From 7f73fb9eab03ff2a23151b390aa2ab90cbaa7567 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 16 2021 02:38:41 +0000
Subject: import python-pillow-5.1.1-13.el8
---
diff --git a/SOURCES/CVE-2020-11538.patch b/SOURCES/CVE-2020-11538.patch
new file mode 100644
index 0000000..e8cc8df
--- /dev/null
+++ b/SOURCES/CVE-2020-11538.patch
@@ -0,0 +1,56 @@
+From f91c78960495efa04c7f12eeb916158d4bfbabc4 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Mon, 13 Jul 2020 15:40:11 +0200
+Subject: [PATCH] CVE-2020-11538
+
+---
+ src/libImaging/SgiRleDecode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index 6367ae7..eb8fc84 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)
+ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+ {
+ UINT8 pixel, count;
++ int x = 0;
+ 
+ for (;n > 0; n--)
+ {
+@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+ count = pixel & RLE_MAX_RUN;
+ if (!count)
+ return count;
+- if (count > xsize) {
++ if (x + count > xsize) {
+ return -1;
+ }
++ x += count;
+ if (pixel & RLE_COPY_FLAG) {
+ while(count--) {
+ *dest = *src++;
+@@ -63,6 +65,7 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
+ {
+ UINT8 pixel, count;
+ 
++ int x = 0;
+ 
+ for (;n > 0; n--)
+ {
+@@ -73,9 +76,10 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
+ count = pixel & RLE_MAX_RUN;
+ if (!count)
+ return count;
+- if (count > xsize) {
++ if (x + count > xsize) {
+ return -1;
+ }
++ x += count;
+ if (pixel & RLE_COPY_FLAG) {
+ while(count--) {
+ *dest = *src++;
+-- 
+2.26.2
+
diff --git a/SOURCES/CVE-2020-35653.patch b/SOURCES/CVE-2020-35653.patch
new file mode 100644
index 0000000..8f6cc19
--- /dev/null
+++ b/SOURCES/CVE-2020-35653.patch
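Review bot: The new bound `if (x + count > xsize)` in expandrow and expandrow2 limits how far `dest` is written per row, but the source side is not bounded by the same change: `n` is decremented once per pass of `for (;n > 0; n--)` while each copy run advances `src` by `count` bytes in `while(count--) { *dest = *src++;`, so a run whose `count` exceeds the bytes left in the RLE data can still read past it. The rest of the loop body, the non-copy branch and both callers are outside the hunk, so confirm what `n` measures; if it is the row's byte length, reduce it by the bytes each run consumes and reject a run that would exceed what remains, or give both functions an explicit source-length parameter and `return -1` when `count` is larger than the bytes left. Whichever form is chosen, it applies equally to expandrow2, which mirrors expandrow line for line in this patch.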
@@ -0,0 +1,41 @@
+From 7a0aea5806d57e0e7c5187fbc9c2937a16e0bca1 Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Thu, 17 Dec 2020 00:17:53 +0100
+Subject: [PATCH] Fix for CVE CVE-2020-35655 - Read Overflow in PCX Decoding.
+
+* Don't trust the image to specify a buffer size
+---
+ src/PIL/PcxImagePlugin.py | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/PIL/PcxImagePlugin.py b/src/PIL/PcxImagePlugin.py
+index 564713a..17bbd18 100644
+--- a/src/PIL/PcxImagePlugin.py
++++ b/src/PIL/PcxImagePlugin.py
+@@ -63,9 +63,9 @@ class PcxImageFile(ImageFile.ImageFile):
+ version = i8(s[1])
+ bits = i8(s[3])
+ planes = i8(s[65])
+- stride = i16(s, 66)
++ ignored_stride = i16(s, 66)
+ logger.debug("PCX version %s, bits %s, planes %s, stride %s",
+- version, bits, planes, stride)
++ version, bits, planes, ignored_stride)
+ 
+ self.info["dpi"] = i16(s, 12), i16(s, 14)
+ 
+@@ -102,6 +102,11 @@ class PcxImageFile(ImageFile.ImageFile):
+ self.mode = mode
+ self.size = bbox[2]-bbox[0], bbox[3]-bbox[1]
+ 
++ # don't trust the passed in stride. Calculate for ourselves.
++ # CVE-2020-35653
++ stride = (self.size[0] * bits + 7) // 8
++ stride += stride % 2
++
+ bbox = (0, 0) + self.size
+ logger.debug("size: %sx%s", *self.size)
+ 
+-- 
+2.29.2
+
diff --git a/SOURCES/CVE-2020-35655.patch b/SOURCES/CVE-2020-35655.patch
new file mode 100644
index 0000000..9b07049
--- /dev/null
+++ b/SOURCES/CVE-2020-35655.patch
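Review bot: The `logger.debug("PCX version %s, bits %s, planes %s, stride %s", ...)` call in the first hunk now prints `ignored_stride`, but its label still says "stride", so the debug log reports the distrusted header value under the name of the field that is actually used; change the format to `"PCX version %s, bits %s, planes %s, header stride %s (ignored)"` or log the recomputed `stride` right after it is derived in the second hunk. The recomputation `stride = (self.size[0] * bits + 7) // 8` followed by `stride += stride % 2` rounds up to whole bytes and then to an even count per line, but `bits` is taken straight from the header (`bits = i8(s[3])`) and neither hunk shows it being validated, so confirm that the mode selection between the two hunks rejects unexpected values before `stride` is used. The class body and the later use of `stride` are outside both hunks.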
@@ -0,0 +1,136 @@
+From f276de1139ec16395dc8b382860fb58e331fbd53 Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Thu, 29 Oct 2020 23:07:15 +0000
+Subject: [PATCH 1/2] Fix for SGI Decode buffer overrun CVE-2020-35655
+
+* Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz.
+---
+ src/libImaging/SgiRleDecode.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index eb8fc84..c256169 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -107,11 +107,27 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ int err = 0;
+ int status;
+ 
++ /* size check */
++ if (im->xsize > INT_MAX / im->bands ||
++ im->ysize > INT_MAX / im->bands) {
++ return IMAGING_CODEC_MEMORY;
++ }
++
+ /* Get all data from File descriptor */
+ c = (SGISTATE*)state->context;
+ _imaging_seek_pyFd(state->fd, 0L, SEEK_END);
+ c->bufsize = _imaging_tell_pyFd(state->fd);
+ c->bufsize -= SGI_HEADER_SIZE;
++
++ c->tablen = im->bands * im->ysize;
++ /* below, we populate the starttab and lentab into the bufsize,
++ each with 4 bytes per element of tablen
++ Check here before we allocate any memory
++ */
++ if (c->bufsize < 8*c->tablen) {
++ return IMAGING_CODEC_MEMORY;
++ }
++
+ ptr = malloc(sizeof(UINT8) * c->bufsize);
+ if (!ptr) {
+ return IMAGING_CODEC_MEMORY;
+@@ -129,18 +145,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ state->ystep = 1;
+ }
+ 
+- if (im->xsize > INT_MAX / im->bands ||
+- im->ysize > INT_MAX / im->bands) {
+- err = IMAGING_CODEC_MEMORY;
+- goto sgi_finish_decode;
+- }
+-
+ /* Allocate memory for RLE tables and rows */
+ free(state->buffer);
+ state->buffer = NULL;
+ /* malloc overflow check above */
+ state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
+- c->tablen = im->bands * im->ysize;
+ c->starttab = calloc(c->tablen, sizeof(UINT32));
+ c->lengthtab = calloc(c->tablen, sizeof(UINT32));
+ if (!state->buffer ||
+-- 
+2.29.2
+
+From 18aa14484fa63dabcafea63cf0b7bfb4066e979c Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Fri, 30 Oct 2020 09:57:23 +0000
+Subject: [PATCH 2/2] Make the SGI code return -1 as an error flag, error in
+ state
+
+---
+ src/libImaging/SgiRleDecode.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index c256169..2259159 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -110,7 +110,8 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ /* size check */
+ if (im->xsize > INT_MAX / im->bands ||
+ im->ysize > INT_MAX / im->bands) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
+ }
+ 
+ /* Get all data from File descriptor */
+@@ -125,12 +126,14 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ Check here before we allocate any memory
+ */
+ if (c->bufsize < 8*c->tablen) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_OVERRUN;
++ return -1;
+ }
+ 
+ ptr = malloc(sizeof(UINT8) * c->bufsize);
+ if (!ptr) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
+ }
+ _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
+ _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
+@@ -178,7 +181,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ 
+ if (c->rleoffset + c->rlelength > c->bufsize) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+ }
+ 
+ /* row decompression */
+@@ -190,7 +193,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ }
+ if (status == -1) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+ } else if (status == 1) {
+ goto sgi_finish_decode;
+ }
+@@ -211,7 +214,8 @@ sgi_finish_decode: ;
+ free(c->lengthtab);
+ free(ptr);
+ if (err != 0){
+- return err;
++ state->errcode=err;
++ return -1;
+ }
+ return state->count - c->bufsize;
+ }
+-- 
+2.29.2
+
diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec
index a4dc3ba..19678fa 100644
--- a/SPECS/python-pillow.spec
+++ b/SPECS/python-pillow.spec
@@ -8,7 +8,7 @@ Name: python-%{srcname}
 Version: 5.1.1
-Release: 11%{?dist}
+Release: 13%{?dist}
 Summary: Python image processing library
 # License: see http://www.pythonware.com/products/pil/license.htm
@@ -36,6 +36,19 @@ Patch4: CVE-2020-5311.patch
 # Upstream fix: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b?patch
 # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1789532
 Patch5: CVE-2020-5313.patch
+# CVE-2020-11538 out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
+# Upstream fix: https://github.com/python-pillow/Pillow/pull/4504/
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1852814
+Patch6: CVE-2020-11538.patch
+# CVE-2020-35653 decoding a crafted PCX file could result in buffer over-read
+# Note that there is a wrong CVE number in the commit msg
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1915432
+Patch7: CVE-2020-35653.patch
+# CVE-2020-35655 decoding crafted SGI RLE image files could result in buffer over-read
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/120eea2e4547a7d1826afdf01563035844f0b7d5
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-35653
+Patch8: CVE-2020-35655.patch
 BuildRequires: freetype-devel
 BuildRequires: gcc
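Review bot: The guard `if (c->bufsize < 8*c->tablen)` added by patch 1/2 at `@@ -107,11 +107,27 @@` (and kept by patch 2/2 at `@@ -125,12 +126,14 @@`) can overflow before it protects anything: the preceding `INT_MAX / im->bands` checks only bound `c->tablen = im->bands * im->ysize` to INT_MAX, not eight times that, so if `tablen` is a signed int (the SGISTATE declaration is not in the hunk) the product is undefined for a large `ysize`. Compare without the multiplication, `if (c->tablen > c->bufsize / 8)`, or do the arithmetic in an unsigned 64-bit type. The signedness of `c->bufsize` likewise decides what `c->bufsize -= SGI_HEADER_SIZE` does for a file shorter than the header — negative and rejected by the guard if signed, wrapped to a huge value and handed to `malloc` if unsigned — so confirm both field types against the struct. The context line `_imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);` that follows is still unchecked, so if it returns short the unread tail of the malloc'd buffer is uninitialised when the table parsing runs; the head of ImagingSgiRleDecode is outside the hunk.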
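Review bot: The `# Tracking bug:` comment added for Patch8 ends in `show_bug.cgi?id=CVE-2020-35653`, which is neither a bugzilla id nor the CVE this patch addresses; the changelog entry in the same commit resolves `rhbz#1915420 rhbz#1915432`, and 1915432 is already assigned to Patch7, so the line is presumably meant to read `# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1915420` — confirm against bugzilla before changing it. The Patch7 note `# Note that there is a wrong CVE number in the commit msg` would be clearer if it named both ids, e.g. `# Note: the upstream commit message says CVE-2020-35655; this fix is for CVE-2020-35653`. The embedded CVE-2020-35655.patch carries upstream commits f276de11 and 18aa1448 while the comment links 120eea2e, so a word on why the ids differ would save the next rebase a lookup.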
@@ -180,6 +193,14 @@ popd
 %changelog
+* Thu Feb 18 2021 Lumír Balhar - 5.1.1-13
+- Fixes for CVE-2020-35653 and CVE-2020-35655
+Resolves: rhbz#1915420 rhbz#1915432
+
+* Mon Jul 13 2020 Lumír Balhar - 5.1.1-12
+- Fix for CVE-2020-11538
+Resolves: rhbz#1852814
+
+* Wed Mar 04 2020 Lumír Balhar - 5.1.1-11
+- Fix for CVE-2020-5313
+Resolves: rhbz#1789532