From f767c20e9e35ecac169064ffacff94e115fe34e2 Mon Sep 17 00:00:00 2001
From: shirely16
Date: Sat, 20 Mar 2021 16:28:21 +0800
Subject: [PATCH] fix CVE
Signed-off-by: shirely16
---
 ...-27921_CVE-2021-27922_CVE-2021-27923.patch | 60 +++++++++++++++++++
 python-pillow.spec | 10 +++-
 2 files changed, 67 insertions(+), 3 deletions(-)
 create mode 100644 backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch
diff --git a/backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch b/backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch
new file mode 100644
index 0000000..dc39e2a
--- /dev/null
+++ b/backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch
@@ -0,0 +1,60 @@
+From 480f6819b592d7f07b9a9a52a7656c10bbe07442 Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Wed, 24 Feb 2021 23:27:07 +0100
+Subject: [PATCH] Fix Memory DOS in Icns, Ico and Blp Image Plugins
+
+Some container plugins that could contain images of other formats,
+such as the ICNS format, did not properly check the reported size of
+the contained image. These images could cause arbitrariliy large
+memory allocations.
+
+This is fixed for all locations where individual *ImageFile classes
+are created without going through the usual Image.open method.
+---
+
+ src/PIL/BlpImagePlugin.py | 1 +
+ src/PIL/IcnsImagePlugin.py | 2 ++
+ src/PIL/IcoImagePlugin.py | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff -Nuar Pillow-8.1.1-old/src/PIL/BlpImagePlugin.py Pillow-8.1.1/src/PIL/BlpImagePlugin.py
+--- Pillow-8.1.1-old/src/PIL/BlpImagePlugin.py 2021-03-13 16:44:33.159000000 +0800
++++ Pillow-8.1.1/src/PIL/BlpImagePlugin.py 2021-03-13 16:51:52.803000000 +0800
+@@ -353,6 +353,7 @@
+ data = jpeg_header + data
+ data = BytesIO(data)
+ image = JpegImageFile(data)
++ Image._decompression_bomb_check(image.size)
+ self.tile = image.tile # :/
+ self.fd = image.fp
+ self.mode = image.mode
+diff -Nuar Pillow-8.1.1-old/src/PIL/IcnsImagePlugin.py Pillow-8.1.1/src/PIL/IcnsImagePlugin.py
+--- Pillow-8.1.1-old/src/PIL/IcnsImagePlugin.py 2021-03-13 16:44:33.160000000 +0800
++++ Pillow-8.1.1/src/PIL/IcnsImagePlugin.py 2021-03-13 16:54:10.925000000 +0800
+@@ -105,6 +105,7 @@
+ if sig[:8] == b"\x89PNG\x0d\x0a\x1a\x0a":
+ fobj.seek(start)
+ im = PngImagePlugin.PngImageFile(fobj)
++ Image._decompression_bomb_check(im.size)
+ return {"RGBA": im}
+ elif (
+ sig[:4] == b"\xff\x4f\xff\x51"
+@@ -120,6 +121,7 @@
+ fobj.seek(start)
+ jp2kstream = fobj.read(length)
+ f = io.BytesIO(jp2kstream)
++ Image._decompression_bomb_check(im.size)
+ im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
+ if im.mode != "RGBA":
+ im = im.convert("RGBA")
+diff -Nuar Pillow-8.1.1-old/src/PIL/IcoImagePlugin.py Pillow-8.1.1/src/PIL/IcoImagePlugin.py
+--- Pillow-8.1.1-old/src/PIL/IcoImagePlugin.py 2021-03-13 16:44:33.160000000 +0800
++++ Pillow-8.1.1/src/PIL/IcoImagePlugin.py 2021-03-13 16:55:31.306000000 +0800
+@@ -178,6 +178,7 @@
+ if data[:8] == PngImagePlugin._MAGIC:
+ # png frame
+ im = PngImagePlugin.PngImageFile(self.buf)
++ Image._decompression_bomb_check(im.size)
+ else:
+ # XOR + AND mask bmp frame
+ im = BmpImagePlugin.DibImageFile(self.buf)
diff --git a/python-pillow.spec b/python-pillow.spec
index 8414db0..0f42b54 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -3,14 +3,15 @@
 Name: python-pillow
 Version: 7.2.0
-Release: 3
+Release: 4
 Summary: Python image processing library
 License: MIT
 URL: http://python-pillow.github.io/
 Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
-Patch0000: backport-CVE-2020-35653.patch
-Patch6000: backport-CVE-2020-35655.patch
+Patch6000: backport-CVE-2020-35653.patch
+Patch6001: backport-CVE-2020-35655.patch
+Patch6002: backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch
 BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
 BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
@@ -96,6 +97,9 @@ popd
 %doc docs/_build_py3/html
 %changelog
+* Sat Mar 20 2021 hanhui - 7.2.0-4
+- fix CVE-2021-27921 CVE-2021-27922 CVE-2021-27923
+
 * Tue Feb 23 2021 jinzhimin - 7.2.0-3
 - fix CVE-2020-35655
-- Gitee
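Review bot: In the second IcnsImagePlugin.py hunk of the backported patch (`@@ -120,6 +121,7 @@`), `Image._decompression_bomb_check(im.size)` sits before `im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)`, so `im` is read before this branch assigns it. In the visible lines the PNG branch above returns before reaching this point, so a JPEG 2000 entry in an ICNS file would most likely raise UnboundLocalError: legitimate files stop loading and the intended size check never runs on this path. The two lines should be swapped, `im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)` followed by `Image._decompression_bomb_check(im.size)`, which matches the order used in the Blp, PNG-in-ICNS and Ico hunks. The enclosing function begins and ends outside the hunk, so confirm there is no earlier binding of `im`; the Pillow-8.1.1 paths inside a patch attached to a 7.2.0 spec also suggest checking that every hunk applies to the packaged source without fuzz.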