diff --git a/CVE-2024-28219.patch b/CVE-2024-28219.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ba6c72c89e114dac6f5b9ebc5084ede38dcdcf38
--- /dev/null
+++ b/CVE-2024-28219.patch
@@ -0,0 +1,58 @@
+From 2a93aba5cfcf6e241ab4f9392c13e3b74032c061 Mon Sep 17 00:00:00 2001
+From: Andrew Murray
+Date: Thu, 22 Feb 2024 18:56:26 +1100
+Subject: [PATCH] Use strncpy to avoid buffer overflow
+
+Origin: https://github.com/python-pillow/Pillow/commit/2a93aba5cfcf6e241ab4f9392c13e3b74032c061
+
+---
+ Tests/icc/sGrey-v2-nano.icc | Bin 0 -> 290 bytes
+ Tests/test_imagecms.py | 5 +++++
+ src/_imagingcms.c | 9 ++++-----
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+ create mode 100644 Tests/icc/sGrey-v2-nano.icc
+
+diff --git a/Tests/test_imagecms.py b/Tests/test_imagecms.py
+index c80fab75b67..fbd78032e59 100644
+--- a/Tests/test_imagecms.py
++++ b/Tests/test_imagecms.py
+@@ -661,6 +661,11 @@ def test_auxiliary_channels_isolated() -> None:
+ assert_image_equal(test_image.convert(dst_format[2]), reference_image)
+
+
++def test_long_modes() -> None:
++ p = ImageCms.getOpenProfile("Tests/icc/sGrey-v2-nano.icc")
++ ImageCms.buildTransform(p, p, "ABCDEFGHI", "ABCDEFGHI")
++
++
+ @pytest.mark.parametrize("mode", ("RGB", "RGBA", "RGBX"))
+ def test_rgb_lab(mode):
+ im = Image.new(mode, (1, 1))
+diff --git a/src/_imagingcms.c b/src/_imagingcms.c
+index 4d66dcc1085..84b8a7e71f9 100644
+--- a/src/_imagingcms.c
++++ b/src/_imagingcms.c
+@@ -201,8 +201,8 @@ cms_transform_new(cmsHTRANSFORM transform, char *mode_in, char *mode_out) {
+
+ self->transform = transform;
+
+- strcpy(self->mode_in, mode_in);
+- strcpy(self->mode_out, mode_out);
++ strncpy(self->mode_in, mode_in, 8);
++ strncpy(self->mode_out, mode_out, 8);
+
+ return (PyObject *)self;
+ }
+@@ -242,10 +242,9 @@ findLCMStype(char *PILmode) {
+ // LabX equivalent like ALab, but not reversed -- no #define in lcms2
+ return (COLORSPACE_SH(PT_LabV2) | CHANNELS_SH(3) | BYTES_SH(1) | EXTRA_SH(1));
+ }
+-
+ else {
+- /* take a wild guess... but you probably should fail instead. */
+- return TYPE_GRAY_8; /* so there's no buffer overrun... */
++ /* take a wild guess... */
++ return TYPE_GRAY_8;
+ }
+ }
+
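Review bot: In the `cms_transform_new` hunk of the carried patch, `strncpy(self->mode_in, mode_in, 8);` and `strncpy(self->mode_out, mode_out, 8);` bound the write but leave the destination without a terminating NUL whenever the mode string is 8 characters or longer, which is the case the new `test_long_modes` exercises with "ABCDEFGHI". The field declarations and the start of the function are outside the hunk; if the fields are 8-byte arrays, any later read of them as C strings would run past the field, so either confirm nothing reads them that way or terminate explicitly, e.g. `strncpy(self->mode_in, mode_in, sizeof(self->mode_in) - 1); self->mode_in[sizeof(self->mode_in) - 1] = '\0';`. The new test asserts nothing beyond the call returning, so it only flags a regression reliably on a sanitizer or otherwise hardened build. Since this is a backport of upstream commit 2a93aba, any local hardening should be recorded as a deviation from it.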
diff --git a/python-pillow.spec b/python-pillow.spec index d22a7a54366bbfeb7864aea8fd4b71161b7d1ee0..475e9b677ac5e721998e4222f2100db684bbdef3 100644 --- a/python-pillow.spec +++ b/python-pillow.spec @@ -4,11 +4,15 @@ Name: python-pillow Version: 10.2.0 -Release: 1 +Release: 2 Summary: Python image processing library License: MIT URL: http://python-pillow.github.io/ Source0: https://files.pythonhosted.org/packages/source/p/pillow/pillow-%{version}.tar.gz +# https://github.com/python-pillow/Pillow/blob/2a93aba/Tests/icc/sGrey-v2-nano.icc +Source1: sGrey-v2-nano.icc + +Patch0: CVE-2024-28219.patch BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel BuildRequires: libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile @@ -91,6 +95,7 @@ Qt pillow image wrapper. %autosetup -p1 -n pillow-%{version} %build +cp %{SOURCE1} Tests/icc/ %py3_build @@ -147,6 +152,9 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v %{python3_sitearch}/PIL/__pycache__/ImageQt* %changelog +* Sun Apr 07 2024 wangkai <13474090681@163.com> - 10.2.0-2 +- Fix CVE-2024-28219 + * Wed Feb 07 2024 xu_ping <707078654@qq.com> - 10.2.0-1 - Upgrade version to 10.2.0 diff --git a/sGrey-v2-nano.icc b/sGrey-v2-nano.icc new file mode 100644 index 0000000000000000000000000000000000000000..0e9edfd403182dd3ca815935cc85f33ec5dbd746 Binary files /dev/null and b/sGrey-v2-nano.icc differ
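Review bot: The fixture staging `cp %{SOURCE1} Tests/icc/` is placed under `%build`, but it prepares the source tree for the CVE regression test and belongs in `%prep`, directly after `%autosetup -p1 -n pillow-%{version}`. The `Source1` comment points at a `blob/` page under an abbreviated commit id, which makes the binary hard to re-verify. Citing the full commit from the patch's `Origin:` line and noting the expected size (the patch's diffstat records 290 bytes) would let a reviewer confirm that the ICC file shipped in the package is the upstream one.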