From b2426c8fd1bfe9e8d97ff288928e553af393e4ff Mon Sep 17 00:00:00 2001
From: liudabo
Date: Mon, 15 Mar 2021 20:38:50 +0800
Subject: [PATCH] fix CVE-2021-27921 CVE-2021-27922CVE-2021-27923
---
 ...-27921_CVE-2021-27922_CVE-2021-27923.patch | 65 +++++++++++++++++++
 python-pillow.spec | 9 ++-
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch
diff --git a/backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch b/backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch
new file mode 100644
index 0000000..ff8c0f5
--- /dev/null
+++ b/backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch
@@ -0,0 +1,65 @@
+From 480f6819b592d7f07b9a9a52a7656c10bbe07442 Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Wed, 24 Feb 2021 23:27:07 +0100
+Subject: [PATCH] Fix Memory DOS in Icns, Ico and Blp Image Plugins
+
+Some container plugins that could contain images of other formats,
+such as the ICNS format, did not properly check the reported size of
+the contained image. These images could cause arbitrariliy large
+memory allocations.
+
+This is fixed for all locations where individual *ImageFile classes
+are created without going through the usual Image.open method.
+---
+ src/PIL/BlpImagePlugin.py | 1 +
+ src/PIL/IcnsImagePlugin.py | 2 ++
+ src/PIL/IcoImagePlugin.py | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
+index 398e0fa..792a433 100644
+--- a/src/PIL/BlpImagePlugin.py
++++ b/src/PIL/BlpImagePlugin.py
+@@ -362,6 +362,7 @@ class BLP1Decoder(_BLPBaseDecoder):
+ data = jpeg_header + data
+ data = BytesIO(data)
+ image = JpegImageFile(data)
++ Image._decompression_bomb_check(image.size)
+ self.tile = image.tile # :/
+ self.fd = image.fp
+ self.mode = image.mode
+diff --git a/src/PIL/IcnsImagePlugin.py b/src/PIL/IcnsImagePlugin.py
+index 21236d4..4147395 100644
+--- a/src/PIL/IcnsImagePlugin.py
++++ b/src/PIL/IcnsImagePlugin.py
+@@ -110,6 +110,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
+ if sig[:8] == b'\x89PNG\x0d\x0a\x1a\x0a':
+ fobj.seek(start)
+ im = PngImagePlugin.PngImageFile(fobj)
++ Image._decompression_bomb_check(im.size)
+ return {"RGBA": im}
+ elif sig[:4] == b'\xff\x4f\xff\x51' \
+ or sig[:4] == b'\x0d\x0a\x87\x0a' \
+@@ -121,6 +122,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
+ fobj.seek(start)
+ jp2kstream = fobj.read(length)
+ f = io.BytesIO(jp2kstream)
++ Image._decompression_bomb_check(im.size)
+ im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
+ if im.mode != 'RGBA':
+ im = im.convert('RGBA')
+diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
+index 926838d..f358695 100644
+--- a/src/PIL/IcoImagePlugin.py
++++ b/src/PIL/IcoImagePlugin.py
+@@ -164,6 +164,7 @@ class IcoFile(object):
+ if data[:8] == PngImagePlugin._MAGIC:
+ # png frame
+ im = PngImagePlugin.PngImageFile(self.buf)
++ Image._decompression_bomb_check(im.size)
+ else:
+ # XOR + AND mask bmp frame
+ im = BmpImagePlugin.DibImageFile(self.buf)
+--
+2.23.0
+
diff --git a/python-pillow.spec b/python-pillow.spec
index 6480192..5803ee1 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -5,7 +5,7 @@
 Name: python-pillow
 Version: 5.3.0
-Release: 12
+Release: 13
 Summary: Python image processing library
 License: MIT
 URL: http://python-pillow.github.io/
@@ -28,6 +28,7 @@ Patch0018: CVE-2020-5312.patch
 Patch0019: CVE-2020-5313.patch
 Patch0020: backport-CVE-2020-35653.patch
 Patch6000: backport-CVE-2020-35655.patch
+Patch6001: backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch
 BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
 BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
@@ -181,6 +182,12 @@ popd
 %doc docs/_build_py3/html
 %changelog
+* Mon Mar 15 2021 wangye - 5.3.0-13
+- Type:cves
+- ID:CVE-2021-27921 CVE-2021-27922 CVE-2021-27923
+- SUG:NA
+- DESC:fix CVE-2021-27921 CVE-2021-27922 CVE-2021-27923
+
 * Wed Feb 24 2021 jinzhimin - 5.3.0-12
 - fix CVE-2020-35655
-- Gitee
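Review bot: In the backported patch's second IcnsImagePlugin.py hunk (`@@ -121,6 +122,7 @@`), `Image._decompression_bomb_check(im.size)` is added one line above `im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)`, so the JPEG 2000 branch reads `im` before it is assigned. In the visible context the only earlier assignment to `im` is in the PNG branch, which returns, so this path most likely raises UnboundLocalError: ICNS files carrying a JPEG 2000 icon would fail to load, and the size guard never sees the embedded image's real dimensions. Swap the two lines so the check follows construction, `im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)` then `Image._decompression_bomb_check(im.size)`, matching the PNG branch and the Ico and Blp hunks. read_png_or_jpeg2000 starts and ends outside the hunk, so confirm against the full 5.3.0 source that nothing else binds `im` earlier and that `Image` is imported in each of the three plugins.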