diff --git a/SOURCES/CVE-2020-35653.patch b/SOURCES/CVE-2020-35653.patch
new file mode 100644
index 0000000..8f6cc19
--- /dev/null
+++ b/SOURCES/CVE-2020-35653.patch
@@ -0,0 +1,41 @@
+From 7a0aea5806d57e0e7c5187fbc9c2937a16e0bca1 Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Thu, 17 Dec 2020 00:17:53 +0100
+Subject: [PATCH] Fix for CVE CVE-2020-35655 - Read Overflow in PCX Decoding.
+
+* Don't trust the image to specify a buffer size
+---
+ src/PIL/PcxImagePlugin.py | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/PIL/PcxImagePlugin.py b/src/PIL/PcxImagePlugin.py
+index 564713a..17bbd18 100644
+--- a/src/PIL/PcxImagePlugin.py
++++ b/src/PIL/PcxImagePlugin.py
+@@ -63,9 +63,9 @@ class PcxImageFile(ImageFile.ImageFile):
+ version = i8(s[1])
+ bits = i8(s[3])
+ planes = i8(s[65])
+- stride = i16(s, 66)
++ ignored_stride = i16(s, 66)
+ logger.debug("PCX version %s, bits %s, planes %s, stride %s",
+- version, bits, planes, stride)
++ version, bits, planes, ignored_stride)
+
+ self.info["dpi"] = i16(s, 12), i16(s, 14)
+
+@@ -102,6 +102,11 @@ class PcxImageFile(ImageFile.ImageFile):
+ self.mode = mode
+ self.size = bbox[2]-bbox[0], bbox[3]-bbox[1]
+
++ # don't trust the passed in stride. Calculate for ourselves.
++ # CVE-2020-35653
++ stride = (self.size[0] * bits + 7) // 8
++ stride += stride % 2
++
+ bbox = (0, 0) + self.size
+ logger.debug("size: %sx%s", *self.size)
+
+--
+2.29.2
+
diff --git a/SOURCES/CVE-2020-35655.patch b/SOURCES/CVE-2020-35655.patch
new file mode 100644
index 0000000..9b07049
--- /dev/null
+++ b/SOURCES/CVE-2020-35655.patch
@@ -0,0 +1,136 @@
+From f276de1139ec16395dc8b382860fb58e331fbd53 Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Thu, 29 Oct 2020 23:07:15 +0000
+Subject: [PATCH 1/2] Fix for SGI Decode buffer overrun CVE-2020-35655
+
+* Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz.
+---
+ src/libImaging/SgiRleDecode.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index eb8fc84..c256169 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -107,11 +107,27 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ int err = 0;
+ int status;
+
++ /* size check */
++ if (im->xsize > INT_MAX / im->bands ||
++ im->ysize > INT_MAX / im->bands) {
++ return IMAGING_CODEC_MEMORY;
++ }
++
+ /* Get all data from File descriptor */
+ c = (SGISTATE*)state->context;
+ _imaging_seek_pyFd(state->fd, 0L, SEEK_END);
+ c->bufsize = _imaging_tell_pyFd(state->fd);
+ c->bufsize -= SGI_HEADER_SIZE;
++
++ c->tablen = im->bands * im->ysize;
++ /* below, we populate the starttab and lentab into the bufsize,
++ each with 4 bytes per element of tablen
++ Check here before we allocate any memory
++ */
++ if (c->bufsize < 8*c->tablen) {
++ return IMAGING_CODEC_MEMORY;
++ }
++
+ ptr = malloc(sizeof(UINT8) * c->bufsize);
+ if (!ptr) {
+ return IMAGING_CODEC_MEMORY;
+@@ -129,18 +145,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ state->ystep = 1;
+ }
+
+- if (im->xsize > INT_MAX / im->bands ||
+- im->ysize > INT_MAX / im->bands) {
+- err = IMAGING_CODEC_MEMORY;
+- goto sgi_finish_decode;
+- }
+-
+ /* Allocate memory for RLE tables and rows */
+ free(state->buffer);
+ state->buffer = NULL;
+ /* malloc overflow check above */
+ state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
+- c->tablen = im->bands * im->ysize;
+ c->starttab = calloc(c->tablen, sizeof(UINT32));
+ c->lengthtab = calloc(c->tablen, sizeof(UINT32));
+ if (!state->buffer ||
+--
+2.29.2
+
+From 18aa14484fa63dabcafea63cf0b7bfb4066e979c Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Fri, 30 Oct 2020 09:57:23 +0000
+Subject: [PATCH 2/2] Make the SGI code return -1 as an error flag, error in
+ state
+
+---
+ src/libImaging/SgiRleDecode.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index c256169..2259159 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -110,7 +110,8 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ /* size check */
+ if (im->xsize > INT_MAX / im->bands ||
+ im->ysize > INT_MAX / im->bands) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
+ }
+
+ /* Get all data from File descriptor */
+@@ -125,12 +126,14 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ Check here before we allocate any memory
+ */
+ if (c->bufsize < 8*c->tablen) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_OVERRUN;
++ return -1;
+ }
+
+ ptr = malloc(sizeof(UINT8) * c->bufsize);
+ if (!ptr) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
+ }
+ _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
+ _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
+@@ -178,7 +181,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+
+ if (c->rleoffset + c->rlelength > c->bufsize) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+ }
+
+ /* row decompression */
+@@ -190,7 +193,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ }
+ if (status == -1) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+ } else if (status == 1) {
+ goto sgi_finish_decode;
+ }
+@@ -211,7 +214,8 @@ sgi_finish_decode: ;
+ free(c->lengthtab);
+ free(ptr);
+ if (err != 0){
+- return err;
++ state->errcode=err;
++ return -1;
+ }
+ return state->count - c->bufsize;
+ }
+--
+2.29.2
+
diff --git a/SOURCES/CVE-2021-25287_25288.patch b/SOURCES/CVE-2021-25287_25288.patch
new file mode 100644
index 0000000..acb42a8
--- /dev/null
+++ b/SOURCES/CVE-2021-25287_25288.patch
@@ -0,0 +1,130 @@
+From 9c781aa2020eef838284dcb348f4528f3c3cc1ab Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Mon, 14 Jun 2021 09:06:07 +0200
+Subject: [PATCH 1/5] CVE-2021-25287_25288
+
+---
+ src/libImaging/Jpeg2KDecode.c | 78 +++++++++++++++++++++++++++--------
+ 1 file changed, 61 insertions(+), 17 deletions(-)
+
+diff --git a/src/libImaging/Jpeg2KDecode.c b/src/libImaging/Jpeg2KDecode.c
+index 9140e00..fdbd0c0 100644
+--- a/src/libImaging/Jpeg2KDecode.c
++++ b/src/libImaging/Jpeg2KDecode.c
+@@ -110,6 +110,7 @@ j2ku_gray_l(opj_image_t *in, const JPEG2KTILEINFO *tileinfo,
+ if (shift < 0)
+ offset += 1 << (-shift - 1);
+
++ /* csiz*h*w + offset = tileinfo.datasize */
+ switch (csiz) {
+ case 1:
+ for (y = 0; y < h; ++y) {
+@@ -557,8 +558,10 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
+ opj_dparameters_t params;
+ OPJ_COLOR_SPACE color_space;
+ j2k_unpacker_t unpack = NULL;
+- size_t buffer_size = 0;
+- unsigned n;
++ size_t buffer_size = 0, tile_bytes = 0;
++ unsigned n, tile_height, tile_width;
++ int total_component_width = 0;
++
+
+ stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE);
+
+@@ -703,8 +706,62 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
+ tile_info.x1 = (tile_info.x1 + correction) >> context->reduce;
+ tile_info.y1 = (tile_info.y1 + correction) >> context->reduce;
+
++ /* Check the tile bounds; if the tile is outside the image area,
++ or if it has a negative width or height (i.e. the coordinates are
++ swapped), bail. */
++ if (tile_info.x0 >= tile_info.x1
++ || tile_info.y0 >= tile_info.y1
++ || tile_info.x0 < image->x0
++ || tile_info.y0 < image->y0
++ || tile_info.x1 - image->x0 > im->xsize
++ || tile_info.y1 - image->y0 > im->ysize) {
++ state->errcode = IMAGING_CODEC_BROKEN;
++ state->state = J2K_STATE_FAILED;
++ goto quick_exit;
++ }
++
++ if (tile_info.nb_comps != image->numcomps) {
++ state->errcode = IMAGING_CODEC_BROKEN;
++ state->state = J2K_STATE_FAILED;
++ goto quick_exit;
++ }
++
++ /* Sometimes the tile_info.datasize we get back from openjpeg
++ is less than sum(comp_bytes)*w*h, and we overflow in the
++ shuffle stage */
++
++ tile_width = tile_info.x1 - tile_info.x0;
++ tile_height = tile_info.y1 - tile_info.y0;
++
++ /* Total component width = sum (component_width) e.g, it's
++ legal for an la file to have a 1 byte width for l, and 4 for
++ a. and then a malicious file could have a smaller tile_bytes
++ */
++
++ for (n=0; n < tile_info.nb_comps; n++) {
++ // see csize /acsize calcs
++ int csize = (image->comps[n].prec + 7) >> 3;
++ csize = (csize == 3) ? 4 : csize;
++ total_component_width += csize;
++ }
++ if ((tile_width > UINT_MAX / total_component_width) ||
++ (tile_height > UINT_MAX / total_component_width) ||
++ (tile_width > UINT_MAX / (tile_height * total_component_width)) ||
++ (tile_height > UINT_MAX / (tile_width * total_component_width))) {
++
++ state->errcode = IMAGING_CODEC_BROKEN;
++ state->state = J2K_STATE_FAILED;
++ goto quick_exit;
++ }
++
++ tile_bytes = tile_width * tile_height * total_component_width;
++
++ if (tile_bytes > tile_info.data_size) {
++ tile_info.data_size = tile_bytes;
++ }
++
+ if (buffer_size < tile_info.data_size) {
+- /* malloc check ok, tile_info.data_size from openjpeg */
++ /* malloc check ok, overflow and tile size sanity check above */
+ UINT8 *new = realloc (state->buffer, tile_info.data_size);
+ if (!new) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+@@ -715,6 +772,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
+ buffer_size = tile_info.data_size;
+ }
+
++
+ if (!opj_decode_tile_data(codec,
+ tile_info.tile_index,
+ (OPJ_BYTE *)state->buffer,
+@@ -725,20 +783,6 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
+ goto quick_exit;
+ }
+
+- /* Check the tile bounds; if the tile is outside the image area,
+- or if it has a negative width or height (i.e. the coordinates are
+- swapped), bail. */
+- if (tile_info.x0 >= tile_info.x1
+- || tile_info.y0 >= tile_info.y1
+- || tile_info.x0 < image->x0
+- || tile_info.y0 < image->y0
+- || tile_info.x1 - image->x0 > im->xsize
+- || tile_info.y1 - image->y0 > im->ysize) {
+- state->errcode = IMAGING_CODEC_BROKEN;
+- state->state = J2K_STATE_FAILED;
+- goto quick_exit;
+- }
+-
+ unpack(image, &tile_info, state->buffer, im);
+ }
+
+--
+2.31.1
+
diff --git a/SOURCES/CVE-2021-25290.patch b/SOURCES/CVE-2021-25290.patch
new file mode 100644
index 0000000..39af8bd
--- /dev/null
+++ b/SOURCES/CVE-2021-25290.patch
@@ -0,0 +1,28 @@
+From c558baf01a97aed376a67ff4641f1c3c864ae3f0 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 8 Apr 2021 17:55:26 +0200
+Subject: [PATCH 1/4] CVE-2021-25290
+
+---
+ src/libImaging/TiffDecode.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
+index f292da3..d17b557 100644
+--- a/src/libImaging/TiffDecode.c
++++ b/src/libImaging/TiffDecode.c
+@@ -36,6 +36,11 @@ tsize_t _tiffReadProc(thandle_t hdata, tdata_t buf, tsize_t size) {
+ TRACE(("_tiffReadProc: %d \n", (int)size));
+ dump_state(state);
+
++ if (state->loc > state->eof) {
++ TIFFError("_tiffReadProc", "Invalid Read at loc %d, eof: %d", state->loc, state->eof);
++ return 0;
++ }
++
+ to_read = min(size, min(state->size, (tsize_t)state->eof) - (tsize_t)state->loc);
+ TRACE(("to_read: %d\n", (int)to_read));
+
+--
+2.30.2
+
diff --git a/SOURCES/CVE-2021-25292.patch b/SOURCES/CVE-2021-25292.patch
new file mode 100644
index 0000000..452609b
--- /dev/null
+++ b/SOURCES/CVE-2021-25292.patch
@@ -0,0 +1,27 @@
+From f60b6ae79d3c2e759f54bb4acb62b4c49f89fef2 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 8 Apr 2021 17:59:21 +0200
+Subject: [PATCH 2/4] CVE-2021-25292
+
+---
+ src/PIL/PdfParser.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/PIL/PdfParser.py b/src/PIL/PdfParser.py
+index b6938fd..189aed8 100644
+--- a/src/PIL/PdfParser.py
++++ b/src/PIL/PdfParser.py
+@@ -562,8 +562,9 @@ class PdfParser:
+ whitespace_or_hex = br"[\000\011\012\014\015\0400-9a-fA-F]"
+ whitespace_optional = whitespace + b"*"
+ whitespace_mandatory = whitespace + b"+"
++ whitespace_optional_no_nl = br"[\000\011\014\015\040]*" # no "\012" aka "\n"
+ newline_only = br"[\r\n]+"
+- newline = whitespace_optional + newline_only + whitespace_optional
++ newline = whitespace_optional_no_nl + newline_only + whitespace_optional_no_nl
+ re_trailer_end = re.compile(whitespace_mandatory + br"trailer" + whitespace_optional + br"\<\<(.*\>\>)" + newline
+ + br"startxref" + newline + br"([0-9]+)" + newline + br"%%EOF" + whitespace_optional + br"$", re.DOTALL)
+ re_trailer_prev = re.compile(whitespace_optional + br"trailer" + whitespace_optional + br"\<\<(.*?\>\>)" + newline
+--
+2.30.2
+
diff --git a/SOURCES/CVE-2021-25293.patch b/SOURCES/CVE-2021-25293.patch
new file mode 100644
index 0000000..0361ed6
--- /dev/null
+++ b/SOURCES/CVE-2021-25293.patch
@@ -0,0 +1,207 @@
+From 1312c5426e7dd84e396ef2ff35aa09b64d92d382 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Fri, 9 Apr 2021 19:33:55 +0200
+Subject: [PATCH 3/4] CVE-2021-25293
+
+---
+ src/libImaging/SgiRleDecode.c | 88 +++++++++++++++++++++++++++++------
+ 1 file changed, 75 insertions(+), 13 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index 2259159..85af456 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -25,13 +25,60 @@ static void read4B(UINT32* dest, UINT8* buf)
+ *dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
+ }
+
+-static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
++/*
++ SgiRleDecoding is done in a single channel row oriented set of RLE chunks.
++
++ * The file is arranged as
++ - SGI Header
++ - Rle Offset Table
++ - Rle Length Table
++ - Scanline Data
++
++ * Each RLE atom is c->bpc bytes wide (1 or 2)
++
++ * Each RLE Chunk is [specifier atom] [ 1 or n data atoms ]
++
++ * Copy Atoms are a byte with the high bit set, and the low 7 are
++ the number of bytes to copy from the source to the
++ destination. e.g.
++
++ CBBBBBBBB or 0CHLHLHLHLHLHL (B=byte, H/L = Hi low bytes)
++
++ * Run atoms do not have the high bit set, and the low 7 bits are
++ the number of copies of the next atom to copy to the
++ destination. e.g.:
++
++ RB -> BBBBB or RHL -> HLHLHLHLHL
++
++ The upshot of this is, there is no way to determine the required
++ length of the input buffer from reloffset and rlelength without
++ going through the data at that scan line.
++
++ Furthermore, there's no requirement that individual scan lines
++ pointed to from the rleoffset table are in any sort of order or
++ used only once, or even disjoint. There's also no requirement that
++ all of the data in the scan line area of the image file be used
++
++ */
++
++static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize, UINT8 *end_of_buffer)
+ {
++ /*
++ * n here is the number of rlechunks
++ * z is the number of channels, for calculating the interleave
++ * offset to go to RGBA style pixels
++ * xsize is the row width
++ * end_of_buffer is the address of the end of the input buffer
++ */
++
+ UINT8 pixel, count;
+ int x = 0;
+
+ for (;n > 0; n--)
+ {
++ if (src > end_of_buffer) {
++ return -1;
++ }
+ pixel = *src++;
+ if (n == 1 && pixel != 0)
+ return n;
+@@ -43,6 +90,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+ }
+ x += count;
+ if (pixel & RLE_COPY_FLAG) {
++ if (src + count > end_of_buffer) {
++ return -1;
++ }
+ while(count--) {
+ *dest = *src++;
+ dest += z;
+@@ -50,6 +100,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+
+ }
+ else {
++ if (src > end_of_buffer) {
++ return -1;
++ }
+ pixel = *src++;
+ while (count--) {
+ *dest = pixel;
+@@ -61,7 +114,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+ return 0;
+ }
+
+-static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
++static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize, UINT8 *end_of_buffer)
+ {
+ UINT8 pixel, count;
+
+@@ -69,6 +122,9 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
+
+ for (;n > 0; n--)
+ {
++ if (src + 1 > end_of_buffer) {
++ return -1;
++ }
+ pixel = ((UINT8*)src)[1];
+ ++src;
+ if (n == 1 && pixel != 0)
+@@ -81,12 +137,18 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
+ }
+ x += count;
+ if (pixel & RLE_COPY_FLAG) {
++ if (src + 2 * count > end_of_buffer) {
++ return -1;
++ }
+ while(count--) {
+ *dest = *src++;
+ dest += z;
+ }
+ }
+ else {
++ if (src + 2 > end_of_buffer) {
++ return -1;
++ }
+ while (count--) {
+ *dest = *src;
+ dest += z;
+@@ -136,8 +198,10 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ return -1;
+ }
+ _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
+- _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
+-
++ if (_imaging_read_pyFd(state->fd, (char *)ptr, c->bufsize) != c->bufsize) {
++ state->errcode = IMAGING_CODEC_UNKNOWN;
++ return -1;
++ }
+
+ /* decoder initialization */
+ state->count = 0;
+@@ -168,8 +232,6 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ for (c->tabindex = 0, c->bufindex = c->tablen * sizeof(UINT32); c->tabindex < c->tablen; c->tabindex++, c->bufindex+=4)
+ read4B(&c->lengthtab[c->tabindex], &ptr[c->bufindex]);
+
+- state->count += c->tablen * sizeof(UINT32) * 2;
+-
+ /* read compressed rows */
+ for (c->rowno = 0; c->rowno < im->ysize; c->rowno++, state->y += state->ystep)
+ {
+@@ -177,19 +239,21 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ {
+ c->rleoffset = c->starttab[c->rowno + c->channo * im->ysize];
+ c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize];
+- c->rleoffset -= SGI_HEADER_SIZE;
+
+- if (c->rleoffset + c->rlelength > c->bufsize) {
++ // Check for underflow of rleoffset-SGI_HEADER_SIZE
++ if (c->rleoffset < SGI_HEADER_SIZE) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ goto sgi_finish_decode;
+ }
+
++ c->rleoffset -= SGI_HEADER_SIZE;
++
+ /* row decompression */
+ if (c->bpc ==1) {
+- status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
++ status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize, &ptr[c->bufsize-1]);
+ }
+ else {
+- status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
++ status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize, &ptr[c->bufsize-1]);
+ }
+ if (status == -1) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+@@ -198,7 +262,6 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ goto sgi_finish_decode;
+ }
+
+- state->count += c->rlelength;
+ }
+
+ /* store decompressed data in image */
+@@ -206,7 +269,6 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+
+ }
+
+- c->bufsize++;
+
+ sgi_finish_decode: ;
+
+@@ -217,5 +279,5 @@ sgi_finish_decode: ;
+ state->errcode=err;
+ return -1;
+ }
+- return state->count - c->bufsize;
++ return 0;
+ }
+--
+2.30.2
+
diff --git a/SOURCES/CVE-2021-27921_27922_27923.patch b/SOURCES/CVE-2021-27921_27922_27923.patch
new file mode 100644
index 0000000..0cdb073
--- /dev/null
+++ b/SOURCES/CVE-2021-27921_27922_27923.patch
@@ -0,0 +1,58 @@
+From 357fef8b4bd076e3a15e7ffc58a475626794c7e3 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Fri, 9 Apr 2021 19:41:58 +0200
+Subject: [PATCH 4/4] CVE-2021-27921_27922_27923
+
+---
+ src/PIL/BlpImagePlugin.py | 1 +
+ src/PIL/IcnsImagePlugin.py | 2 ++
+ src/PIL/IcoImagePlugin.py | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
+index ec358db..d56d46c 100644
+--- a/src/PIL/BlpImagePlugin.py
++++ b/src/PIL/BlpImagePlugin.py
+@@ -362,6 +362,7 @@ class BLP1Decoder(_BLPBaseDecoder):
+ data = jpeg_header + data
+ data = BytesIO(data)
+ image = JpegImageFile(data)
++ Image._decompression_bomb_check(image.size)
+ self.tile = image.tile # :/
+ self.fd = image.fp
+ self.mode = image.mode
+diff --git a/src/PIL/IcnsImagePlugin.py b/src/PIL/IcnsImagePlugin.py
+index b382a73..2292584 100644
+--- a/src/PIL/IcnsImagePlugin.py
++++ b/src/PIL/IcnsImagePlugin.py
+@@ -110,6 +110,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
+ if sig[:8] == b'\x89PNG\x0d\x0a\x1a\x0a':
+ fobj.seek(start)
+ im = PngImagePlugin.PngImageFile(fobj)
++ Image._decompression_bomb_check(im.size)
+ return {"RGBA": im}
+ elif sig[:4] == b'\xff\x4f\xff\x51' \
+ or sig[:4] == b'\x0d\x0a\x87\x0a' \
+@@ -122,6 +123,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
+ jp2kstream = fobj.read(length)
+ f = io.BytesIO(jp2kstream)
+ im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
++ Image._decompression_bomb_check(im.size)
+ if im.mode != 'RGBA':
+ im = im.convert('RGBA')
+ return {"RGBA": im}
+diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
+index 2b6d1e0..30412ad 100644
+--- a/src/PIL/IcoImagePlugin.py
++++ b/src/PIL/IcoImagePlugin.py
+@@ -164,6 +164,7 @@ class IcoFile(object):
+ if data[:8] == PngImagePlugin._MAGIC:
+ # png frame
+ im = PngImagePlugin.PngImageFile(self.buf)
++ Image._decompression_bomb_check(im.size)
+ else:
+ # XOR + AND mask bmp frame
+ im = BmpImagePlugin.DibImageFile(self.buf)
+--
+2.30.2
+
diff --git a/SOURCES/CVE-2021-28675.patch b/SOURCES/CVE-2021-28675.patch
new file mode 100644
index 0000000..db8d38a
--- /dev/null
+++ b/SOURCES/CVE-2021-28675.patch
@@ -0,0 +1,146 @@
+From 7fe3dff241c11206616bf6229be898854ce0d066 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Mon, 14 Jun 2021 11:33:36 +0200
+Subject: [PATCH] CVE-2021-28675
+
+---
+ src/PIL/ImageFile.py | 12 ++++++++++--
+ src/PIL/PsdImagePlugin.py | 33 +++++++++++++++++++++++----------
+ 2 files changed, 33 insertions(+), 12 deletions(-)
+
+diff --git a/src/PIL/ImageFile.py b/src/PIL/ImageFile.py
+index 1a3c4aa..2cef9ee 100644
+--- a/src/PIL/ImageFile.py
++++ b/src/PIL/ImageFile.py
+@@ -522,12 +522,18 @@ def _safe_read(fp, size):
+
+ :param fp: File handle. Must implement a <b>read</b> method.
+ :param size: Number of bytes to read.
+- :returns: A string containing up to <i>size</i> bytes of data.
++ :returns: A string containing <i>size</i> bytes of data.
++
++ Raises an OSError if the file is truncated and the read can not be completed
++
+ """
+ if size <= 0:
+ return b""
+ if size <= SAFEBLOCK:
+- return fp.read(size)
++ data = fp.read(size)
++ if len(data) < size:
++ raise OSError("Truncated File Read")
++ return data
+ data = []
+ while size > 0:
+ block = fp.read(min(size, SAFEBLOCK))
+@@ -535,6 +541,8 @@ def _safe_read(fp, size):
+ break
+ data.append(block)
+ size -= len(block)
++ if sum(len(d) for d in data) < size:
++ raise OSError("Truncated File Read")
+ return b"".join(data)
+
+
+diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py
+index fe2a2ff..add9996 100644
+--- a/src/PIL/PsdImagePlugin.py
++++ b/src/PIL/PsdImagePlugin.py
+@@ -18,6 +18,8 @@
+
+ __version__ = "0.4"
+
++import io
++
+ from . import Image, ImageFile, ImagePalette
+ from ._binary import i8, i16be as i16, i32be as i32
+
+@@ -114,7 +116,8 @@ class PsdImageFile(ImageFile.ImageFile):
+ end = self.fp.tell() + size
+ size = i32(read(4))
+ if size:
+- self.layers = _layerinfo(self.fp)
++ _layer_data = io.BytesIO(ImageFile._safe_read(self.fp, size))
++ self.layers = _layerinfo(_layer_data, size)
+ self.fp.seek(end)
+
+ #
+@@ -164,11 +167,20 @@ class PsdImageFile(ImageFile.ImageFile):
+ Image.Image.load(self)
+
+
+-def _layerinfo(file):
++def _layerinfo(fp, ct_bytes):
+ # read layerinfo block
+ layers = []
+- read = file.read
+- for i in range(abs(i16(read(2)))):
++
++ def read(size):
++ return ImageFile._safe_read(fp, size)
++
++ ct = i16(read(2))
++
++ # sanity check
++ if ct_bytes < (abs(ct) * 20):
++ raise SyntaxError("Layer block too short for number of layers requested")
++
++ for i in range(abs(ct)):
+
+ # bounding box
+ y0 = i32(read(4))
+@@ -179,7 +191,8 @@ def _layerinfo(file):
+ # image info
+ info = []
+ mode = []
+- types = list(range(i16(read(2))))
++ ct_types = i16(read(2))
++ types = list(range(ct_types))
+ if len(types) > 4:
+ continue
+
+@@ -212,7 +225,7 @@ def _layerinfo(file):
+ size = i32(read(4)) # length of the extra data field
+ combined = 0
+ if size:
+- data_end = file.tell() + size
++ data_end = fp.tell() + size
+
+ length = i32(read(4))
+ if length:
+@@ -220,12 +233,12 @@ def _layerinfo(file):
+ mask_x = i32(read(4))
+ mask_h = i32(read(4)) - mask_y
+ mask_w = i32(read(4)) - mask_x
+- file.seek(length - 16, 1)
++ fp.seek(length - 16, 1)
+ combined += length + 4
+
+ length = i32(read(4))
+ if length:
+- file.seek(length, 1)
++ fp.seek(length, 1)
+ combined += length + 4
+
+ length = i8(read(1))
+@@ -235,7 +248,7 @@ def _layerinfo(file):
+ name = read(length).decode('latin-1', 'replace')
+ combined += length + 1
+
+- file.seek(data_end)
++ fp.seek(data_end)
+ layers.append((name, mode, (x0, y0, x1, y1)))
+
+ # get tiles
+@@ -243,7 +256,7 @@ def _layerinfo(file):
+ for name, mode, bbox in layers:
+ tile = []
+ for m in mode:
+- t = _maketile(file, m, bbox, 1)
++ t = _maketile(fp, m, bbox, 1)
+ if t:
+ tile.extend(t)
+ layers[i] = name, mode, bbox, tile
+--
+2.31.1
+
diff --git a/SOURCES/CVE-2021-28676.patch b/SOURCES/CVE-2021-28676.patch
new file mode 100644
index 0000000..4a222ea
--- /dev/null
+++ b/SOURCES/CVE-2021-28676.patch
@@ -0,0 +1,28 @@
+From cedb7ba568161021bc2f2f48af95fcf33e262f77 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Mon, 14 Jun 2021 09:30:01 +0200
+Subject: [PATCH 4/5] CVE-2021-28676
+
+---
+ src/libImaging/FliDecode.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
+index 72ba138..9181b8b 100644
+--- a/src/libImaging/FliDecode.c
++++ b/src/libImaging/FliDecode.c
+@@ -209,6 +209,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ return -1;
+ }
+ advance = I32(ptr);
++ if (advance == 0 ) {
++ // If there's no advance, we're in in infinite loop
++ state->errcode = IMAGING_CODEC_BROKEN;
++ return -1;
++ }
+ ptr += advance;
+ bytes -= advance;
+ }
+--
+2.31.1
+
diff --git a/SOURCES/CVE-2021-28677.patch b/SOURCES/CVE-2021-28677.patch
new file mode 100644
index 0000000..64d0f68
--- /dev/null
+++ b/SOURCES/CVE-2021-28677.patch
@@ -0,0 +1,41 @@
+From 8ad7b436649c424e22689a8a874c1b0cd7c1c0fc Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Mon, 14 Jun 2021 09:22:45 +0200
+Subject: [PATCH 3/5] CVE-2021-28677
+
+---
+ src/PIL/EpsImagePlugin.py | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/PIL/EpsImagePlugin.py b/src/PIL/EpsImagePlugin.py
+index b503487..5f5af15 100644
+--- a/src/PIL/EpsImagePlugin.py
++++ b/src/PIL/EpsImagePlugin.py
+@@ -167,12 +167,12 @@ class PSFile(object):
+ self.fp.seek(offset, whence)
+
+ def readline(self):
+- s = self.char or b""
++ s = [self.char or b""]
+ self.char = None
+
+ c = self.fp.read(1)
+- while c not in b"\r\n":
+- s = s + c
++ while (c not in b"\r\n") and len(c):
++ s.append(c)
+ c = self.fp.read(1)
+
+ self.char = self.fp.read(1)
+@@ -180,7 +180,7 @@ class PSFile(object):
+ if self.char in b"\r\n":
+ self.char = None
+
+- return s.decode('latin-1')
++ return b"".join(s).decode("latin-1")
+
+
+ def _accept(prefix):
+--
+2.31.1
+
diff --git a/SOURCES/CVE-2021-28678.patch b/SOURCES/CVE-2021-28678.patch
new file mode 100644
index 0000000..5bab189
--- /dev/null
+++ b/SOURCES/CVE-2021-28678.patch
@@ -0,0 +1,122 @@
+From eaef29c3696cd021147e692360997f4c12377c60 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Mon, 14 Jun 2021 09:19:50 +0200
+Subject: [PATCH 2/5] CVE-2021-28678
+
+---
+ src/PIL/BlpImagePlugin.py | 43 +++++++++++++++++++++------------------
+ 1 file changed, 23 insertions(+), 20 deletions(-)
+
+diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
+index d56d46c..846c83d 100644
+--- a/src/PIL/BlpImagePlugin.py
++++ b/src/PIL/BlpImagePlugin.py
+@@ -294,33 +294,36 @@ class _BLPBaseDecoder(ImageFile.PyDecoder):
+ raise IOError("Truncated Blp file")
+ return 0, 0
+
++ def _safe_read(self, length):
++ return ImageFile._safe_read(self.fd, length)
++
+ def _read_palette(self):
+ ret = []
+ for i in range(256):
+ try:
+- b, g, r, a = struct.unpack("<4B", self.fd.read(4))
++ b, g, r, a = struct.unpack("<4B", self._safe_read(4))
+ except struct.error:
+ break
+ ret.append((b, g, r, a))
+ return ret
+
+ def _read_blp_header(self):
+- self._blp_compression, = struct.unpack("<i", self.fd.read(4))
++ self._blp_compression, = struct.unpack("<i", self._safe_read(4))
+
+- self._blp_encoding, = struct.unpack("<b", self.fd.read(1))
+- self._blp_alpha_depth, = struct.unpack("<b", self.fd.read(1))
+- self._blp_alpha_encoding, = struct.unpack("<b", self.fd.read(1))
+- self._blp_mips, = struct.unpack("<b", self.fd.read(1))
++ self._blp_encoding, = struct.unpack("<b", self._safe_read(1))
++ self._blp_alpha_depth, = struct.unpack("<b", self._safe_read(1))
++ self._blp_alpha_encoding, = struct.unpack("<b", self._safe_read(1))
++ self._blp_mips, = struct.unpack("<b", self._safe_read(1))
+
+- self.size = struct.unpack("<II", self.fd.read(8))
++ self.size = struct.unpack("<II", self._safe_read(8))
+
+ if self.magic == b"BLP1":
+ # Only present for BLP1
+- self._blp_encoding, = struct.unpack("<i", self.fd.read(4))
+- self._blp_subtype, = struct.unpack("<i", self.fd.read(4))
++ self._blp_encoding, = struct.unpack("<i", self._safe_read(4))
++ self._blp_subtype, = struct.unpack("<i", self._safe_read(4))
+
+- self._blp_offsets = struct.unpack("<16I", self.fd.read(16 * 4))
+- self._blp_lengths = struct.unpack("<16I", self.fd.read(16 * 4))
++ self._blp_offsets = struct.unpack("<16I", self._safe_read(16 * 4))
++ self._blp_lengths = struct.unpack("<16I", self._safe_read(16 * 4))
+
+
+ class BLP1Decoder(_BLPBaseDecoder):
+@@ -333,7 +336,7 @@ class BLP1Decoder(_BLPBaseDecoder):
+ if self._blp_encoding in (4, 5):
+ data = bytearray()
+ palette = self._read_palette()
+- _data = BytesIO(self.fd.read(self._blp_lengths[0]))
++ _data = BytesIO(self._safe_read(self._blp_lengths[0]))
+ while True:
+ try:
+ offset, = struct.unpack("<B", _data.read(1))
+@@ -355,10 +358,10 @@ class BLP1Decoder(_BLPBaseDecoder):
+ def _decode_jpeg_stream(self):
+ from PIL.JpegImagePlugin import JpegImageFile
+
+- jpeg_header_size, = struct.unpack("<I", self.fd.read(4))
+- jpeg_header = self.fd.read(jpeg_header_size)
+- self.fd.read(self._blp_offsets[0] - self.fd.tell()) # What IS this?
+- data = self.fd.read(self._blp_lengths[0])
++ jpeg_header_size, = struct.unpack("<I", self._safe_read(4))
++ jpeg_header = self._safe_read(jpeg_header_size)
++ self._safe_read(self._blp_offsets[0] - self.fd.tell()) # What IS this?
++ data = self._safe_read(self._blp_lengths[0])
+ data = jpeg_header + data
+ data = BytesIO(data)
+ image = JpegImageFile(data)
+@@ -380,7 +383,7 @@ class BLP2Decoder(_BLPBaseDecoder):
+ # Uncompressed or DirectX compression
+
+ if self._blp_encoding == BLP_ENCODING_UNCOMPRESSED:
+- _data = BytesIO(self.fd.read(self._blp_lengths[0]))
++ _data = BytesIO(self._safe_read(self._blp_lengths[0]))
+ while True:
+ try:
+ offset, = struct.unpack("<B", _data.read(1))
+@@ -394,7 +397,7 @@ class BLP2Decoder(_BLPBaseDecoder):
+ linesize = (self.size[0] + 3) // 4 * 8
+ for yb in range((self.size[1] + 3) // 4):
+ for d in decode_dxt1(
+- self.fd.read(linesize),
++ self._safe_read(linesize),
+ alpha=bool(self._blp_alpha_depth)
+ ):
+ data += d
+@@ -402,13 +405,13 @@ class BLP2Decoder(_BLPBaseDecoder):
+ elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT3:
+ linesize = (self.size[0] + 3) // 4 * 16
+ for yb in range((self.size[1] + 3) // 4):
+- for d in decode_dxt3(self.fd.read(linesize)):
++ for d in decode_dxt3(self._safe_read(linesize)):
+ data += d
+
+ elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT5:
+ linesize = (self.size[0] + 3) // 4 * 16
+ for yb in range((self.size[1] + 3) // 4):
+- for d in decode_dxt5(self.fd.read(linesize)):
++ for d in decode_dxt5(self._safe_read(linesize)):
+ data += d
+ else:
+ raise BLPFormatError("Unsupported alpha encoding %r" % (
+--
+2.31.1
+
diff --git a/SOURCES/CVE-2021-34552.patch b/SOURCES/CVE-2021-34552.patch
new file mode 100644
index 0000000..5047bae
--- /dev/null
+++ b/SOURCES/CVE-2021-34552.patch
@@ -0,0 +1,33 @@
+diff --git a/src/libImaging/Convert.c b/src/libImaging/Convert.c
+index b3e48e5..cfed8ad 100644
+--- a/src/libImaging/Convert.c
++++ b/src/libImaging/Convert.c
+@@ -1338,9 +1338,8 @@ convert(Imaging imOut, Imaging imIn, const char *mode,
+ return (Imaging) ImagingError_ValueError("conversion not supported");
+ #else
+ {
+- static char buf[256];
+- /* FIXME: may overflow if mode is too large */
+- sprintf(buf, "conversion from %s to %s not supported", imIn->mode, mode);
++ static char buf[100];
++ snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode);
+ return (Imaging) ImagingError_ValueError(buf);
+ }
+ #endif
+@@ -1394,9 +1393,13 @@ ImagingConvertTransparent(Imaging imIn, const char *mode,
+ }
+ #else
+ {
+- static char buf[256];
+- /* FIXME: may overflow if mode is too large */
+- sprintf(buf, "conversion from %s to %s not supported in convert_transparent", imIn->mode, mode);
++ static char buf[100];
++ snprintf(
++ buf,
++ 100,
++ "conversion from %.10s to %.10s not supported in convert_transparent",
++ imIn->mode,
++ mode);
+ return (Imaging) ImagingError_ValueError(buf);
+ }
+ #endif
diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec
index 2993cbb..fb5a4f5 100644
--- a/SPECS/python-pillow.spec
+++ b/SPECS/python-pillow.spec
@@ -8,7 +8,7 @@
Name: python-%{srcname}
Version: 5.1.1
-Release: 12%{?dist}
+Release: 16%{?dist}
Summary: Python image processing library
# License: see http://www.pythonware.com/products/pil/license.htm
@@ -32,14 +32,73 @@ Patch3: CVE-2020-5312_CVE-2019-16865.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1789535
# https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3
Patch4: CVE-2020-5311.patch
-# CVE-2020-11538 out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
-# Upstream fix: https://github.com/python-pillow/Pillow/pull/4504/
-# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1852814
-Patch5: CVE-2020-11538.patch
# CVE-2020-5313 out-of-bounds read in ImagingFliDecode when loading FLI images
# Upstream fix: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b?patch
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1789532
-Patch6: CVE-2020-5313.patch
+Patch5: CVE-2020-5313.patch
+# CVE-2020-11538 out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
+# Upstream fix: https://github.com/python-pillow/Pillow/pull/4504/
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1852814
+Patch6: CVE-2020-11538.patch
+# CVE-2020-35653 decoding a crafted PCX file could result in buffer over-read
+# Note that there is a wrong CVE number in the commit msg
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1915432
+Patch7: CVE-2020-35653.patch
+# CVE-2020-35655 decoding crafted SGI RLE image files could result in buffer over-read
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/120eea2e4547a7d1826afdf01563035844f0b7d5
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-35653
+Patch8: CVE-2020-35655.patch
+# CVE-2021-25290 negative-offset memcpy with an invalid size in TiffDecode.c
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/86f02f7c70862a0954bfe8133736d352db978eaa
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1934685
+Patch9: CVE-2021-25290.patch
+# CVE-2021-25292 backtracking regex in PDF parser could be used as a DOS attack
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/3bce145966374dd39ce58a6fc0083f8d1890719c
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25292
+Patch10: CVE-2021-25292.patch
+# CVE-2021-25293 out-of-bounds read in SGIRleDecode.c
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/4853e522bddbec66022c0915b9a56255d0188bf9
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25293
+Patch11: CVE-2021-25293.patch
+# CVE-2021-27921 reported size of a contained image is not properly checked for a BLP container
+# CVE-2021-27922 reported size of a contained image is not properly checked for an ICNS container
+# CVE-2021-27923 reported size of a contained image is not properly checked for an ICO container
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/480f6819b592d7f07b9a9a52a7656c10bbe07442
+# Tracking bugs:
+# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27921
+# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27922
+# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27923
+Patch12: CVE-2021-27921_27922_27923.patch
+# CVE-2021-25288 and 25287 out-of-bounds read in J2kDecode in j2ku_gray_i and j2ku_graya_la
+# Upstream fixes this patch combines:
+# - Original fix for the CVEs: https://github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87
+# - Older commit the fix is based on: https://github.com/python-pillow/Pillow/commit/cf6da6b79080a8c16984102fdc85f7ce28dca613
+# Tracking bugs:
+# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25287
+# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25288
+Patch13: CVE-2021-25287_25288.patch
+# CVE-2021-28675 DoS in PsdImagePlugin
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/22e9bee4ef225c0edbb9323f94c26cee0c623497
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28675
+Patch14: CVE-2021-28675.patch
+# CVE-2021-28676 infinite loop in FliDecode.c can lead to DoS
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28676
+Patch15: CVE-2021-28676.patch
+# CVE-2021-28677 DoS in the open phase via a malicious EPS file
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28677
+Patch16: CVE-2021-28677.patch
+# CVE-2021-28678 improper check in BlpImagePlugin can lead to DoS
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/496245aa4365d0827390bd0b6fbd11287453b3a1
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28678
+Patch17: CVE-2021-28678.patch
+# CVE-2021-34552: buffer overflow in Convert.c because it allow an attacker to pass
+# controlled parameters directly into a convert function
+# Upstream fix: https://github.com/python-pillow/Pillow/pull/5567
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1982378
+Patch18: CVE-2021-34552.patch
BuildRequires: freetype-devel
BuildRequires: gcc
@@ -184,14 +243,32 @@ popd
%changelog
-* Mon Jul 13 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-12
-- Fix for CVE-2020-5313
-Resolves: rhbz#1789532
+* Mon Aug 02 2021 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-16
+- Fix for CVE-2021-34552
+Resolves: rhbz#1982378
+
+* Mon Jun 14 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-15
+- Fixes for CVE-2021-25288, CVE-2021-25287, CVE-2021-28675, CVE-2021-28676,
+CVE-2021-28677 and CVE-2021-28678
+Resolves: rhbz#1958231, rhbz#1958226, rhbz#1958240, rhbz#1958252, rhbz#1958257, rhbz#1958263
+
+* Fri Apr 09 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-14
+- Fixes for CVE-2021-25290, CVE-2021-25292, CVE-2021-25293, CVE-2021-27921
+CVE-2021-27922, and CVE-2021-27923
+Resolves: rhbz#1934685 rhbz#1934699 rhbz#1934705 rhbz#1935384 rhbz#1935396 rhbz#1935401
+
+* Thu Feb 18 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-13
+- Fixes for CVE-2020-35653 and CVE-2020-35655
+Resolves: rhbz#1915420 rhbz#1915432
-* Mon Jul 13 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-11
+* Mon Jul 13 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-12
- Fix for CVE-2020-11538
Resolves: rhbz#1852814
+* Wed Mar 04 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-11
+- Fix for CVE-2020-5313
+Resolves: rhbz#1789532
+
* Mon Feb 17 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-10
- Bump and rebuild for gating to deliver CVE fixes
Resolves: rhbz#1789535