 +22,14 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
UINT8 n;
UINT8* ptr;
+ if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+
ptr = buf;
for (;;) {
diff --git a/src/libImaging/RawDecode.c b/src/libImaging/RawDecode.c
index 40c0cb7..d4b7994 100644
--- a/src/libImaging/RawDecode.c
+++ b/src/libImaging/RawDecode.c
@@ -33,8 +33,15 @@ ImagingRawDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
/* get size of image data and padding */
state->bytes = (state->xsize * state->bits + 7) / 8;
- rawstate->skip = (rawstate->stride) ?
- rawstate->stride - state->bytes : 0;
+ if (rawstate->stride) {
+ rawstate->skip = rawstate->stride - state->bytes;
+ if (rawstate->skip < 0) {
+ state->errcode = IMAGING_CODEC_CONFIG;
+ return -1;
+ }
+ } else {
+ rawstate->skip = 0;
+ }
/* check image orientation */
if (state->ystep < 0) {
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index 9d8e563..39e7b3a 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -156,6 +156,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize];
c->rleoffset -= SGI_HEADER_SIZE;
+ if (c->rleoffset + c->rlelength > c->bufsize) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+
/* row decompression */
if (c->bpc ==1) {
if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
--
2.24.1

View File

@ -8,7 +8,7 @@
Name: python-%{srcname} Name: python-%{srcname}
Version: 5.1.1 Version: 5.1.1
Release: 7%{?dist} Release: 10%{?dist}
Summary: Python image processing library Summary: Python image processing library
# License: see http://www.pythonware.com/products/pil/license.htm # License: see http://www.pythonware.com/products/pil/license.htm
@ -18,6 +18,20 @@ Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillo
Patch0: 0001-Fix-potential-un-terminated-buffer-problem-CWE-120.patch Patch0: 0001-Fix-potential-un-terminated-buffer-problem-CWE-120.patch
Patch1: 0002-Fix-potential-leaked-storage-issues-CWE-772.patch Patch1: 0002-Fix-potential-leaked-storage-issues-CWE-772.patch
Patch2: 0003-Fix-dereferencing-type-punned-pointer.patch Patch2: 0003-Fix-dereferencing-type-punned-pointer.patch
# Combined fixes for CVE-2020-5312 improperly restricted operations on memory buffer in libImaging/PcxDecode.c
# https://bugzilla.redhat.com/show_bug.cgi?id=1789533
# https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd
# and for CVE-2019-16865 reading specially crafted image files leads to allocation of large amounts of memory and denial of service
# https://bugzilla.redhat.com/show_bug.cgi?id=1774066
# https://github.com/python-pillow/Pillow/commit/cc16025e234b7a7a4dd3a86d2fdc0980698db9cc
# https://github.com/python-pillow/Pillow/commit/b36c1bc943d554ba223086c7efb502d080f73905
# https://github.com/python-pillow/Pillow/commit/f228d0ccbf6bf9392d7fcd51356ef2cfda80c75a
# https://github.com/python-pillow/Pillow/commit/b9693a51c99c260bd66d1affeeab4a226cf7e5a5
Patch3: CVE-2020-5312_CVE-2019-16865.patch
# Fix for CVE-2020-5311 - out-of-bounds write in expandrow in libImaging/SgiRleDecode.c
# https://bugzilla.redhat.com/show_bug.cgi?id=1789535
# https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3
Patch4: CVE-2020-5311.patch
BuildRequires: freetype-devel BuildRequires: freetype-devel
BuildRequires: gcc BuildRequires: gcc
@ -162,6 +176,19 @@ popd
%changelog %changelog
* Mon Feb 17 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-10
- Bump and rebuild for gating to deliver CVE fixes
Resolves: rhbz#1789535
* Mon Feb 17 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-9
- Fix for CVE-2020-5311 - out-of-bounds write in expandrow
Resolves: rhbz#1789535
* Fri Feb 14 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-8
- Combined fixes for CVE-2020-5312 and CVE-2019-16865
Resolves: rhbz#1789533
Resolves: rhbz#1774066
* Tue Nov 27 2018 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-7 * Tue Nov 27 2018 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-7
- Add upstream patch to solve build-time warning - Add upstream patch to solve build-time warning
- Move patches to dist-git - Move patches to dist-git