diff --git a/0000-CVE-2019-16865-1.patch b/0000-CVE-2019-16865-1.patch
deleted file mode 100644
index 5635a0b0f29785ba5378194333fe911fe967f2f6..0000000000000000000000000000000000000000
--- a/0000-CVE-2019-16865-1.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From 5d4b5d152f3408352d600ba97980061ea054e8e9 Mon Sep 17 00:00:00 2001 -From: Andrew Murray -Date: Sun, 29 Sep 2019 14:16:30 +1000 -Subject: [PATCH] Corrected negative seeks - -Signed-off-by: hanxinke ---- - src/PIL/PsdImagePlugin.py | 6 ++++-- - src/libImaging/RawDecode.c | 11 +++++++++-- - 2 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py -index 2d64ecd..e82dda2 100644 ---- a/src/PIL/PsdImagePlugin.py -+++ b/src/PIL/PsdImagePlugin.py -@@ -209,9 +209,11 @@ def _layerinfo(file): - # skip over blend flags and extra information - filler = read(12) - name = "" -- size = i32(read(4)) -+ size = i32(read(4)) # length of the extra data field - combined = 0 - if size: -+ data_end = file.tell() + size -+ - length = i32(read(4)) - if length: - mask_y = i32(read(4)) -@@ -233,7 +235,7 @@ def _layerinfo(file): - name = read(length).decode('latin-1', 'replace') - combined += length + 1 - -- file.seek(size - combined, 1) -+ file.seek(data_end) - layers.append((name, mode, (x0, y0, x1, y1))) - - # get tiles -diff --git a/src/libImaging/RawDecode.c b/src/libImaging/RawDecode.c -index 40c0cb7..d4b7994 100644 ---- a/src/libImaging/RawDecode.c -+++ b/src/libImaging/RawDecode.c -@@ -33,8 +33,15 @@ ImagingRawDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) - - /* get size of image data and padding */ - state->bytes = (state->xsize * state->bits + 7) / 8; -- rawstate->skip = (rawstate->stride) ? -- rawstate->stride - state->bytes : 0; -+ if (rawstate->stride) { -+ rawstate->skip = rawstate->stride - state->bytes; -+ if (rawstate->skip < 0) { -+ state->errcode = IMAGING_CODEC_CONFIG; -+ return -1; -+ } -+ } else { -+ rawstate->skip = 0; -+ } - - /* check image orientation */ - if (state->ystep < 0) { --- -2.19.1 - 
diff --git a/0001-CVE-2019-16865-2.patch b/0001-CVE-2019-16865-2.patch deleted file mode 100644 index 1a154af62e8da54fcb6e824a092e18d1cf429b24..0000000000000000000000000000000000000000 --- a/0001-CVE-2019-16865-2.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 88d9a3994bc244f14d0f594755ac896a235017c5 Mon Sep 17 00:00:00 2001 -From: Andrew Murray -Date: Sun, 29 Sep 2019 14:14:38 +1000 -Subject: [PATCH] Added decompression bomb checks - -Signed-off-by: hanxinke ---- - src/PIL/GifImagePlugin.py | 1 + - src/PIL/IcoImagePlugin.py | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py -index 107c015..70eebf9 100644 ---- a/src/PIL/GifImagePlugin.py -+++ b/src/PIL/GifImagePlugin.py -@@ -252,6 +252,7 @@ class GifImageFile(ImageFile.ImageFile): - self.dispose = None - elif self.disposal_method == 2: - # replace with background colour -+ Image._decompression_bomb_check(self.size) - self.dispose = Image.core.fill("P", self.size, - self.info["background"]) - else: -diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py -index 589ef3c..926838d 100644 ---- a/src/PIL/IcoImagePlugin.py -+++ b/src/PIL/IcoImagePlugin.py -@@ -167,6 +167,7 @@ class IcoFile(object): - else: - # XOR + AND mask bmp frame - im = BmpImagePlugin.DibImageFile(self.buf) -+ Image._decompression_bomb_check(im.size) - - # change tile dimension to only encompass XOR image - im._size = (im.size[0], int(im.size[1] / 2)) --- -2.19.1 - diff --git a/0002-CVE-2019-16865-3.patch b/0002-CVE-2019-16865-3.patch deleted file mode 100644 index a659ae3539a02bc718b8b39f049b70a18bedf3fc..0000000000000000000000000000000000000000 --- a/0002-CVE-2019-16865-3.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From ab569e61066e1ef4490db730ca13180afe18e461 Mon Sep 17 00:00:00 2001 -From: Andrew Murray -Date: Sun, 29 Sep 2019 14:15:48 +1000 -Subject: [PATCH] Raise error if dimension is a string - -Signed-off-by: hanxinke ---- - src/PIL/TiffImagePlugin.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py -index 5059a13..05f58e5 100644 ---- a/src/PIL/TiffImagePlugin.py -+++ b/src/PIL/TiffImagePlugin.py -@@ -1185,8 +1185,8 @@ class TiffImageFile(ImageFile.ImageFile): - print("- YCbCr subsampling:", self.tag.get(530)) - - # size -- xsize = self.tag_v2.get(IMAGEWIDTH) -- ysize = self.tag_v2.get(IMAGELENGTH) -+ xsize = int(self.tag_v2.get(IMAGEWIDTH)) -+ ysize = int(self.tag_v2.get(IMAGELENGTH)) - self._size = xsize, ysize - - if DEBUG: --- -2.19.1 - diff --git a/0003-CVE-2019-16865-4.patch b/0003-CVE-2019-16865-4.patch deleted file mode 100644 index b809da052c532c7f3f28c6746983e18cbf2a1b3b..0000000000000000000000000000000000000000 --- a/0003-CVE-2019-16865-4.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 1f90f191cef5f4d18cb229e3717d0b2010e9b434 Mon Sep 17 00:00:00 2001 -From: Andrew Murray -Date: Mon, 30 Sep 2019 18:45:43 +1000 -Subject: [PATCH] Catch buffer overruns - -Signed-off-by: hanxinke ---- - src/libImaging/FliDecode.c | 14 +++++++++++--- - src/libImaging/PcxDecode.c | 5 +++++ - src/libImaging/SgiRleDecode.c | 5 +++++ - 3 files changed, 21 insertions(+), 3 deletions(-) - -diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c -index 6d22c6c..600528e 100644 ---- a/src/libImaging/FliDecode.c -+++ b/src/libImaging/FliDecode.c -@@ -30,7 +30,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) - { - UINT8* ptr; - int framesize; -- int c, chunks; -+ int c, chunks, advance; - int l, lines; - int i, j, x = 0, y, ymax; - -@@ -59,10 +59,16 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) - - chunks = I16(ptr+6); - ptr += 16; -+ bytes -= 16; - - /* Process subchunks */ - for (c = 0; c < chunks; c++) { -- UINT8 *data = ptr + 6; -+ UINT8* data; -+ if (bytes < 10) { -+ state->errcode = IMAGING_CODEC_OVERRUN; -+ return -1; -+ } -+ data = ptr + 6; - switch (I16(ptr+4)) { - case 4: case 11: - /* FLI COLOR chunk */ -@@ -198,7 +204,9 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) - state->errcode = IMAGING_CODEC_UNKNOWN; - return -1; - } -- ptr += I32(ptr); -+ advance = I32(ptr); -+ ptr += advance; -+ bytes -= advance; - } - - return -1; /* end of frame */ -diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c -index e5417f1..51de069 100644 ---- a/src/libImaging/PcxDecode.c -+++ b/src/libImaging/PcxDecode.c -@@ -22,6 +22,11 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) - UINT8 n; - UINT8* ptr; - -+ if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) { -+ state->errcode = IMAGING_CODEC_OVERRUN; -+ return -1; -+ } -+ - ptr = buf; - - for (;;) { -diff --git a/src/libImaging/SgiRleDecode.c 
b/src/libImaging/SgiRleDecode.c -index 9d8e563..39e7b3a 100644 ---- a/src/libImaging/SgiRleDecode.c -+++ b/src/libImaging/SgiRleDecode.c -@@ -156,6 +156,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, - c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize]; - c->rleoffset -= SGI_HEADER_SIZE; - -+ if (c->rleoffset + c->rlelength > c->bufsize) { -+ state->errcode = IMAGING_CODEC_OVERRUN; -+ return -1; -+ } -+ - /* row decompression */ - if (c->bpc ==1) { - if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands)) --- -2.19.1 - diff --git a/Pillow-5.3.0.tar.gz b/Pillow-7.2.0.tar.gz similarity index 37% rename from Pillow-5.3.0.tar.gz rename to Pillow-7.2.0.tar.gz index abdf4fe5e49a8d2cffd20cfde999b661e2a06e2d..d2e013e8de8461dbd64303cb2fd41528cf1c2536 100644 Binary files a/Pillow-5.3.0.tar.gz and b/Pillow-7.2.0.tar.gz differ diff --git a/python-pillow.spec b/python-pillow.spec index 02b000925167893fc83c3f269a8d65cf1207c835..4167ff424227ad9570ea9bf5332245f6306020b5 100644 --- a/python-pillow.spec +++ b/python-pillow.spec 
@@ -1,78 +1,27 @@ -%global py2_incdir %(python2 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_inc())') %global py3_incdir %(python3 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_inc())') -%global py2_libbuilddir %(python2 -c 'import sys; import sysconfig; print("lib.{p}-{v[0]}.{v[1]}".format(p=sysconfig.get_platform(), v=sys.version_info))') %global py3_libbuilddir %(python3 -c 'import sys; import sysconfig; print("lib.{p}-{v[0]}.{v[1]}".format(p=sysconfig.get_platform(), v=sys.version_info))') Name: python-pillow -Version: 5.3.0 -Release: 4 +Version: 7.2.0 +Release: 1 Summary: Python image processing library License: MIT URL: http://python-pillow.github.io/ Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz -Patch0000: 0000-CVE-2019-16865-1.patch -Patch0001: 0001-CVE-2019-16865-2.patch -Patch0002: 0002-CVE-2019-16865-3.patch -Patch0003: 0003-CVE-2019-16865-4.patch - BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel -BuildRequires: python2-cffi python2-devel python2-numpy python2-olefile python2-setuptools -BuildRequires: python2-sphinx python2-sphinx_rtd_theme python2-tkinter BuildRequires: python3-cffi python3-devel python3-numpy python3-olefile BuildRequires: python3-setuptools python3-sphinx python3-sphinx_rtd_theme python3-tkinter Requires: ghostscript -%global __provides_exclude_from ^%{python2_sitearch}/PIL/.*\\.so$ %global __provides_exclude_from ^%{python3_sitearch}/PIL/.*\\.so$ %description Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging \ Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift. 
- -%package -n python2-pillow -Summary: Python 2 image processing library -%{?python_provide:%python_provide python2-pillow} -Provides: python-imaging = %{version}-%{release} python2-imaging = %{version}-%{release} -Provides: python2-pillow-tk = %{version}-%{release} python2-pillow-qt = %{version}-%{release} -Provides: python-imaging-tk = %{version}-%{release} python2-imaging-tk = %{version}-%{release} -Provides: python-imaging-qt = %{version}-%{release} python2-imaging-qt = %{version}-%{release} -Requires: python2-olefile python2-tkinter python2-PyQt4 - -Obsoletes: python2-pillow-tk < %{version}-%{release} python2-pillow-qt < %{version}-%{release} -%{?python_provide:%python_provide python2-pillow-tk} -%{?python_provide:%python_provide python2-pillow-qt} - -%description -n python2-pillow -Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging \ -Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift. - - -%package -n python2-pillow-devel -Summary: Development files for pillow -Requires: python2-devel libjpeg-devel zlib-devel python2-pillow = %{version}-%{release} -%{?python_provide:%python_provide python2-pillow-devel} -Provides: python-imaging-devel = %{version}-%{release} python2-imaging-devel = %{version}-%{release} - -%description -n python2-pillow-devel -Development files for pillow. - -%package -n python2-pillow-help -Summary: Documentation for pillow -BuildArch: noarch -Requires: python2-pillow = %{version}-%{release} -%{?python_provide:%python_provide python2-pillow-doc} -Provides: python-imaging-doc = %{version}-%{release} python2-imaging-doc = %{version}-%{release} -Provides: python2-pillow-doc = %{version}-%{release} -Obsoletes: python2-pillow-doc < %{version}-%{release} - -%description -n python2-pillow-help -Documentation for pillow. - - %package -n python3-pillow Summary: Python 3 image processing library %{?python_provide:%python_provide python3-pillow} 
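Review bot: The removal of `Patch0000`–`Patch0003` (the four CVE-2019-16865 backports) in the spec header is not explained anywhere; the changelog entry added at the end of the spec says only `update to 7.2.0,remove python2 support`. Upstream lists CVE-2019-16865 as fixed in Pillow 6.2.0, so the 7.2.0 tarball should already contain these changes, but that is worth confirming against the new source, for example the `data_end` seek in PsdImagePlugin.py and the `IMAGING_CODEC_OVERRUN` checks in FliDecode.c. Record the reason in the changelog, e.g. `- drop CVE-2019-16865 patches, fixed upstream in 6.2.0`, so a later audit does not read the dropped patches as a regression.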
@@ -113,30 +62,17 @@ Documentation for pillow. %autosetup -p1 -n Pillow-%{version} %build -%py2_build -PYTHONPATH=$PWD/build/%py2_libbuilddir make -C docs html BUILDDIR=_build_py2 SPHINXBUILD=sphinx-build-%python2_version -find . -name "docs/_build_py2/html/.buildinfo" -exec rm {} \; %py3_build PYTHONPATH=$PWD/build/%py3_libbuilddir make -C docs html BUILDDIR=_build_py3 SPHINXBUILD=sphinx-build-%python3_version find . -name "docs/_build_py3/html/.buildinfo" -exec rm {} \; %install -mkdir -p %{buildroot}/%{py2_incdir}/Imaging -install -m 644 src/libImaging/*.h %{buildroot}/%{py2_incdir}/Imaging -%py2_install mkdir -p %{buildroot}/%{py3_incdir}/Imaging install -m 644 src/libImaging/*.h %{buildroot}/%{py3_incdir}/Imaging %py3_install %check -ln -s $PWD/Images $PWD/build/%py2_libbuilddir/Images -cp -R $PWD/Tests $PWD/build/%py2_libbuilddir/Tests -install $PWD/selftest.py $PWD/build/%py2_libbuilddir/selftest.py -pushd build/%py2_libbuilddir -PYTHONPATH=$PWD %{__python2} selftest.py -popd - ln -s $PWD/Images $PWD/build/%py3_libbuilddir/Images cp -R $PWD/Tests $PWD/build/%py3_libbuilddir/Tests install $PWD/selftest.py $PWD/build/%py3_libbuilddir/selftest.py @@ -144,17 +80,6 @@ pushd build/%py3_libbuilddir PYTHONPATH=$PWD %{__python3} selftest.py popd -%files -n python2-pillow -%doc README.rst CHANGES.rst -%license docs/COPYING -%{python2_sitearch}/* - -%files -n python2-pillow-devel -%{py2_incdir}/Imaging/ - -%files -n python2-pillow-help -%doc docs/_build_py2/html - %files -n python3-pillow %doc README.rst CHANGES.rst %license docs/COPYING @@ -168,6 +93,9 @@ popd %doc docs/_build_py3/html %changelog +* Mon Aug 10 2020 yanglongkang - 7.2.0-1 +- update to 7.2.0,remove python2 support + * Wed Mar 11 2020 hy - 5.3.0-4 - fix CVE-2019-16865 * Thu Dec 12 2019 Senlin Xia - 5.3.0-3
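Review bot: The line `find . -name "docs/_build_py3/html/.buildinfo" -exec rm {} \;` kept in %build can never match, because `-name` compares only a file's base name and a pattern containing `/` matches nothing. As a result `.buildinfo` is still shipped in the help package through `%doc docs/_build_py3/html`. Replace it with `rm -f docs/_build_py3/html/.buildinfo`. The removed py2 line had the same form, so this predates the commit.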