From 326f931d3a9f4c1f5fdc9d87ec7a81982663f804 Mon Sep 17 00:00:00 2001
From: eulerstorage
Date: Wed, 11 Mar 2020 11:49:34 +0800
Subject: [PATCH] fix CVE-2019-16865

---
 0000-CVE-2019-16865-1.patch | 62 ++++++++++++++++++++++++++
 0001-CVE-2019-16865-2.patch | 38 ++++++++++++++++
 0002-CVE-2019-16865-3.patch | 28 ++++++++++++
 0003-CVE-2019-16865-4.patch | 89 +++++++++++++++++++++++++++++++++++++
 python-pillow.spec | 14 ++++-
 5 files changed, 228 insertions(+), 3 deletions(-)
 create mode 100644 0000-CVE-2019-16865-1.patch
 create mode 100644 0001-CVE-2019-16865-2.patch
 create mode 100644 0002-CVE-2019-16865-3.patch
 create mode 100644 0003-CVE-2019-16865-4.patch

diff --git a/0000-CVE-2019-16865-1.patch b/0000-CVE-2019-16865-1.patch
new file mode 100644
index 0000000..5635a0b
--- /dev/null
+++ b/0000-CVE-2019-16865-1.patch
@@ -0,0 +1,62 @@ +From 5d4b5d152f3408352d600ba97980061ea054e8e9 Mon Sep 17 00:00:00 2001 +From: Andrew Murray +Date: Sun, 29 Sep 2019 14:16:30 +1000 +Subject: [PATCH] Corrected negative seeks + +Signed-off-by: hanxinke +--- + src/PIL/PsdImagePlugin.py | 6 ++++-- + src/libImaging/RawDecode.c | 11 +++++++++-- + 2 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py +index 2d64ecd..e82dda2 100644 +--- a/src/PIL/PsdImagePlugin.py ++++ b/src/PIL/PsdImagePlugin.py +@@ -209,9 +209,11 @@ def _layerinfo(file): + # skip over blend flags and extra information + filler = read(12) + name = "" +- size = i32(read(4)) ++ size = i32(read(4)) # length of the extra data field + combined = 0 + if size: ++ data_end = file.tell() + size ++ + length = i32(read(4)) + if length: + mask_y = i32(read(4)) +@@ -233,7 +235,7 @@ def _layerinfo(file): + name = read(length).decode('latin-1', 'replace') + combined += length + 1 + +- file.seek(size - combined, 1) ++ file.seek(data_end) + layers.append((name, mode, (x0, y0, x1, y1))) + + # get tiles +diff --git a/src/libImaging/RawDecode.c b/src/libImaging/RawDecode.c +index 40c0cb7..d4b7994 100644 +--- a/src/libImaging/RawDecode.c ++++ b/src/libImaging/RawDecode.c +@@ -33,8 +33,15 @@ ImagingRawDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) + + /* get size of image data and padding */ + state->bytes = (state->xsize * state->bits + 7) / 8; +- rawstate->skip = (rawstate->stride) ? +- rawstate->stride - state->bytes : 0; ++ if (rawstate->stride) { ++ rawstate->skip = rawstate->stride - state->bytes; ++ if (rawstate->skip < 0) { ++ state->errcode = IMAGING_CODEC_CONFIG; ++ return -1; ++ } ++ } else { ++ rawstate->skip = 0; ++ } + + /* check image orientation */ + if (state->ystep < 0) { +-- +2.19.1 + diff --git a/0001-CVE-2019-16865-2.patch b/0001-CVE-2019-16865-2.patch new file mode 100644 index 0000000..1a154af --- /dev/null +++ b/0001-CVE-2019-16865-2.patch 
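Review bot: In the `_layerinfo` change `combined` is still initialised (`combined = 0`) and accumulated (`combined += length + 1`) but its only reader, `file.seek(size - combined, 1)`, is removed, and no other use is visible in the hunk, so it is now dead bookkeeping; drop those two statements or leave a short comment saying why they stay. The absolute `file.seek(data_end)` correctly removes the untrusted negative relative seek, but `data_end` is only assigned inside `if size:`, so the seek must remain within that block — the flattened indentation here does not show whether it does, which is worth confirming against the applied file. In RawDecode.c, rejecting `rawstate->skip < 0` with `IMAGING_CODEC_CONFIG` is the right error class for a stride shorter than a row. `_layerinfo` continues outside the hunk.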
@@ -0,0 +1,38 @@ +From 88d9a3994bc244f14d0f594755ac896a235017c5 Mon Sep 17 00:00:00 2001 +From: Andrew Murray +Date: Sun, 29 Sep 2019 14:14:38 +1000 +Subject: [PATCH] Added decompression bomb checks + +Signed-off-by: hanxinke +--- + src/PIL/GifImagePlugin.py | 1 + + src/PIL/IcoImagePlugin.py | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py +index 107c015..70eebf9 100644 +--- a/src/PIL/GifImagePlugin.py ++++ b/src/PIL/GifImagePlugin.py +@@ -252,6 +252,7 @@ class GifImageFile(ImageFile.ImageFile): + self.dispose = None + elif self.disposal_method == 2: + # replace with background colour ++ Image._decompression_bomb_check(self.size) + self.dispose = Image.core.fill("P", self.size, + self.info["background"]) + else: +diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py +index 589ef3c..926838d 100644 +--- a/src/PIL/IcoImagePlugin.py ++++ b/src/PIL/IcoImagePlugin.py +@@ -167,6 +167,7 @@ class IcoFile(object): + else: + # XOR + AND mask bmp frame + im = BmpImagePlugin.DibImageFile(self.buf) ++ Image._decompression_bomb_check(im.size) + + # change tile dimension to only encompass XOR image + im._size = (im.size[0], int(im.size[1] / 2)) +-- +2.19.1 + diff --git a/0002-CVE-2019-16865-3.patch b/0002-CVE-2019-16865-3.patch new file mode 100644 index 0000000..a659ae3 --- /dev/null +++ b/0002-CVE-2019-16865-3.patch 
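Review bot: The two new `Image._decompression_bomb_check(...)` calls carry no comment, and a reader of GifImagePlugin will not see why the check sits only in the `disposal_method == 2` branch rather than at frame setup; a one-line comment such as `# self.size comes from the file header; validate it before core.fill allocates the dispose frame` makes the placement deliberate and discourages moving it. The IcoImagePlugin call would benefit from the same, noting that it checks the full XOR+AND height before `im._size` is halved on the next line. Both enclosing methods start and end outside the hunk.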
@@ -0,0 +1,28 @@ +From ab569e61066e1ef4490db730ca13180afe18e461 Mon Sep 17 00:00:00 2001 +From: Andrew Murray +Date: Sun, 29 Sep 2019 14:15:48 +1000 +Subject: [PATCH] Raise error if dimension is a string + +Signed-off-by: hanxinke +--- + src/PIL/TiffImagePlugin.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py +index 5059a13..05f58e5 100644 +--- a/src/PIL/TiffImagePlugin.py ++++ b/src/PIL/TiffImagePlugin.py +@@ -1185,8 +1185,8 @@ class TiffImageFile(ImageFile.ImageFile): + print("- YCbCr subsampling:", self.tag.get(530)) + + # size +- xsize = self.tag_v2.get(IMAGEWIDTH) +- ysize = self.tag_v2.get(IMAGELENGTH) ++ xsize = int(self.tag_v2.get(IMAGEWIDTH)) ++ ysize = int(self.tag_v2.get(IMAGELENGTH)) + self._size = xsize, ysize + + if DEBUG: +-- +2.19.1 + diff --git a/0003-CVE-2019-16865-4.patch b/0003-CVE-2019-16865-4.patch new file mode 100644 index 0000000..b809da0 --- /dev/null +++ b/0003-CVE-2019-16865-4.patch 
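Review bot: `int(self.tag_v2.get(IMAGEWIDTH))` raises `TypeError` when the tag is absent (`.get` returns `None`) and `ValueError` when it holds a non-numeric string, so a missing dimension now fails with a different exception type than a malformed one; callers that treat `SyntaxError`/`ValueError` as "bad header" may not be catching `TypeError`. If both cases should fail the same way, fetch the tags first and raise explicitly, e.g. `if xsize is None or ysize is None: raise SyntaxError("missing image dimensions")`, then convert with `int()`. The enclosing method starts and ends outside the hunk.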
@@ -0,0 +1,89 @@ +From 1f90f191cef5f4d18cb229e3717d0b2010e9b434 Mon Sep 17 00:00:00 2001 +From: Andrew Murray +Date: Mon, 30 Sep 2019 18:45:43 +1000 +Subject: [PATCH] Catch buffer overruns + +Signed-off-by: hanxinke +--- + src/libImaging/FliDecode.c | 14 +++++++++++--- + src/libImaging/PcxDecode.c | 5 +++++ + src/libImaging/SgiRleDecode.c | 5 +++++ + 3 files changed, 21 insertions(+), 3 deletions(-) + +diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c +index 6d22c6c..600528e 100644 +--- a/src/libImaging/FliDecode.c ++++ b/src/libImaging/FliDecode.c +@@ -30,7 +30,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) + { + UINT8* ptr; + int framesize; +- int c, chunks; ++ int c, chunks, advance; + int l, lines; + int i, j, x = 0, y, ymax; + +@@ -59,10 +59,16 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) + + chunks = I16(ptr+6); + ptr += 16; ++ bytes -= 16; + + /* Process subchunks */ + for (c = 0; c < chunks; c++) { +- UINT8 *data = ptr + 6; ++ UINT8* data; ++ if (bytes < 10) { ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; ++ } ++ data = ptr + 6; + switch (I16(ptr+4)) { + case 4: case 11: + /* FLI COLOR chunk */ +@@ -198,7 +204,9 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) + state->errcode = IMAGING_CODEC_UNKNOWN; + return -1; + } +- ptr += I32(ptr); ++ advance = I32(ptr); ++ ptr += advance; ++ bytes -= advance; + } + + return -1; /* end of frame */ +diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c +index e5417f1..51de069 100644 +--- a/src/libImaging/PcxDecode.c ++++ b/src/libImaging/PcxDecode.c +@@ -22,6 +22,11 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) + UINT8 n; + UINT8* ptr; + ++ if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) { ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; ++ } ++ + ptr = buf; + + for (;;) { +diff --git a/src/libImaging/SgiRleDecode.c 
b/src/libImaging/SgiRleDecode.c +index 9d8e563..39e7b3a 100644 +--- a/src/libImaging/SgiRleDecode.c ++++ b/src/libImaging/SgiRleDecode.c +@@ -156,6 +156,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, + c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize]; + c->rleoffset -= SGI_HEADER_SIZE; + ++ if (c->rleoffset + c->rlelength > c->bufsize) { ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; ++ } ++ + /* row decompression */ + if (c->bpc ==1) { + if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands)) +-- +2.19.1 + diff --git a/python-pillow.spec b/python-pillow.spec index 802d2a6..02b0009 100644 --- a/python-pillow.spec +++ b/python-pillow.spec @@ -5,11 +5,17 @@ Name: python-pillow Version: 5.3.0 -Release: 3 +Release: 4 Summary: Python image processing library License: MIT URL: http://python-pillow.github.io/ Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz + +Patch0000: 0000-CVE-2019-16865-1.patch +Patch0001: 0001-CVE-2019-16865-2.patch +Patch0002: 0002-CVE-2019-16865-3.patch +Patch0003: 0003-CVE-2019-16865-4.patch + BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel BuildRequires: python2-cffi python2-devel python2-numpy python2-olefile python2-setuptools 
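Review bot: In FliDecode.c the new `bytes < 10` guard validates only that a subchunk header fits, while `advance = I32(ptr)` is applied to `ptr` and `bytes` with no check of its own; if `I32` yields a signed value, a zero or negative chunk length moves `ptr` backwards or leaves it in place and makes `bytes` grow, so the header check on the next pass never fires. Reject it before the pointer moves: `if (advance <= 0 || advance > bytes) { state->errcode = IMAGING_CODEC_OVERRUN; return -1; }`. A positive over-advance is caught only on the next iteration, which is fine here solely because the function returns immediately after the loop. In SgiRleDecode.c the `c->rleoffset + c->rlelength > c->bufsize` comparison assumes both terms are non-negative and their sum cannot wrap; the types are not visible in the hunk, so confirm `rleoffset` cannot go negative after `-= SGI_HEADER_SIZE`. ImagingFliDecode starts and ends outside the hunk.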
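Review bot: The four `Patch0000`–`Patch0003` tags are declared in this hunk but nothing here shows them being applied; if `%prep` uses plain `%setup` rather than `%autosetup -p1`, the patches ship in the SRPM but never reach the build, and the changelog would claim a fix that is not in the binary. Confirm that `%prep` (outside this hunk) applies them, or add `%patch0000 -p1` through `%patch0003 -p1` after `%setup`.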
@@ -31,7 +37,7 @@ Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is sup Summary: Python 2 image processing library %{?python_provide:%python_provide python2-pillow} Provides: python-imaging = %{version}-%{release} python2-imaging = %{version}-%{release} -Provides: python2-pillow-tk = %{version}-%{release} python2-pillow-qt = %{version}-%{release} +Provides: python2-pillow-tk = %{version}-%{release} python2-pillow-qt = %{version}-%{release} Provides: python-imaging-tk = %{version}-%{release} python2-imaging-tk = %{version}-%{release} Provides: python-imaging-qt = %{version}-%{release} python2-imaging-qt = %{version}-%{release} Requires: python2-olefile python2-tkinter python2-PyQt4 @@ -162,5 +168,7 @@ popd %doc docs/_build_py3/html %changelog -* Thu Dec 12 2019 Senlin Xia - 5.3.0-2 +* Wed Mar 11 2020 hy - 5.3.0-4 +- fix CVE-2019-16865 +* Thu Dec 12 2019 Senlin Xia - 5.3.0-3 - Package init -- Gitee