From e957689b673d1e5510acf593178b08ed4aa295e3 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 09 2021 18:25:59 +0000
Subject: import python-pillow-5.1.1-16.el8


---

diff --git a/SOURCES/CVE-2021-34552.patch b/SOURCES/CVE-2021-34552.patch
new file mode 100644
index 0000000..5047bae
--- /dev/null
+++ b/SOURCES/CVE-2021-34552.patch
@@ -0,0 +1,33 @@
+diff --git a/src/libImaging/Convert.c b/src/libImaging/Convert.c
+index b3e48e5..cfed8ad 100644
+--- a/src/libImaging/Convert.c
++++ b/src/libImaging/Convert.c
+@@ -1338,9 +1338,8 @@ convert(Imaging imOut, Imaging imIn, const char *mode,
+         return (Imaging) ImagingError_ValueError("conversion not supported");
+ #else
+     {
+-      static char buf[256];
+-      /* FIXME: may overflow if mode is too large */
+-      sprintf(buf, "conversion from %s to %s not supported", imIn->mode, mode);
++      static char buf[100];
++      snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode);
+       return (Imaging) ImagingError_ValueError(buf);
+     }
+ #endif
+@@ -1394,9 +1393,13 @@ ImagingConvertTransparent(Imaging imIn, const char *mode,
+     }
+ #else
+     {
+-      static char buf[256];
+-      /* FIXME: may overflow if mode is too large */
+-      sprintf(buf, "conversion from %s to %s not supported in convert_transparent", imIn->mode, mode);
++      static char buf[100];
++      snprintf(
++        buf,
++        100,
++        "conversion from %.10s to %.10s not supported in convert_transparent",
++        imIn->mode,
++        mode);
+       return (Imaging) ImagingError_ValueError(buf);
+     }
+ #endif
diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec
index 545b4a8..fb5a4f5 100644
--- a/SPECS/python-pillow.spec
+++ b/SPECS/python-pillow.spec
@@ -8,7 +8,7 @@
 
 Name:           python-%{srcname}
 Version:        5.1.1
-Release:        15%{?dist}
+Release:        16%{?dist}
 Summary:        Python image processing library
 
 # License: see http://www.pythonware.com/products/pil/license.htm
@@ -94,6 +94,11 @@ Patch16:        CVE-2021-28677.patch
 # Upstream fix: https://github.com/python-pillow/Pillow/commit/496245aa4365d0827390bd0b6fbd11287453b3a1
 # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28678
 Patch17:        CVE-2021-28678.patch
+# CVE-2021-34552: buffer overflow in Convert.c because it allow an attacker to pass
+# controlled parameters directly into a convert function
+# Upstream fix: https://github.com/python-pillow/Pillow/pull/5567
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1982378
+Patch18:        CVE-2021-34552.patch
 
 BuildRequires:  freetype-devel
 BuildRequires:  gcc
@@ -238,6 +243,10 @@ popd
 
 
 %changelog
+* Mon Aug 02 2021 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-16
+- Fix for CVE-2021-34552
+Resolves: rhbz#1982378
+
 * Mon Jun 14 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-15
 - Fixes for CVE-2021-25288, CVE-2021-25287, CVE-2021-28675, CVE-2021-28676,
 CVE-2021-28677 and CVE-2021-28678