diff --git a/CVE-2022-45199.patch b/CVE-2022-45199.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2173fc7e001f7ec24c668f18fd9dd6a457da905e
--- /dev/null
+++ b/CVE-2022-45199.patch
@@ -0,0 +1,79 @@
+From 9ae8f6b7aa8ea4638cb675267cd20c5425dcfafc Mon Sep 17 00:00:00 2001
+From: qz_cx
+Date: Thu, 17 Nov 2022 10:28:59 +0800
+Subject: [PATCH] Merge pull request #6700 from
+ hugovk/security-samples_per_pixel-sec
+
+hugovk committed
+Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
+A large value in the SAMPLESPERPIXEL tag could lead to a memory and
+runtime DOS in TiffImagePlugin.py when setting up the context for
+image decoding.
+---
+ Tests/test_file_tiff.py | 14 +++++++++++++-
+ src/PIL/TiffImagePlugin.py | 10 ++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/Tests/test_file_tiff.py b/Tests/test_file_tiff.py
+index 5801e17..57fabfa 100644
+--- a/Tests/test_file_tiff.py
++++ b/Tests/test_file_tiff.py
+@@ -3,7 +3,7 @@ from io import BytesIO
+
+ import pytest
+
+-from PIL import Image, ImageFile, TiffImagePlugin
++from PIL import Image, ImageFile, TiffImagePlugin, UnidentifiedImageError
+ from PIL.TiffImagePlugin import RESOLUTION_UNIT, X_RESOLUTION, Y_RESOLUTION
+
+ from .helper import (
+@@ -734,6 +734,18 @@ class TestFileTiff:
+ im.load()
+ ImageFile.LOAD_TRUNCATED_IMAGES = False
+
++ @pytest.mark.parametrize(
++ "test_file",
++ [
++ "Tests/images/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif",
++ ],
++ )
++ @pytest.mark.timeout(2)
++ def test_oom(self, test_file):
++ with pytest.raises(UnidentifiedImageError):
++ with pytest.warns(UserWarning):
++ with Image.open(test_file):
++ pass
+
+ @pytest.mark.skipif(not is_win32(), reason="Windows only")
+ class TestFileTiffW32:
+diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
+index 5df5c4f..f2afe63 100644
+--- a/src/PIL/TiffImagePlugin.py
++++ b/src/PIL/TiffImagePlugin.py
+@@ -252,6 +252,8 @@ OPEN_INFO = {
+ (MM, 8, (1,), 1, (8, 8, 8), ()): ("LAB", "LAB"),
+ }
+
++MAX_SAMPLESPERPIXEL = max(len(key_tp[4]) for key_tp in OPEN_INFO.keys())
++
+ PREFIXES = [
+ b"MM\x00\x2A", # Valid TIFF header with big-endian byte order
+ b"II\x2A\x00", # Valid TIFF header with little-endian byte order
+@@ -1310,6 +1312,14 @@ class TiffImageFile(ImageFile.ImageFile):
+ SAMPLESPERPIXEL,
+ 3 if self._compression == "tiff_jpeg" and photo in (2, 6) else 1,
+ )
++
++ if samplesPerPixel > MAX_SAMPLESPERPIXEL:
++ # DOS check, samplesPerPixel can be a Long, and we extend the tuple below
++ logger.error(
++ "More samples per pixel than can be decoded: %s", samplesPerPixel
++ )
++ raise SyntaxError("Invalid value for samples per pixel")
++
+ if len(bps_tuple) != samplesPerPixel:
+ raise SyntaxError("unknown data organization")
+
+--
+2.33.0
+
diff --git a/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif b/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
new file mode 100644
index 0000000000000000000000000000000000000000..01dca594f53e22fda9b11ed5b704326680af1b8c
Binary files /dev/null and b/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif differ
diff --git a/python-pillow.spec b/python-pillow.spec
index b0120aff63cbbaa0f7b662e9c330014f02e6432c..60bf5151932d358d1c6a4a5fef44f604f9fe0b2d 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -5,16 +5,17 @@ Name: python-pillow Version: 9.0.1 -Release: 2 +Release: 3 Summary: Python image processing library License: MIT URL: http://python-pillow.github.io/ Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz +Source1: oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif -Patch0: python-pillow_spinxwarn.patch -Patch1: python-pillow_sphinx-issues.patch - -Patch6000: backport-Corrected-memory-allocation.patch +Patch0000: python-pillow_spinxwarn.patch +Patch0001: python-pillow_sphinx-issues.patch +Patch0002: backport-Corrected-memory-allocation.patch +Patch0003: CVE-2022-45199.patch BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel BuildRequires: libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
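Review bot: The comment on the new guard in src/PIL/TiffImagePlugin.py says "we extend the tuple below", but in the context carried by this backport the statement that follows is `if len(bps_tuple) != samplesPerPixel:`, which only compares and raises. The code that actually sizes a tuple from file-supplied values is not visible in the hunk (the method starts and ends outside it), so it is worth confirming against the 9.0.1 sources that the `MAX_SAMPLESPERPIXEL` check sits before that allocation and bounds the value that drives it. If the placement holds, a comment matching this version would help the next maintainer, for example `# DoS check: samplesPerPixel is read from the file and can be a LONG; reject it before anything is sized from it`.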
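Review bot: The regression test added by Patch0003 is decorated with `@pytest.mark.timeout(2)`, which only takes effect when the pytest-timeout plugin is installed, and neither `BuildRequires` line visible in this hunk lists it (the list may continue outside the hunk). Without the plugin the marker is not enforced, so a regression in the SAMPLESPERPIXEL guard would stall or exhaust memory during the test run instead of failing within two seconds. If it is not declared further down, consider adding the distribution's pytest-timeout package as a build dependency, typically `BuildRequires: python3-pytest-timeout`.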
@@ -96,6 +97,7 @@ Qt pillow image wrapper. %autosetup -p1 -n Pillow-%{version} %build +cp %{SOURCE1} Tests/images/ %py3_build @@ -152,6 +154,9 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v %{python3_sitearch}/PIL/__pycache__/ImageQt* %changelog +* Wed Nov 23 2022 jiangpeng - 9.0.1-3 +- Fix CVE-2022-45199 + * Wed Apr 20 2022 dongyuzhen - 9.0.1-2 - correct memory allocation in alloc_array (this is the rear patch of CVE-2022-22815,CVE-2022-22816)
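Review bot: `cp %{SOURCE1} Tests/images/` is placed under `%build`, although it stages a test fixture and builds nothing. It would be easier to follow next to `%autosetup -p1 -n Pillow-%{version}` or at the start of the test section, so the fixture is prepared alongside the patch that needs it. A one-line comment would also explain why the file travels as a separate source, for example `# Fixture for the CVE-2022-45199 regression test; shipped as Source1 because the patch file does not carry the binary`.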