From 899593a135630380c7773b8f756f43c69210428f Mon Sep 17 00:00:00 2001
From: renmingshuai
Date: Thu, 28 Jan 2021 17:22:11 +0800
Subject: [PATCH] fix CVE-2020-35653 (cherry picked from commit 53731cfccae624ddd6b9b594b01574627fee1e8b)
---
 backport-CVE-2020-35653.patch | 41 +++++++++++++++++++++++++++++++++++
 python-pillow.spec | 27 ++++++++++++++---------
 2 files changed, 58 insertions(+), 10 deletions(-)
 create mode 100644 backport-CVE-2020-35653.patch
diff --git a/backport-CVE-2020-35653.patch b/backport-CVE-2020-35653.patch
new file mode 100644
index 0000000..901db5e
--- /dev/null
+++ b/backport-CVE-2020-35653.patch
@@ -0,0 +1,41 @@
+From 1eff62205ebe9d42a9417955d2955591be69c9bb Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Thu, 17 Dec 2020 00:17:53 +0100
+Subject: [PATCH] Fix for CVE CVE-2020-35655 - Read Overflow in PCX Decoding.
+commit 2f409261eb1228e166868f8f0b5da5cda52e55bf upstream
+* Don't trust the image to specify a buffer size
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
+---
+ src/PIL/PcxImagePlugin.py | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+diff --git a/src/PIL/PcxImagePlugin.py b/src/PIL/PcxImagePlugin.py
+index daa58b3..82aa3bb 100644
+--- a/src/PIL/PcxImagePlugin.py
++++ b/src/PIL/PcxImagePlugin.py
+@@ -63,9 +63,9 @@ class PcxImageFile(ImageFile.ImageFile):
+ version = i8(s[1])
+ bits = i8(s[3])
+ planes = i8(s[65])
+- stride = i16(s, 66)
++ ignored_stride = i16(s, 66)
+ logger.debug("PCX version %s, bits %s, planes %s, stride %s",
+- version, bits, planes, stride)
++ version, bits, planes, ignored_stride)
+
+ self.info["dpi"] = i16(s, 12), i16(s, 14)
+
+@@ -102,6 +102,11 @@ class PcxImageFile(ImageFile.ImageFile):
+ self.mode = mode
+ self._size = bbox[2]-bbox[0], bbox[3]-bbox[1]
+
++ # don't trust the passed in stride. Calculate for ourselves.
++ # CVE-2020-35655
++ stride = (self._size[0] * bits + 7) // 8
++ stride += stride % 2
++
+ bbox = (0, 0) + self.size
+ logger.debug("size: %sx%s", *self.size)
+
+--
+2.23.0
\ No newline at end of file
diff --git a/python-pillow.spec b/python-pillow.spec
index 6279dee..1376ef1 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -5,7 +5,7 @@
 Name: python-pillow
 Version: 5.3.0
-Release: 8
+Release: 11
 Summary: Python image processing library
 License: MIT
 URL: http://python-pillow.github.io/
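Review bot: The added backport-CVE-2020-35653.patch labels the fix CVE-2020-35655 in its Subject line and in the new code comment `# CVE-2020-35655`, while the file name, the commit title and the changelog say CVE-2020-35653. As far as I know the PCX stride over-read is the issue tracked as CVE-2020-35653, so the upstream text looks like a typo, and it will mislead anyone who audits CVE coverage by searching the sources. I would leave the upstream comment untouched and add a header line next to `Conflict:NA`, for example `Note: upstream message and code comment cite CVE-2020-35655; this fix is tracked as CVE-2020-35653`. The embedded diff touches only src/PIL/PcxImagePlugin.py (`1 file changed`), and the method it patches begins and ends outside its hunks, so no regression test ships with the backport; the header could also say how the fix was checked against 5.3.0.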
@@ -18,14 +18,15 @@ Patch0003: 0003-CVE-2019-16865-4.patch
 Patch0004: CVE-2020-10378.patch
 Patch0005: CVE-2020-10177.patch
 Patch0006: CVE-2020-10994.patch
-Patch0007: replace_copy_operations_with_memcpy.patch
-Patch0008: pre-CVE-2020-11538-1.patch
-Patch0011: CVE-2020-5311.patch
-Patch0012: CVE-2020-11538.patch
-Patch0013: CVE-2019-19911.patch
-Patch0014: CVE-2020-5310.patch
-Patch0015: CVE-2020-5312.patch
-Patch0016: CVE-2020-5313.patch
+Patch0010: replace_copy_operations_with_memcpy.patch
+Patch0011: pre-CVE-2020-11538-1.patch
+Patch0014: CVE-2020-5311.patch
+Patch0015: CVE-2020-11538.patch
+Patch0016: CVE-2019-19911.patch
+Patch0017: CVE-2020-5310.patch
+Patch0018: CVE-2020-5312.patch
+Patch0019: CVE-2020-5313.patch
+Patch0020: backport-CVE-2020-35653.patch
 BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
 BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
@@ -179,7 +180,13 @@ popd
 %doc docs/_build_py3/html
 %changelog
-* Thu Nov 26 2020 shixuantong - 5.3.0-8
+* Thu Jan 28 2021 renmingshuai - 5.3.0-11
+- Type:cves
+- ID:CVE-2020-35653
+- SUG:NA
+- DESC:fix CVE-2020-35653
+
+* Thu Nov 26 2020 shixuantong - 5.3.0-10
 - Type:cves
 - ID:CVE-2020-5310 CVE-2020-5312 CVE-2020-5313
 - SUG:NA
--
Gitee
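Review bot: The `@@ -18,14 +18,15 @@` hunk renumbers `Patch0007`–`Patch0016` to `Patch0010`–`Patch0019`, which is unrelated to the CVE fix and is only safe if %prep does not refer to patches by number. %prep is outside this diff; if it uses explicit `%patch7`-style lines rather than `%autosetup`, those numbers would no longer match the files they name, so please confirm before merging. Together with the Release jump from 8 to 11 and the older changelog entry being rewritten from 5.3.0-8 to 5.3.0-10, the gaps look like residue of cherry-picking from a branch with more patches. A comment above the list such as `# Patch0007-0009 and 0012-0013 are intentionally unused` would tell the next packager that no security patch was dropped.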