packages/python-pillow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!49 fix CVE-2021-27921 CVE-2021-27922 CVE-2021-27923

Browse Source 
From: @yeah_wang
Reviewed-by: @small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-03-16 17:37:35 +08:00 committed by Gitee
commit e776991d2f
2 changed files with 69 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch Normal file
View File

@ -0,0 +1,60 @@
From 480f6819b592d7f07b9a9a52a7656c10bbe07442 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Wed, 24 Feb 2021 23:27:07 +0100
Subject: [PATCH] Fix Memory DOS in Icns, Ico and Blp Image Plugins
Some container plugins that could contain images of other formats,
such as the ICNS format, did not properly check the reported size of
the contained image. These images could cause arbitrariliy large
memory allocations.
This is fixed for all locations where individual *ImageFile classes
are created without going through the usual Image.open method.
---
src/PIL/BlpImagePlugin.py | 1 +
src/PIL/IcnsImagePlugin.py | 2 ++
src/PIL/IcoImagePlugin.py | 1 +
3 files changed, 4 insertions(+)
diff -Nuar Pillow-8.1.1-old/src/PIL/BlpImagePlugin.py Pillow-8.1.1/src/PIL/BlpImagePlugin.py
--- Pillow-8.1.1-old/src/PIL/BlpImagePlugin.py 2021-03-13 16:44:33.159000000 +0800
+++ Pillow-8.1.1/src/PIL/BlpImagePlugin.py 2021-03-13 16:51:52.803000000 +0800
@@ -353,6 +353,7 @@
data = jpeg_header + data
data = BytesIO(data)
image = JpegImageFile(data)
+ Image._decompression_bomb_check(image.size)
self.tile = image.tile # :/
self.fd = image.fp
self.mode = image.mode
diff -Nuar Pillow-8.1.1-old/src/PIL/IcnsImagePlugin.py Pillow-8.1.1/src/PIL/IcnsImagePlugin.py
--- Pillow-8.1.1-old/src/PIL/IcnsImagePlugin.py 2021-03-13 16:44:33.160000000 +0800
+++ Pillow-8.1.1/src/PIL/IcnsImagePlugin.py 2021-03-13 16:54:10.925000000 +0800
@@ -105,6 +105,7 @@
if sig[:8] == b"\x89PNG\x0d\x0a\x1a\x0a":
fobj.seek(start)
im = PngImagePlugin.PngImageFile(fobj)
+ Image._decompression_bomb_check(im.size)
return {"RGBA": im}
elif (
sig[:4] == b"\xff\x4f\xff\x51"
@@ -120,6 +121,7 @@
fobj.seek(start)
jp2kstream = fobj.read(length)
f = io.BytesIO(jp2kstream)
+ Image._decompression_bomb_check(im.size)
im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
if im.mode != "RGBA":
im = im.convert("RGBA")
diff -Nuar Pillow-8.1.1-old/src/PIL/IcoImagePlugin.py Pillow-8.1.1/src/PIL/IcoImagePlugin.py
--- Pillow-8.1.1-old/src/PIL/IcoImagePlugin.py 2021-03-13 16:44:33.160000000 +0800
+++ Pillow-8.1.1/src/PIL/IcoImagePlugin.py 2021-03-13 16:55:31.306000000 +0800
@@ -178,6 +178,7 @@
if data[:8] == PngImagePlugin._MAGIC:
# png frame
im = PngImagePlugin.PngImageFile(self.buf)
+ Image._decompression_bomb_check(im.size)
else:
# XOR + AND mask bmp frame
im = BmpImagePlugin.DibImageFile(self.buf)

10
python-pillow.spec
View File

@ -5,7 +5,7 @@
Name: python-pillow
Version: 8.1.1
Release: 1
Release: 2
Summary: Python image processing library
License: MIT
URL: http://python-pillow.github.io/
@ -13,6 +13,8 @@ Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillo
Patch0: python-pillow_spinxwarn.patch
Patch1: python-pillow_sphinx-issues.patch
Patch6000: backport-CVE-2021-27921_CVE-2021-27922_CVE-2021-27923.patch
BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libraqm-devel libtiff-devel
BuildRequires: libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@ -144,5 +146,11 @@ popd
%{python3_sitearch}/PIL/__pycache__/ImageQt*
%changelog
* Sat Mar 13 2021 wangye <wangye70@huawei.com> - 8.1.1-2
- Type:CVE
- CVE:CVE-2021-27921 CVE-2021-27922 CVE-2021-27923
- SUG:NA
- DESC: fix CVE-2021-27921CVE-2021-27922CVE-2021-27923
* Mon Mar 08 2021 wangye <wangye70@huawei.com> - 8.1.1-1
- Update to 8.1.1