From 9cbc35b8d5b2469b4a4c26da203405ff78bad912 Mon Sep 17 00:00:00 2001
From: wangxiao65 <287608437@qq.com>
Date: Thu, 28 Jan 2021 14:57:35 +0800
Subject: [PATCH] fix CVE-2020-35653 CVE-2020-35655
---
 CVE-2020-35653.patch | 38 +++++++++++++++++++++++
 CVE-2020-35655-1.patch | 61 +++++++++++++++++++++++++++++++++++++
 CVE-2020-35655-2.patch | 68 ++++++++++++++++++++++++++++++++++++++++++
 python-pillow.spec | 8 ++++-
 4 files changed, 174 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-35653.patch
 create mode 100644 CVE-2020-35655-1.patch
 create mode 100644 CVE-2020-35655-2.patch
diff --git a/CVE-2020-35653.patch b/CVE-2020-35653.patch
new file mode 100644
index 0000000..db5e6ca
--- /dev/null
+++ b/CVE-2020-35653.patch
@@ -0,0 +1,38 @@
+From 2f409261eb1228e166868f8f0b5da5cda52e55bf Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Thu, 17 Dec 2020 00:17:53 +0100
+Subject: [PATCH] Fix for CVE CVE-2020-35653 - Read Overflow in PCX Decoding.
+
+* Don't trust the image to specify a buffer size
+---
+ src/PIL/PcxImagePlugin.py | 9 ++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/PIL/PcxImagePlugin.py b/src/PIL/PcxImagePlugin.py
+index b337b7dde2..a24d44b427 100644
+--- a/src/PIL/PcxImagePlugin.py
++++ b/src/PIL/PcxImagePlugin.py
+@@ -63,9 +63,9 @@ class PcxImageFile(ImageFile.ImageFile):
+ version = i8(s[1])
+ bits = i8(s[3])
+ planes = i8(s[65])
+- stride = i16(s, 66)
++ ignored_stride = i16(s, 66)
+ logger.debug("PCX version %s, bits %s, planes %s, stride %s",
+- version, bits, planes, stride)
++ version, bits, planes, ignored_stride)
+
+ self.info["dpi"] = i16(s, 12), i16(s, 14)
+
+@@ -102,6 +102,11 @@ class PcxImageFile(ImageFile.ImageFile):
+ self.mode = mode
+ self._size = bbox[2]-bbox[0], bbox[3]-bbox[1]
+
++ # don't trust the passed in stride. Calculate for ourselves.
++ # CVE-2020-35653
++ stride = (self._size[0] * bits + 7) // 8
++ stride += stride % 2
++
+ bbox = (0, 0) + self.size
+ logger.debug("size: %sx%s", *self.size)
+
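Review bot: The debug line `logger.debug("PCX version %s, bits %s, planes %s, stride %s", ...)` still reports the header's stride while the decoder now runs on the locally computed `stride`, so a log from a malformed file no longer shows the value actually used; logging both is the useful triage signal, e.g. `logger.debug("size: %sx%s, stride %s (header declared %s)", *self.size, stride, ignored_stride)` in place of the size line. The rounding `stride += stride % 2` pads every odd stride to even, and if real-world encoders write unpadded odd strides this changes how such files decode, which is worth checking against the package's test images before backporting (upstream appears to have later made the padding conditional on the header value). The enclosing method starts and ends outside the hunk; the hunk header names only the class.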
diff --git a/CVE-2020-35655-1.patch b/CVE-2020-35655-1.patch
new file mode 100644
index 0000000..e28cc1e
--- /dev/null
+++ b/CVE-2020-35655-1.patch
@@ -0,0 +1,61 @@
+From 7e95c63fa7f503f185d3d9eb16b9cee1e54d1e46 Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Thu, 29 Oct 2020 23:07:15 +0000
+Subject: [PATCH] Fix for SGI Decode buffer overrun CVE-2020-35655
+
+* Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz.
+---
+ src/libImaging/SgiRleDecode.c | 23 ++++++++++++------
+ 1 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index a03ecd456e..46a9179234 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -112,11 +112,27 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ int err = 0;
+ int status;
+
++ /* size check */
++ if (im->xsize > INT_MAX / im->bands ||
++ im->ysize > INT_MAX / im->bands) {
++ return IMAGING_CODEC_MEMORY;
++ }
++
+ /* Get all data from File descriptor */
+ c = (SGISTATE*)state->context;
+ _imaging_seek_pyFd(state->fd, 0L, SEEK_END);
+ c->bufsize = _imaging_tell_pyFd(state->fd);
+ c->bufsize -= SGI_HEADER_SIZE;
++
++ c->tablen = im->bands * im->ysize;
++ /* below, we populate the starttab and lentab into the bufsize,
++ each with 4 bytes per element of tablen
++ Check here before we allocate any memory
++ */
++ if (c->bufsize < 8*c->tablen) {
++ return IMAGING_CODEC_MEMORY;
++ }
++
+ ptr = malloc(sizeof(UINT8) * c->bufsize);
+ if (!ptr) {
+ return IMAGING_CODEC_MEMORY;
+@@ -134,18 +150,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ state->ystep = 1;
+ }
+
+- if (im->xsize > INT_MAX / im->bands ||
+- im->ysize > INT_MAX / im->bands) {
+- err = IMAGING_CODEC_MEMORY;
+- goto sgi_finish_decode;
+- }
+-
+ /* Allocate memory for RLE tables and rows */
+ free(state->buffer);
+ state->buffer = NULL;
+ /* malloc overflow check above */
+ state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
+- c->tablen = im->bands * im->ysize;
+ c->starttab = calloc(c->tablen, sizeof(UINT32));
+ c->lengthtab = calloc(c->tablen,
sizeof(UINT32));
+ if (!state->buffer ||
diff --git a/CVE-2020-35655-2.patch b/CVE-2020-35655-2.patch
new file mode 100644
index 0000000..4ca01cc
--- /dev/null
+++ b/CVE-2020-35655-2.patch
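Review bot: The new guard `if (c->bufsize < 8*c->tablen)` multiplies in whatever integer type `tablen` has (declared outside the hunk); the check above it only bounds `im->bands * im->ysize` to INT_MAX, so for a very large table `8*c->tablen` can still overflow, and a wrapped negative product makes the comparison pass and lets the table reads the guard is meant to fence off proceed. Comparing by division removes that path without changing the intended bound: `if (c->bufsize < 0 || c->tablen > c->bufsize / 8) {`, where the first clause keeps the rejection of a `bufsize` driven negative by `c->bufsize -= SGI_HEADER_SIZE` on a file shorter than the header. The header fields that feed `xsize`/`ysize` may keep this unreachable in practice, but the function itself does not enforce that, so the cheap form is worth having. The early `return IMAGING_CODEC_MEMORY` paths hand the caller an error code where it expects a byte count, which the second patch in this commit already addresses. ImagingSgiRleDecode begins and ends outside the hunk.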
@@ -0,0 +1,68 @@
+From 9a2c9f722f78773e608d44710873437baf3f17d1 Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Fri, 30 Oct 2020 09:57:23 +0000
+Subject: [PATCH] Make the SGI code return -1 as an error flag, error in state
+
+---
+ src/libImaging/SgiRleDecode.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index 46a9179234..9a8814b50c 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -115,7 +115,8 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ /* size check */
+ if (im->xsize > INT_MAX / im->bands ||
+ im->ysize > INT_MAX / im->bands) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
+ }
+
+ /* Get all data from File descriptor */
+@@ -130,12 +131,14 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ Check here before we allocate any memory
+ */
+ if (c->bufsize < 8*c->tablen) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_OVERRUN;
++ return -1;
+ }
+
+ ptr = malloc(sizeof(UINT8) * c->bufsize);
+ if (!ptr) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
+ }
+ _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
+ _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
+@@ -185,7 +188,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+
+ if (c->rleoffset + c->rlelength > c->bufsize) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+ }
+
+ /* row decompression */
+@@ -191,7 +194,7 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+ }
+ if (status == -1) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+ } else if (status == 1) {
+ goto sgi_finish_decode;
+ }
+@@ -218,7 +221,8 @@ sgi_finish_decode: ;
+ free(c->lengthtab);
+ free(ptr);
+ if (err != 0){
+- return err;
++ state->errcode=err;
++ return -1;
+ }
+ return
state->count - c->bufsize;
+ }
diff --git a/python-pillow.spec b/python-pillow.spec
index db15983..0522554 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -5,7 +5,7 @@ Name: python-pillow
 Version: 5.3.0
-Release: 10
+Release: 11
 Summary: Python image processing library
 License: MIT
 URL: http://python-pillow.github.io/
@@ -26,6 +26,9 @@ Patch0016: CVE-2019-19911.patch
 Patch0017: CVE-2020-5310.patch
 Patch0018: CVE-2020-5312.patch
 Patch0019: CVE-2020-5313.patch
+Patch0020: CVE-2020-35653.patch
+Patch0021: CVE-2020-35655-1.patch
+Patch0022: CVE-2020-35655-2.patch
 BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
 BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
@@ -179,6 +182,9 @@ popd
 %doc docs/_build_py3/html
 %changelog
+* Thu Jan 28 2021 wangxiao - 5.3.0-11
+- fix CVE-2020-35653 CVE-2020-35655
+
 * Thu Nov 26 2020 shixuantong - 5.3.0-10
 - Type:cves
 - ID:CVE-2020-5310 CVE-2020-5312 CVE-2020-5313
--
Gitee
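Review bot: The two sites rewritten to `goto sgi_finish_decode` set `state->errcode = IMAGING_CODEC_OVERRUN` but leave the local `err` at 0, so at the label the `if (err != 0)` branch is skipped and the function returns `state->count - c->bufsize`, a non-negative status paired with a negative errcode, while every other failure in this hunk leaves through `return -1`. Unless the caller is known to consult `state->errcode` regardless of the return value, route these through the same branch by setting the local instead: `err = IMAGING_CODEC_OVERRUN;` followed by `goto sgi_finish_decode;` at both sites, which keeps the freeing the goto was introduced for. The table-size guard now reports IMAGING_CODEC_OVERRUN while the neighbouring malloc failure keeps IMAGING_CODEC_MEMORY, which reads correctly since a short file rather than allocation is the cause there. ImagingSgiRleDecode begins outside the hunk.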
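Review bot: Patch0020–Patch0022 are declared in the second hunk of python-pillow.spec, but whether they are applied depends on the `%prep` section, which is outside the diff; if the spec applies patches with explicit `%patch` lines rather than `%autosetup`, matching entries (e.g. `%patch0020 -p1`) are needed or the build ships 5.3.0-11 without the fixes. The nested patches address `src/PIL/PcxImagePlugin.py` and `src/libImaging/SgiRleDecode.c`, so `-p1` is the expected strip level. The changelog entry in the last hunk omits the `- Type:` / `- ID:` fields the previous entry uses; `- Type:cves` and `- ID:CVE-2020-35653 CVE-2020-35655` would keep the format consistent and searchable.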