import python-pillow-5.1.1-11.el8
This commit is contained in:
parent
617c8caf0f
commit
da935849a8
83
SOURCES/CVE-2020-5311.patch
Normal file
83
SOURCES/CVE-2020-5311.patch
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
From 1dd0fb64bd3cc221b5877ece4ce2f300245b638f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lumir Balhar <lbalhar@redhat.com>
|
||||||
|
Date: Mon, 17 Feb 2020 14:19:32 +0100
|
||||||
|
Subject: [PATCH] CVE-2020-5311
|
||||||
|
|
||||||
|
---
|
||||||
|
src/libImaging/SgiRleDecode.c | 23 +++++++++++++++++------
|
||||||
|
1 file changed, 17 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
||||||
|
index 39e7b3a..6367ae7 100644
|
||||||
|
--- a/src/libImaging/SgiRleDecode.c
|
||||||
|
+++ b/src/libImaging/SgiRleDecode.c
|
||||||
|
@@ -25,7 +25,7 @@ static void read4B(UINT32* dest, UINT8* buf)
|
||||||
|
*dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int expandrow(UINT8* dest, UINT8* src, int n, int z)
|
||||||
|
+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
||||||
|
{
|
||||||
|
UINT8 pixel, count;
|
||||||
|
|
||||||
|
@@ -37,6 +37,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
|
||||||
|
count = pixel & RLE_MAX_RUN;
|
||||||
|
if (!count)
|
||||||
|
return count;
|
||||||
|
+ if (count > xsize) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
if (pixel & RLE_COPY_FLAG) {
|
||||||
|
while(count--) {
|
||||||
|
*dest = *src++;
|
||||||
|
@@ -56,7 +59,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int expandrow2(UINT16* dest, UINT16* src, int n, int z)
|
||||||
|
+static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
||||||
|
{
|
||||||
|
UINT8 pixel, count;
|
||||||
|
|
||||||
|
@@ -70,6 +73,9 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z)
|
||||||
|
count = pixel & RLE_MAX_RUN;
|
||||||
|
if (!count)
|
||||||
|
return count;
|
||||||
|
+ if (count > xsize) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
if (pixel & RLE_COPY_FLAG) {
|
||||||
|
while(count--) {
|
||||||
|
*dest = *src++;
|
||||||
|
@@ -95,6 +101,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||||
|
UINT8 *ptr;
|
||||||
|
SGISTATE *c;
|
||||||
|
int err = 0;
|
||||||
|
+ int status;
|
||||||
|
|
||||||
|
/* Get all data from File descriptor */
|
||||||
|
c = (SGISTATE*)state->context;
|
||||||
|
@@ -163,12 +170,16 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||||
|
|
||||||
|
/* row decompression */
|
||||||
|
if (c->bpc ==1) {
|
||||||
|
- if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
|
||||||
|
- goto sgi_finish_decode;
|
||||||
|
+ status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
- if(expandrow2((UINT16*)&state->buffer[c->channo * 2], (UINT16*)&ptr[c->rleoffset], c->rlelength, im->bands))
|
||||||
|
- goto sgi_finish_decode;
|
||||||
|
+ status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
|
||||||
|
+ }
|
||||||
|
+ if (status == -1) {
|
||||||
|
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||||
|
+ return -1;
|
||||||
|
+ } else if (status == 1) {
|
||||||
|
+ goto sgi_finish_decode;
|
||||||
|
}
|
||||||
|
|
||||||
|
state->count += c->rlelength;
|
||||||
|
--
|
||||||
|
2.24.1
|
||||||
|
|
183
SOURCES/CVE-2020-5312_CVE-2019-16865.patch
Normal file
183
SOURCES/CVE-2020-5312_CVE-2019-16865.patch
Normal file
@ -0,0 +1,183 @@
|
|||||||
|
From cc9658731ba1ea291f83ea959acc27ac28384a2c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lumir Balhar <lbalhar@redhat.com>
|
||||||
|
Date: Fri, 14 Feb 2020 11:14:53 +0100
|
||||||
|
Subject: [PATCH] Combined fix for CVE-2020-5312 and CVE-2019-16865
|
||||||
|
|
||||||
|
---
|
||||||
|
src/PIL/GifImagePlugin.py | 1 +
|
||||||
|
src/PIL/IcoImagePlugin.py | 1 +
|
||||||
|
src/PIL/PsdImagePlugin.py | 6 ++++--
|
||||||
|
src/PIL/TiffImagePlugin.py | 4 ++--
|
||||||
|
src/libImaging/FliDecode.c | 14 +++++++++++---
|
||||||
|
src/libImaging/PcxDecode.c | 8 ++++++++
|
||||||
|
src/libImaging/RawDecode.c | 11 +++++++++--
|
||||||
|
src/libImaging/SgiRleDecode.c | 5 +++++
|
||||||
|
8 files changed, 41 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py
|
||||||
|
index c01adff..99af4a5 100644
|
||||||
|
--- a/src/PIL/GifImagePlugin.py
|
||||||
|
+++ b/src/PIL/GifImagePlugin.py
|
||||||
|
@@ -251,6 +251,7 @@ class GifImageFile(ImageFile.ImageFile):
|
||||||
|
self.dispose = None
|
||||||
|
elif self.disposal_method == 2:
|
||||||
|
# replace with background colour
|
||||||
|
+ Image._decompression_bomb_check(self.size)
|
||||||
|
self.dispose = Image.core.fill("P", self.size,
|
||||||
|
self.info["background"])
|
||||||
|
else:
|
||||||
|
diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
|
||||||
|
index 428fdd4..2b6d1e0 100644
|
||||||
|
--- a/src/PIL/IcoImagePlugin.py
|
||||||
|
+++ b/src/PIL/IcoImagePlugin.py
|
||||||
|
@@ -167,6 +167,7 @@ class IcoFile(object):
|
||||||
|
else:
|
||||||
|
# XOR + AND mask bmp frame
|
||||||
|
im = BmpImagePlugin.DibImageFile(self.buf)
|
||||||
|
+ Image._decompression_bomb_check(im.size)
|
||||||
|
|
||||||
|
# change tile dimension to only encompass XOR image
|
||||||
|
im.size = (im.size[0], int(im.size[1] / 2))
|
||||||
|
diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py
|
||||||
|
index f6e04f7..fe2a2ff 100644
|
||||||
|
--- a/src/PIL/PsdImagePlugin.py
|
||||||
|
+++ b/src/PIL/PsdImagePlugin.py
|
||||||
|
@@ -209,9 +209,11 @@ def _layerinfo(file):
|
||||||
|
# skip over blend flags and extra information
|
||||||
|
filler = read(12)
|
||||||
|
name = ""
|
||||||
|
- size = i32(read(4))
|
||||||
|
+ size = i32(read(4)) # length of the extra data field
|
||||||
|
combined = 0
|
||||||
|
if size:
|
||||||
|
+ data_end = file.tell() + size
|
||||||
|
+
|
||||||
|
length = i32(read(4))
|
||||||
|
if length:
|
||||||
|
mask_y = i32(read(4))
|
||||||
|
@@ -233,7 +235,7 @@ def _layerinfo(file):
|
||||||
|
name = read(length).decode('latin-1', 'replace')
|
||||||
|
combined += length + 1
|
||||||
|
|
||||||
|
- file.seek(size - combined, 1)
|
||||||
|
+ file.seek(data_end)
|
||||||
|
layers.append((name, mode, (x0, y0, x1, y1)))
|
||||||
|
|
||||||
|
# get tiles
|
||||||
|
diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
|
||||||
|
index f903918..b9a1ef7 100644
|
||||||
|
--- a/src/PIL/TiffImagePlugin.py
|
||||||
|
+++ b/src/PIL/TiffImagePlugin.py
|
||||||
|
@@ -1170,8 +1170,8 @@ class TiffImageFile(ImageFile.ImageFile):
|
||||||
|
print("- fill_order:", fillorder)
|
||||||
|
|
||||||
|
# size
|
||||||
|
- xsize = self.tag_v2.get(IMAGEWIDTH)
|
||||||
|
- ysize = self.tag_v2.get(IMAGELENGTH)
|
||||||
|
+ xsize = int(self.tag_v2.get(IMAGEWIDTH))
|
||||||
|
+ ysize = int(self.tag_v2.get(IMAGELENGTH))
|
||||||
|
self.size = xsize, ysize
|
||||||
|
|
||||||
|
if DEBUG:
|
||||||
|
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
|
||||||
|
index 6d22c6c..a99aca8 100644
|
||||||
|
--- a/src/libImaging/FliDecode.c
|
||||||
|
+++ b/src/libImaging/FliDecode.c
|
||||||
|
@@ -30,7 +30,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||||
|
{
|
||||||
|
UINT8* ptr;
|
||||||
|
int framesize;
|
||||||
|
- int c, chunks;
|
||||||
|
+ int c, chunks, advance;
|
||||||
|
int l, lines;
|
||||||
|
int i, j, x = 0, y, ymax;
|
||||||
|
|
||||||
|
@@ -59,10 +59,16 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||||
|
|
||||||
|
chunks = I16(ptr+6);
|
||||||
|
ptr += 16;
|
||||||
|
+ bytes -= 16;
|
||||||
|
|
||||||
|
/* Process subchunks */
|
||||||
|
for (c = 0; c < chunks; c++) {
|
||||||
|
- UINT8 *data = ptr + 6;
|
||||||
|
+ UINT8* data;
|
||||||
|
+ if (bytes < 10) {
|
||||||
|
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ data = ptr + 6;
|
||||||
|
switch (I16(ptr+4)) {
|
||||||
|
case 4: case 11:
|
||||||
|
/* FLI COLOR chunk */
|
||||||
|
@@ -198,7 +204,9 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||||
|
state->errcode = IMAGING_CODEC_UNKNOWN;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
- ptr += I32(ptr);
|
||||||
|
+ advance = I32(ptr);
|
||||||
|
+ ptr += advance;
|
||||||
|
+ bytes -= advance;
|
||||||
|
}
|
||||||
|
|
||||||
|
return -1; /* end of frame */
|
||||||
|
diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
|
||||||
|
index e5417f1..aaf5867 100644
|
||||||
|
--- a/src/libImaging/PcxDecode.c
|
||||||
|
+++ b/src/libImaging/PcxDecode.c
|
||||||
|
@@ -22,6 +22,14 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||||
|
UINT8 n;
|
||||||
|
UINT8* ptr;
|
||||||
|
|
||||||
|
+ if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
|
||||||
|
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||||
|
+ return -1;
|
||||||
|
+ } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
|
||||||
|
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ptr = buf;
|
||||||
|
|
||||||
|
for (;;) {
|
||||||
|
diff --git a/src/libImaging/RawDecode.c b/src/libImaging/RawDecode.c
|
||||||
|
index 40c0cb7..d4b7994 100644
|
||||||
|
--- a/src/libImaging/RawDecode.c
|
||||||
|
+++ b/src/libImaging/RawDecode.c
|
||||||
|
@@ -33,8 +33,15 @@ ImagingRawDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||||
|
|
||||||
|
/* get size of image data and padding */
|
||||||
|
state->bytes = (state->xsize * state->bits + 7) / 8;
|
||||||
|
- rawstate->skip = (rawstate->stride) ?
|
||||||
|
- rawstate->stride - state->bytes : 0;
|
||||||
|
+ if (rawstate->stride) {
|
||||||
|
+ rawstate->skip = rawstate->stride - state->bytes;
|
||||||
|
+ if (rawstate->skip < 0) {
|
||||||
|
+ state->errcode = IMAGING_CODEC_CONFIG;
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ rawstate->skip = 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* check image orientation */
|
||||||
|
if (state->ystep < 0) {
|
||||||
|
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
||||||
|
index 9d8e563..39e7b3a 100644
|
||||||
|
--- a/src/libImaging/SgiRleDecode.c
|
||||||
|
+++ b/src/libImaging/SgiRleDecode.c
|
||||||
|
@@ -156,6 +156,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||||
|
c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize];
|
||||||
|
c->rleoffset -= SGI_HEADER_SIZE;
|
||||||
|
|
||||||
|
+ if (c->rleoffset + c->rlelength > c->bufsize) {
|
||||||
|
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* row decompression */
|
||||||
|
if (c->bpc ==1) {
|
||||||
|
if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
|
||||||
|
--
|
||||||
|
2.24.1
|
||||||
|
|
38
SOURCES/CVE-2020-5313.patch
Normal file
38
SOURCES/CVE-2020-5313.patch
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
From 697957b79a9473f0f643051265885fb048395127 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lumir Balhar <lbalhar@redhat.com>
|
||||||
|
Date: Wed, 4 Mar 2020 10:54:54 +0100
|
||||||
|
Subject: [PATCH] CVE-2020-5313
|
||||||
|
|
||||||
|
---
|
||||||
|
src/libImaging/FliDecode.c | 8 ++++++--
|
||||||
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
|
||||||
|
index a99aca8..72ba138 100644
|
||||||
|
--- a/src/libImaging/FliDecode.c
|
||||||
|
+++ b/src/libImaging/FliDecode.c
|
||||||
|
@@ -40,8 +40,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
/* We don't decode anything unless we have a full chunk in the
|
||||||
|
- input buffer (on the other hand, the Python part of the driver
|
||||||
|
- makes sure this is always the case) */
|
||||||
|
+ input buffer */
|
||||||
|
|
||||||
|
ptr = buf;
|
||||||
|
|
||||||
|
@@ -52,6 +51,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||||
|
/* Make sure this is a frame chunk. The Python driver takes
|
||||||
|
case of other chunk types. */
|
||||||
|
|
||||||
|
+ if (bytes < 8) {
|
||||||
|
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (I16(ptr+4) != 0xF1FA) {
|
||||||
|
state->errcode = IMAGING_CODEC_UNKNOWN;
|
||||||
|
return -1;
|
||||||
|
--
|
||||||
|
2.24.1
|
||||||
|
|
@ -8,7 +8,7 @@
|
|||||||
|
|
||||||
Name: python-%{srcname}
|
Name: python-%{srcname}
|
||||||
Version: 5.1.1
|
Version: 5.1.1
|
||||||
Release: 7%{?dist}
|
Release: 11%{?dist}
|
||||||
Summary: Python image processing library
|
Summary: Python image processing library
|
||||||
|
|
||||||
# License: see http://www.pythonware.com/products/pil/license.htm
|
# License: see http://www.pythonware.com/products/pil/license.htm
|
||||||
@ -18,6 +18,24 @@ Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillo
|
|||||||
Patch0: 0001-Fix-potential-un-terminated-buffer-problem-CWE-120.patch
|
Patch0: 0001-Fix-potential-un-terminated-buffer-problem-CWE-120.patch
|
||||||
Patch1: 0002-Fix-potential-leaked-storage-issues-CWE-772.patch
|
Patch1: 0002-Fix-potential-leaked-storage-issues-CWE-772.patch
|
||||||
Patch2: 0003-Fix-dereferencing-type-punned-pointer.patch
|
Patch2: 0003-Fix-dereferencing-type-punned-pointer.patch
|
||||||
|
# Combined fixes for CVE-2020-5312 improperly restricted operations on memory buffer in libImaging/PcxDecode.c
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1789533
|
||||||
|
# https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd
|
||||||
|
# and for CVE-2019-16865 reading specially crafted image files leads to allocation of large amounts of memory and denial of service
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1774066
|
||||||
|
# https://github.com/python-pillow/Pillow/commit/cc16025e234b7a7a4dd3a86d2fdc0980698db9cc
|
||||||
|
# https://github.com/python-pillow/Pillow/commit/b36c1bc943d554ba223086c7efb502d080f73905
|
||||||
|
# https://github.com/python-pillow/Pillow/commit/f228d0ccbf6bf9392d7fcd51356ef2cfda80c75a
|
||||||
|
# https://github.com/python-pillow/Pillow/commit/b9693a51c99c260bd66d1affeeab4a226cf7e5a5
|
||||||
|
Patch3: CVE-2020-5312_CVE-2019-16865.patch
|
||||||
|
# Fix for CVE-2020-5311 - out-of-bounds write in expandrow in libImaging/SgiRleDecode.c
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1789535
|
||||||
|
# https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3
|
||||||
|
Patch4: CVE-2020-5311.patch
|
||||||
|
# CVE-2020-5313 out-of-bounds read in ImagingFliDecode when loading FLI images
|
||||||
|
# Upstream fix: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b?patch
|
||||||
|
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1789532
|
||||||
|
Patch5: CVE-2020-5313.patch
|
||||||
|
|
||||||
BuildRequires: freetype-devel
|
BuildRequires: freetype-devel
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -162,6 +180,23 @@ popd
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Mar 04 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-11
|
||||||
|
- Fix for CVE-2020-5313
|
||||||
|
Resolves: rhbz#1789532
|
||||||
|
|
||||||
|
* Mon Feb 17 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-10
|
||||||
|
- Bump and rebuild for gating to deliver CVE fixes
|
||||||
|
Resolves: rhbz#1789535
|
||||||
|
|
||||||
|
* Mon Feb 17 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-9
|
||||||
|
- Fix for CVE-2020-5311 - out-of-bounds write in expandrow
|
||||||
|
Resolves: rhbz#1789535
|
||||||
|
|
||||||
|
* Fri Feb 14 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-8
|
||||||
|
- Combined fixes for CVE-2020-5312 and CVE-2019-16865
|
||||||
|
Resolves: rhbz#1789533
|
||||||
|
Resolves: rhbz#1774066
|
||||||
|
|
||||||
* Tue Nov 27 2018 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-7
|
* Tue Nov 27 2018 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-7
|
||||||
- Add upstream patch to solve build-time warning
|
- Add upstream patch to solve build-time warning
|
||||||
- Move patches to dist-git
|
- Move patches to dist-git
|
||||||
|
Loading…
Reference in New Issue
Block a user