diff --git a/CVE-2020-5310.patch b/CVE-2020-5310.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ea56cf04982517917c1536b3556c3d8ce18e8f97
--- /dev/null
+++ b/CVE-2020-5310.patch
@@ -0,0 +1,59 @@
+From 4e2def2539ec13e53a82e06c4b3daf00454100c4 Mon Sep 17 00:00:00 2001
+From: Andrew Murray
+Date: Wed, 1 Jan 2020 16:38:37 +1100
+Subject: [PATCH] Overflow checks for realloc for tiff decoding
+
+https://github.com/python-pillow/Pillow/commit/4e2def2539ec13e53a82e06c4b3daf00454100c4
+
+---
+ src/libImaging/TiffDecode.c | 18 +++++++++++-------
+ 1 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
+index 9830238..1f505ff 100644
+--- a/src/libImaging/TiffDecode.c
++++ b/src/libImaging/TiffDecode.c
+@@ -237,20 +237,26 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, int
+ TIFFSetField(tiff, TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RGB);
+ 
+ if (TIFFIsTiled(tiff)) {
+- uint32 x, y, tile_y;
++ uint32 x, y, tile_y, row_byte_size;
+ uint32 tileWidth, tileLength;
+ UINT8 *new_data;
+ 
+- state->bytes = TIFFTileSize(tiff);
++ TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tileWidth);
++ TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tileLength);
++
++ // We could use TIFFTileSize, but for YCbCr data it returns subsampled data size
++ row_byte_size = (tileWidth * state->bits + 7) / 8;
+ 
+- /* overflow check for malloc */
+- if (state->bytes > INT_MAX - 1) {
++ /* overflow check for realloc */
++ if (INT_MAX / row_byte_size < tileLength) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFClose(tiff);
+ return -1;
+ }
+ 
+- /* realloc to fit whole tile */
++ state->bytes = row_byte_size * tileLength;
++
++ /* malloc check above */
+ new_data = realloc (state->buffer, state->bytes);
+ if (!new_data) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+@@ -262,8 +268,6 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, int
+ 
+ TRACE(("TIFFTileSize: %d\n", state->bytes));
+ 
+- TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tileWidth);
+- TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tileLength);
+ 
+ for (y = state->yoff; y < state->ysize; y += tileLength) {
+ for (x = state->xoff; x < state->xsize; x += tileWidth) {
+-- 
+2.27.0
+
diff --git a/CVE-2020-5312.patch b/CVE-2020-5312.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1ca9822a46804114a33d24acefb12c8c76f97ed5
--- /dev/null
+++ b/CVE-2020-5312.patch
@@ -0,0 +1,28 @@
+From 93b22b846e0269ee9594ff71a72bec02d2bea8fd Mon Sep 17 00:00:00 2001
+From: Andrew Murray
+Date: Sat, 21 Dec 2019 18:38:22 +1100
+Subject: [PATCH] Catch PCX P mode buffer overrun
+
+https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd
+
+---
+ src/libImaging/PcxDecode.c | 3 +++
+ 1 files changed, 3 insertions(+)
+
+diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
+index bf0eb00..ba76d92 100644
+--- a/src/libImaging/PcxDecode.c
++++ b/src/libImaging/PcxDecode.c
+@@ -25,6 +25,9 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ if ((state->xsize * state->bits + 7) / 8 > state->bytes) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
++ } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
++ state->errcode = IMAGING_CODEC_OVERRUN;
++ return -1;
+ }
+ 
+ ptr = buf;
+-- 
+2.27.0
+
diff --git a/CVE-2020-5313.patch b/CVE-2020-5313.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f128a9426c5a594a4d29de6119f72d21e3240c9a
--- /dev/null
+++ b/CVE-2020-5313.patch
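Review bot: The new overflow check divides by `row_byte_size`, which is zero whenever `tileWidth * state->bits` is zero, and `tileWidth`/`tileLength` are filled by two `TIFFGetField` calls whose return values are not checked, so a file that lacks either tag reaches that division with an uninitialized operand. The product `tileWidth * state->bits` is also uint32 arithmetic that can wrap before the `+ 7`, leaving a small `row_byte_size` that lets `INT_MAX / row_byte_size < tileLength` pass for an undersized buffer. Guarding the tag reads and the width/bits product before `row_byte_size` is computed closes both (sketch below; `state->bits` is assumed to be an int set by the caller, and the error code for bad geometry should be whatever this file already uses, IMAGING_CODEC_BROKEN if that is the convention). The `/* malloc check above */` comment and the `TRACE(("TIFFTileSize: %d\n", ...))` label are both stale now that the size comes from neither TIFFTileSize nor malloc. ImagingLibTiffDecode begins before and continues after both hunks.
```c
if (!TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tileWidth) ||
    !TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tileLength) ||
    tileWidth == 0 || tileLength == 0 ||
    state->bits <= 0 || tileWidth > (INT_MAX - 7) / state->bits) {
    state->errcode = IMAGING_CODEC_BROKEN;
    TIFFClose(tiff);
    return -1;
}
/* width * bits cannot wrap here and row_byte_size >= 1, so the division below is safe */
row_byte_size = (tileWidth * state->bits + 7) / 8;
/* … unchanged: INT_MAX / row_byte_size < tileLength check, state->bytes, realloc … */
```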
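Review bot: The new `else if` special-cases mode "P" with a bare `state->xsize > state->bytes` comparison, but nothing in the hunk says why the generic `(xsize * bits + 7) / 8` row check is insufficient for that mode, so a later reader may fold the two branches together and reopen the overrun. A comment on the new branch should carry the reason, along the lines of `/* "P" output is presumably unpacked to one byte per pixel below regardless of state->bits, so a full xsize bytes must fit -- confirm against the decode loop */`, with the hedge resolved once the loop (outside this hunk) has been checked. Since both branches set the same errcode and return, they could also be one condition, `if ((state->xsize * state->bits + 7) / 8 > state->bytes || (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes)) {`, keeping the check and its explanation in one place. `strcmp` needs `<string.h>`; if PcxDecode.c only gets it indirectly through a shared header, that is worth confirming rather than assuming. ImagingPcxDecode begins before and continues after the hunk.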
@@ -0,0 +1,38 @@
+From a09acd0decd8a87ccce939d5ff65dab59e7d365b Mon Sep 17 00:00:00 2001
+From: Andrew Murray
+Date: Wed, 1 Jan 2020 14:14:47 +1100
+Subject: [PATCH] Catch FLI buffer overrun
+
+https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b
+---
+ src/libImaging/FliDecode.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
+index 2d63bea..06fa307 100644
+--- a/src/libImaging/FliDecode.c
++++ b/src/libImaging/FliDecode.c
+@@ -45,8 +45,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ return 0;
+ 
+ /* We don't decode anything unless we have a full chunk in the
+- input buffer (on the other hand, the Python part of the driver
+- makes sure this is always the case) */
++ input buffer */
+ 
+ ptr = buf;
+ 
+@@ -57,6 +56,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ /* Make sure this is a frame chunk. The Python driver takes
+ case of other chunk types. */
+ 
++ if (bytes < 8) {
++ state->errcode = IMAGING_CODEC_OVERRUN;
++ return -1;
++ }
+ if (I16(ptr+4) != 0xF1FA) {
+ state->errcode = IMAGING_CODEC_UNKNOWN;
+ return -1;
+-- 
+2.27.0
+
diff --git a/python-pillow.spec b/python-pillow.spec
index 52a0474682818658608a7b63ea22eecbbadde14c..db15983b9367f9c36c18b4a1d8108ed88fc5a8fa 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -5,7 +5,7 @@ Name: python-pillow
 Version: 5.3.0
-Release: 9
+Release: 10
 Summary: Python image processing library
 License: MIT
 URL: http://python-pillow.github.io/
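Review bot: The new `if (bytes < 8)` guard covers the `I16(ptr+4)` read that follows it, but the constant 8 is unexplained, and the frame parsing that continues below the hunk is what decides whether 8 is enough for every field read from `ptr` before the sub-chunk loop. A one-line comment would pin the intent, e.g. `/* 8 = smallest frame-chunk header read before the checks below -- TODO confirm every later I16/I32 on ptr is bounded by bytes */`. Note also that the first hunk deletes the old promise that the Python side always supplies a whole chunk, while the `return 0;` at its top still treats a short buffer as "wait for more" and the new branch turns one into a hard `IMAGING_CODEC_OVERRUN`; if any caller can legitimately hand over a partial chunk, the two paths now disagree on what a short buffer means and should be reconciled. ImagingFliDecode begins before and continues after both hunks.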
@@ -23,6 +23,9 @@ Patch0011: pre-CVE-2020-11538-1.patch
 Patch0014: CVE-2020-5311.patch
 Patch0015: CVE-2020-11538.patch
 Patch0016: CVE-2019-19911.patch
+Patch0017: CVE-2020-5310.patch
+Patch0018: CVE-2020-5312.patch
+Patch0019: CVE-2020-5313.patch
 BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
 BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
@@ -176,6 +179,12 @@ popd
 %doc docs/_build_py3/html
 %changelog
+* Thu Nov 26 2020 shixuantong - 5.3.0-10
+- Type:cves
+- ID:CVE-2020-5310 CVE-2020-5312 CVE-2020-5313
+- SUG:NA
+- DESC:fix CVE-2020-5310 CVE-2020-5312 CVE-2020-5313
+
 * Wed Nov 25 2020 shixuantong - 5.3.0-9
 - Type:cves
 - ID:CVE-2019-19911 CVE-2020-5311
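Review bot: Patch0017 through Patch0019 are only declared in this hunk; whether they are applied depends on the `%prep` section, which is outside the hunk (an `%autosetup -p1` picks them up automatically, but explicit `%patch` lines would need the three new numbers added). That is worth confirming before the Release bump ships, because a declared-but-unapplied patch leaves the built library identical to 5.3.0-9 while the changelog entry claims the three CVEs are fixed.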