From a4366cd743552f214981d1424593e67c9da749ca Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Wed, 3 Apr 2024 05:59:51 +0800
Subject: [PATCH] Fix CVE-2024-28219
(cherry picked from commit 153d5e6d363befe4ac93a207597edd0e4288f12c)
---
 CVE-2024-28219.patch | 55 +++++++++++++++++++++++++++++++++++++++++++
 python-pillow.spec | 9 ++++++-
 sGrey-v2-nano.icc | Bin 0 -> 290 bytes
 3 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-28219.patch
 create mode 100644 sGrey-v2-nano.icc
diff --git a/CVE-2024-28219.patch b/CVE-2024-28219.patch
new file mode 100644
index 0000000..8e92c3d
--- /dev/null
+++ b/CVE-2024-28219.patch
@@ -0,0 +1,55 @@
+From 2a93aba5cfcf6e241ab4f9392c13e3b74032c061 Mon Sep 17 00:00:00 2001
+From: Andrew Murray
+Date: Thu, 22 Feb 2024 18:56:26 +1100
+Subject: [PATCH] Use strncpy to avoid buffer overflow
+
+Origin: https://github.com/python-pillow/Pillow/commit/2a93aba5cfcf6e241ab4f9392c13e3b74032c061
+
+---
+ Tests/icc/sGrey-v2-nano.icc | Bin 0 -> 290 bytes
+ Tests/test_imagecms.py | 5 +++++
+ src/_imagingcms.c | 9 ++++-----
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+ create mode 100644 Tests/icc/sGrey-v2-nano.icc
+
+diff --git a/Tests/test_imagecms.py b/Tests/test_imagecms.py
+index c80fab75b67..fbd78032e59 100644
+--- a/Tests/test_imagecms.py
++++ b/Tests/test_imagecms.py
+@@ -593,3 +593,8 @@
+ )
+ 
+ assert_image_equal(test_image.convert(dst_format[2]), reference_image)
++
++
++def test_long_modes() -> None:
++ p = ImageCms.getOpenProfile("Tests/icc/sGrey-v2-nano.icc")
++ ImageCms.buildTransform(p, p, "ABCDEFGHI", "ABCDEFGHI")
+diff --git a/src/_imagingcms.c b/src/_imagingcms.c
+index 4d66dcc1085..84b8a7e71f9 100644
+--- a/src/_imagingcms.c
++++ b/src/_imagingcms.c
+@@ -201,8 +201,8 @@ cms_transform_new(cmsHTRANSFORM transform, char *mode_in, char *mode_out) {
+ 
+ self->transform = transform;
+ 
+- strcpy(self->mode_in, mode_in);
+- strcpy(self->mode_out, mode_out);
++ strncpy(self->mode_in, mode_in, 8);
++ strncpy(self->mode_out, mode_out, 8);
+ 
+ return (PyObject *)self;
+ }
+@@ -242,10 +242,9 @@ findLCMStype(char *PILmode) {
+ // LabX equivalent like ALab, but not reversed -- no #define in lcms2
+ return (COLORSPACE_SH(PT_LabV2) | CHANNELS_SH(3) | BYTES_SH(1) | EXTRA_SH(1));
+ }
+-
+ else {
+- /* take a wild guess... but you probably should fail instead. */
+- return TYPE_GRAY_8; /* so there's no buffer overrun... */
++ /* take a wild guess... */
++ return TYPE_GRAY_8;
+ }
+ }
+ 
diff --git a/python-pillow.spec b/python-pillow.spec
index de83c30..a172de9 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
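Review bot: The backported fix leaves `mode_in` and `mode_out` without a NUL terminator whenever the mode string is 8 characters or longer: `strncpy(self->mode_in, mode_in, 8)` copies exactly 8 bytes and stops, so the over-write is gone but anything that later reads the field as a C string can run past it into whatever follows, and the new test's 9-character mode "ABCDEFGHI" is exactly that case. The constant 8 presumably matches the field declaration in the object struct, which is outside this hunk, as is the start of `cms_transform_new`. Safer is to bound the copy by the field and terminate explicitly, `strncpy(self->mode_in, mode_in, sizeof(self->mode_in) - 1); self->mode_in[sizeof(self->mode_in) - 1] = '\0';` (and the same pair for `mode_out`), or to reject over-long modes with an error before copying rather than silently truncating them. The second hunk also drops the "you probably should fail instead" remark while `findLCMStype` still returns `TYPE_GRAY_8` for an unknown mode; a one-line comment such as `/* unknown mode: deliberately fall back to 8-bit gray rather than error */` would keep that decision visible to the next reader.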
@@ -5,7 +5,7 @@
 Name: python-pillow
 Version: 9.0.1
-Release: 6
+Release: 7
 Summary: Python image processing library
 License: MIT
 URL: http://python-pillow.github.io/
@@ -13,6 +13,8 @@ Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillo
 Source1: oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
 # https://github.com/python-pillow/Pillow/blob/c9f1b35/Tests/images/decompression_bomb_extents.gif
 Source2: decompression_bomb_extents.gif
+# https://github.com/python-pillow/Pillow/blob/2a93aba/Tests/icc/sGrey-v2-nano.icc
+Source3: sGrey-v2-nano.icc
 Patch0000: python-pillow_spinxwarn.patch
 Patch0001: python-pillow_sphinx-issues.patch
@@ -21,6 +23,7 @@ Patch0003: CVE-2022-45199.patch
 Patch0004: CVE-2023-44271.patch
 Patch0005: CVE-2022-45198.patch
 Patch0006: CVE-2023-50447.patch
+Patch0007: CVE-2024-28219.patch
 BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel
 BuildRequires: libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@@ -104,6 +107,7 @@ Qt pillow image wrapper.
 %build
 cp %{SOURCE1} Tests/images/
 cp %{SOURCE2} Tests/images/
+cp %{SOURCE3} Tests/icc/
 %py3_build
@@ -160,6 +164,9 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
 %{python3_sitearch}/PIL/__pycache__/ImageQt*
 %changelog
+* Sun Apr 07 2024 wangkai <13474090681@163.com> - 9.0.1-7
+- Fix CVE-2024-28219
+
 * Wed Jan 24 2024 wangkai <13474090681@163.com> - 9.0.1-6
 - Fix CVE-2023-50447
diff --git a/sGrey-v2-nano.icc b/sGrey-v2-nano.icc
new file mode 100644
index 0000000000000000000000000000000000000000..0e9edfd403182dd3ca815935cc85f33ec5dbd746
GIT binary patch
literal 290
zcmZQzU{uOU&MjsVU|`72D=Bgha*T|Kj8b5K#K6oT!obPE#~_=STwLHA>=wcR1jUKv z#mOZ_IUqIye7nZL2;yDV%}C5k;hV$Xm^N{`e8QEs#kOw0V-V`FvRG15i<5yeTYxye zyriH6NM8VAk?fElXCVCqh)t3Uih$yb5b%7
literal 0
HcmV?d00001
-- 
Gitee