diff --git a/backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch b/backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dc39e2a8a45125c5954ca502b4fb36f73973ee52
--- /dev/null
+++ b/backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch
@@ -0,0 +1,60 @@
+From 480f6819b592d7f07b9a9a52a7656c10bbe07442 Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Wed, 24 Feb 2021 23:27:07 +0100
+Subject: [PATCH] Fix Memory DOS in Icns, Ico and Blp Image Plugins
+
+Some container plugins that could contain images of other formats,
+such as the ICNS format, did not properly check the reported size of
+the contained image. These images could cause arbitrariliy large
+memory allocations.
+
+This is fixed for all locations where individual *ImageFile classes
+are created without going through the usual Image.open method.
+---
+
+ src/PIL/BlpImagePlugin.py | 1 +
+ src/PIL/IcnsImagePlugin.py | 2 ++
+ src/PIL/IcoImagePlugin.py | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff -Nuar Pillow-8.1.1-old/src/PIL/BlpImagePlugin.py Pillow-8.1.1/src/PIL/BlpImagePlugin.py
+--- Pillow-8.1.1-old/src/PIL/BlpImagePlugin.py 2021-03-13 16:44:33.159000000 +0800
++++ Pillow-8.1.1/src/PIL/BlpImagePlugin.py 2021-03-13 16:51:52.803000000 +0800
+@@ -353,6 +353,7 @@
+ data = jpeg_header + data
+ data = BytesIO(data)
+ image = JpegImageFile(data)
++ Image._decompression_bomb_check(image.size)
+ self.tile = image.tile # :/
+ self.fd = image.fp
+ self.mode = image.mode
+diff -Nuar Pillow-8.1.1-old/src/PIL/IcnsImagePlugin.py Pillow-8.1.1/src/PIL/IcnsImagePlugin.py
+--- Pillow-8.1.1-old/src/PIL/IcnsImagePlugin.py 2021-03-13 16:44:33.160000000 +0800
++++ Pillow-8.1.1/src/PIL/IcnsImagePlugin.py 2021-03-13 16:54:10.925000000 +0800
+@@ -105,6 +105,7 @@
+ if sig[:8] == b"\x89PNG\x0d\x0a\x1a\x0a":
+ fobj.seek(start)
+ im = PngImagePlugin.PngImageFile(fobj)
++ Image._decompression_bomb_check(im.size)
+ return {"RGBA": im}
+ elif (
+ sig[:4] == b"\xff\x4f\xff\x51"
+@@ -120,6 +121,7 @@
+ fobj.seek(start)
+ jp2kstream = fobj.read(length)
+ f = io.BytesIO(jp2kstream)
++ Image._decompression_bomb_check(im.size)
+ im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
+ if im.mode != "RGBA":
+ im = im.convert("RGBA")
+diff -Nuar Pillow-8.1.1-old/src/PIL/IcoImagePlugin.py
Pillow-8.1.1/src/PIL/IcoImagePlugin.py +--- Pillow-8.1.1-old/src/PIL/IcoImagePlugin.py 2021-03-13 16:44:33.160000000 +0800 ++++ Pillow-8.1.1/src/PIL/IcoImagePlugin.py 2021-03-13 16:55:31.306000000 +0800 +@@ -178,6 +178,7 @@ + if data[:8] == PngImagePlugin._MAGIC: + # png frame + im = PngImagePlugin.PngImageFile(self.buf) ++ Image._decompression_bomb_check(im.size) + else: + # XOR + AND mask bmp frame + im = BmpImagePlugin.DibImageFile(self.buf) diff --git a/python-pillow.spec b/python-pillow.spec index ae7122a5891effc493607f082c4bf7b839010e66..8f5d14822742696cbbc6189385738db16f3fb996 100644 --- a/python-pillow.spec +++ b/python-pillow.spec @@ -5,7 +5,7 @@ Name: python-pillow Version: 8.1.1 -Release: 1 +Release: 2 Summary: Python image processing library License: MIT URL: http://python-pillow.github.io/ @@ -13,6 +13,7 @@ Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillo Patch0: python-pillow_spinxwarn.patch Patch1: python-pillow_sphinx-issues.patch +Patch6000: backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libraqm-devel libtiff-devel BuildRequires: libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile @@ -144,5 +145,11 @@ popd %{python3_sitearch}/PIL/__pycache__/ImageQt* %changelog +* Mon Mar 15 2021 wangye - 8.1.1-2 +- Type:CVE +- CVE:CVE-2021-27921 CVE-2021-27922 CVE-2021-27923 +- SUG:NA +- DESC: fix CVE-2021-27921CVE-2021-27922CVE-2021-27923 + * Mon Mar 08 2021 wangye - 8.1.1-1 - Update to 8.1.1
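Review bot: In the backported IcnsImagePlugin.py hunk at `@@ -120,6 +121,7 @@`, the added `Image._decompression_bomb_check(im.size)` sits one line above `im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)`, so on the JPEG 2000 path it reads `im` before the visible lines of that branch assign it. That most likely raises an unbound-local error for every ICNS icon carrying a JPEG 2000 stream, and in any case the size reported by the embedded JPEG 2000 image is never checked, so the memory-exhaustion case this patch targets stays open on that path. The other three insertions (Blp, the Icns PNG branch, Ico) call the check after the contained image is constructed; this one should match, i.e. `im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)` followed by `Image._decompression_bomb_check(im.size)`. The enclosing function starts and ends outside the hunk, so an earlier binding of `im` cannot be ruled out from here. A regression test that opens an ICNS file with a JPEG 2000 icon would catch this ordering in the backport.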