From 7fb9ead982fda7f4c52e85eb431ba4a2780051cf Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 30 2021 13:09:22 +0000 Subject: import python-pillow-5.1.1-12.el8_2 --- diff --git a/SOURCES/CVE-2020-11538.patch b/SOURCES/CVE-2020-11538.patch new file mode 100644 index 0000000..e8cc8df --- /dev/null +++ b/SOURCES/CVE-2020-11538.patch @@ -0,0 +1,56 @@ +From f91c78960495efa04c7f12eeb916158d4bfbabc4 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Mon, 13 Jul 2020 15:40:11 +0200 +Subject: [PATCH] CVE-2020-11538 + +--- + src/libImaging/SgiRleDecode.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c +index 6367ae7..eb8fc84 100644 +--- a/src/libImaging/SgiRleDecode.c ++++ b/src/libImaging/SgiRleDecode.c +@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf) + static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize) + { + UINT8 pixel, count; ++ int x = 0; + + for (;n > 0; n--) + { +@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize) + count = pixel & RLE_MAX_RUN; + if (!count) + return count; +- if (count > xsize) { ++ if (x + count > xsize) { + return -1; + } ++ x += count; + if (pixel & RLE_COPY_FLAG) { + while(count--) { + *dest = *src++; +@@ -63,6 +65,7 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize) + { + UINT8 pixel, count; + ++ int x = 0; + + for (;n > 0; n--) + { +@@ -73,9 +76,10 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize) + count = pixel & RLE_MAX_RUN; + if (!count) + return count; +- if (count > xsize) { ++ if (x + count > xsize) { + return -1; + } ++ x += count; + if (pixel & RLE_COPY_FLAG) { + while(count--) { + *dest = *src++; +-- +2.26.2 + diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec index a4dc3ba..2993cbb 100644 --- a/SPECS/python-pillow.spec +++ b/SPECS/python-pillow.spec @@ -8,7 +8,7 @@ Name: python-%{srcname} Version: 5.1.1 -Release: 11%{?dist} +Release: 12%{?dist} Summary: Python image processing library # License: see http://www.pythonware.com/products/pil/license.htm @@ -32,10 +32,14 @@ Patch3: CVE-2020-5312_CVE-2019-16865.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1789535 # https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3 Patch4: CVE-2020-5311.patch +# CVE-2020-11538 out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2 +# Upstream fix: https://github.com/python-pillow/Pillow/pull/4504/ +# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1852814 +Patch5: CVE-2020-11538.patch # CVE-2020-5313 out-of-bounds read in ImagingFliDecode when loading FLI images # Upstream fix: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b?patch # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1789532 -Patch5: CVE-2020-5313.patch +Patch6: CVE-2020-5313.patch BuildRequires: freetype-devel BuildRequires: gcc @@ -180,10 +184,14 @@ popd %changelog -* Wed Mar 04 2020 Lumír Balhar - 5.1.1-11 +* Mon Jul 13 2020 Lumír Balhar - 5.1.1-12 - Fix for CVE-2020-5313 Resolves: rhbz#1789532 +* Mon Jul 13 2020 Lumír Balhar - 5.1.1-11 +- Fix for CVE-2020-11538 +Resolves: rhbz#1852814 + * Mon Feb 17 2020 Lumír Balhar - 5.1.1-10 - Bump and rebuild for gating to deliver CVE fixes Resolves: rhbz#1789535