
Bug#966213: marked as done (buster-pu: package pillow/5.4.1-2+deb10u2)



Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #966213,
regarding buster-pu: package pillow/5.4.1-2+deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
966213: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966213
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

A few non-severe security issues, debdiff below.

Cheers,
        Moritz

diff -Nru pillow-5.4.1/debian/changelog pillow-5.4.1/debian/changelog
--- pillow-5.4.1/debian/changelog	2020-02-06 20:47:20.000000000 +0100
+++ pillow-5.4.1/debian/changelog	2020-07-22 17:25:31.000000000 +0200
@@ -1,3 +1,9 @@
+pillow (5.4.1-2+deb10u2) buster; urgency=medium
+
+  * CVE-2020-11538 CVE-2020-10378 CVE-2020-10177
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Wed, 22 Jul 2020 19:23:16 +0200
+
 pillow (5.4.1-2+deb10u1) buster-security; urgency=medium
 
   * CVE-2019-16865 CVE-2019-19911 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313
diff -Nru pillow-5.4.1/debian/patches/CVE-2020-10177.patch pillow-5.4.1/debian/patches/CVE-2020-10177.patch
--- pillow-5.4.1/debian/patches/CVE-2020-10177.patch	1970-01-01 01:00:00.000000000 +0100
+++ pillow-5.4.1/debian/patches/CVE-2020-10177.patch	2020-07-22 17:19:07.000000000 +0200
@@ -0,0 +1,154 @@
+Backport the following commits:
+c66d8aa75436f334f686fe32bca8e414bcdd18e6
+f6926a041b4b544fd2ced3752542afb6c8c19405
+b4e439d6d7fd986cd6b4c7f9ca18830d79dacd44
+c88b0204d7c930e3bd72626ae6ea078571cc0ea7
+c5edc361fd6450f805a6a444723b0f68190b1d0c
+8d4f3c0c5f2fecf175aeb895e9c2d6d06d85bdc9
+088ce4df981b70fbec140ee54417bcb49a7dffca
+5b490fc413dfab2d52de46a58905c25d9badb650
+
+--- pillow-5.4.1.orig/src/libImaging/FliDecode.c
++++ pillow-5.4.1/src/libImaging/FliDecode.c
+@@ -24,7 +24,12 @@
+ #define	I32(ptr)\
+     ((ptr)[0] + ((ptr)[1] << 8) + ((ptr)[2] << 16) + ((ptr)[3] << 24))
+ 
+-
++#define ERR_IF_DATA_OOB(offset) \
++  if ((data + (offset)) > ptr + bytes) {\
++    state->errcode = IMAGING_CODEC_OVERRUN; \
++    return -1; \
++  }
++    
+ int
+ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ {
+@@ -78,10 +83,12 @@ ImagingFliDecode(Imaging im, ImagingCode
+ 	    break; /* ignored; handled by Python code */
+ 	case 7:
+ 	    /* FLI SS2 chunk (word delta) */
++	    /* OOB ok, we've got 4 bytes min on entry */
+ 	    lines = I16(data); data += 2;
+ 	    for (l = y = 0; l < lines && y < state->ysize; l++, y++) {
+-		UINT8* buf = (UINT8*) im->image[y];
++		UINT8* local_buf = (UINT8*) im->image[y];
+ 		int p, packets;
++		ERR_IF_DATA_OOB(2)
+ 		packets = I16(data); data += 2;
+ 		while (packets & 0x8000) {
+ 		    /* flag word */
+@@ -91,29 +98,33 @@ ImagingFliDecode(Imaging im, ImagingCode
+ 			    state->errcode = IMAGING_CODEC_OVERRUN;
+ 			    return -1;
+ 			}
+-			buf = (UINT8*) im->image[y];
++			local_buf = (UINT8*) im->image[y];
+ 		    } else {
+ 			/* store last byte (used if line width is odd) */
+-			buf[state->xsize-1] = (UINT8) packets;
++			local_buf[state->xsize-1] = (UINT8) packets;
+ 		    }
++		    ERR_IF_DATA_OOB(2)
+ 		    packets = I16(data); data += 2;
+ 		}
+ 		for (p = x = 0; p < packets; p++) {
++		    ERR_IF_DATA_OOB(2)
+ 		    x += data[0]; /* pixel skip */
+ 		    if (data[1] >= 128) {
++			ERR_IF_DATA_OOB(4)
+ 			i = 256-data[1]; /* run */
+ 			if (x + i + i > state->xsize)
+ 			    break;
+ 			for (j = 0; j < i; j++) {
+-			    buf[x++] = data[2];
+-			    buf[x++] = data[3];
++			    local_buf[x++] = data[2];
++			    local_buf[x++] = data[3];
+ 			}
+ 			data += 2 + 2;
+ 		    } else {
+ 			i = 2 * (int) data[1]; /* chunk */
+ 			if (x + i > state->xsize)
+ 			    break;
+-			memcpy(buf + x, data + 2, i);
++			ERR_IF_DATA_OOB(2+i)
++			memcpy(local_buf + x, data + 2, i);
+ 			data += 2 + i;
+ 			x += i;
+ 		    }
+@@ -129,22 +140,27 @@ ImagingFliDecode(Imaging im, ImagingCode
+ 	    break;
+ 	case 12:
+ 	    /* FLI LC chunk (byte delta) */
++	    /* OOB Check ok, we have 4 bytes min here */
+ 	    y = I16(data); ymax = y + I16(data+2); data += 4;
+ 	    for (; y < ymax && y < state->ysize; y++) {
+ 		UINT8* out = (UINT8*) im->image[y];
++                ERR_IF_DATA_OOB(1)
+ 		int p, packets = *data++;
+ 		for (p = x = 0; p < packets; p++, x += i) {
++		    ERR_IF_DATA_OOB(2)
+ 		    x += data[0]; /* skip pixels */
+ 		    if (data[1] & 0x80) {
+ 			i = 256-data[1]; /* run */
+ 			if (x + i > state->xsize)
+ 			    break;
++			ERR_IF_DATA_OOB(3)
+ 			memset(out + x, data[2], i);
+ 			data += 3;
+ 		    } else {
+ 			i = data[1]; /* chunk */
+ 			if (x + i > state->xsize)
+ 			    break;
++			ERR_IF_DATA_OOB(2+i)
+ 			memcpy(out + x, data + 2, i);
+ 			data += i + 2;
+ 		    }
+@@ -165,14 +181,18 @@ ImagingFliDecode(Imaging im, ImagingCode
+ 	    break;
+ 	case 15:
+ 	    /* FLI BRUN chunk */
++	    /* OOB, ok, we've got 4 bytes min on entry */
+ 	    for (y = 0; y < state->ysize; y++) {
+ 		UINT8* out = (UINT8*) im->image[y];
+ 		data += 1; /* ignore packetcount byte */
+ 		for (x = 0; x < state->xsize; x += i) {
++		    ERR_IF_DATA_OOB(2)
+ 		    if (data[0] & 0x80) {
+ 			i = 256 - data[0];
+-			if (x + i > state->xsize)
++			if (x + i > state->xsize) {
+ 			    break; /* safety first */
++			}
++			ERR_IF_DATA_OOB(i+1)
+ 			memcpy(out + x, data + 1, i);
+ 			data += i + 1;
+ 		    } else {
+@@ -192,9 +212,13 @@ ImagingFliDecode(Imaging im, ImagingCode
+ 	    break;
+ 	case 16:
+ 	    /* COPY chunk */
++	    if (state->xsize > bytes/state->ysize) {
++		/* not enough data for frame */
++		return ptr - buf; /* bytes consumed */
++	    }
+ 	    for (y = 0; y < state->ysize; y++) {
+-		UINT8* buf = (UINT8*) im->image[y];
+-		memcpy(buf, data, state->xsize);
++		UINT8* local_buf = (UINT8*) im->image[y];
++		memcpy(local_buf, data, state->xsize);
+ 		data += state->xsize;
+ 	    }
+ 	    break;
+@@ -208,6 +232,10 @@ ImagingFliDecode(Imaging im, ImagingCode
+ 	    return -1;
+ 	}
+ 	advance = I32(ptr);
++	if (advance < 0 || advance > bytes) {
++	    state->errcode = IMAGING_CODEC_OVERRUN;
++	    return -1;
++	}
+ 	ptr += advance;
+ 	bytes -= advance;
+     }
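Review bot: The COPY-chunk guard added at `case 16` compares `state->xsize` against `bytes/state->ysize`, but `bytes` is measured from `ptr` while the copy loop reads from `data`; if `data` begins after the chunk header (its assignment is outside this hunk) up to that many bytes can still be read past `ptr + bytes`, and the division faults if `state->ysize` is 0. The bound the other cases use is tighter and measures from `data`: first guard the product (`state->ysize > 0 && state->xsize <= INT_MAX / state->ysize`, otherwise set `IMAGING_CODEC_OVERRUN` and return -1) and then `ERR_IF_DATA_OOB(state->xsize * state->ysize)` before the loop. Separately, the new `advance < 0` test near the end depends on `I32` (visible at the top of the patch) producing a negative int when `ptr[3] >= 0x80`, which is a signed left-shift overflow in C; computing the size as `(UINT32)ptr[3] << 24` and comparing it against `(UINT32)bytes` would keep the check well defined. ImagingFliDecode begins and ends outside this hunk.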
diff -Nru pillow-5.4.1/debian/patches/CVE-2020-10378.patch pillow-5.4.1/debian/patches/CVE-2020-10378.patch
--- pillow-5.4.1/debian/patches/CVE-2020-10378.patch	1970-01-01 01:00:00.000000000 +0100
+++ pillow-5.4.1/debian/patches/CVE-2020-10378.patch	2020-07-07 19:31:54.000000000 +0200
@@ -0,0 +1,26 @@
+From 6a83e4324738bb0452fbe8074a995b1c73f08de7 Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Mon, 9 Mar 2020 20:22:06 +0000
+Subject: [PATCH 2/3] Fix OOB Access on PcxDecode.c
+
+---
+ src/libImaging/PcxDecode.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
+index 9e9504ce5f..e5a38f4bec 100644
+--- a/src/libImaging/PcxDecode.c
++++ b/src/libImaging/PcxDecode.c
+@@ -22,10 +22,7 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
+     UINT8 n;
+     UINT8* ptr;
+ 
+-    if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
+-        state->errcode = IMAGING_CODEC_OVERRUN;
+-        return -1;
+-    } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
++    if ((state->xsize * state->bits + 7) / 8 > state->bytes) {
+         state->errcode = IMAGING_CODEC_OVERRUN;
+         return -1;
+     }
+
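Review bot: The new guard computes `state->xsize * state->bits + 7` in int arithmetic before dividing, so a sufficiently large width (taken from the file header; whatever validation happens before this point is not visible here) overflows, which is undefined and can make the check pass when it should reject. Assuming those fields are plain int (their declarations are outside the hunk), widening the product is the smallest fix: `if (((long long)state->xsize * state->bits + 7) / 8 > state->bytes) {`. A one-line comment above it — `/* bytes needed for one row of xsize pixels at bits per pixel, rounded up */` — would also help, since the mode-specific branches it replaces documented themselves by the mode name. ImagingPcxDecode starts before and ends after this hunk.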
diff -Nru pillow-5.4.1/debian/patches/CVE-2020-11538.patch pillow-5.4.1/debian/patches/CVE-2020-11538.patch
--- pillow-5.4.1/debian/patches/CVE-2020-11538.patch	1970-01-01 01:00:00.000000000 +0100
+++ pillow-5.4.1/debian/patches/CVE-2020-11538.patch	2020-07-07 19:35:05.000000000 +0200
@@ -0,0 +1,51 @@
+From 394d6a180a4b63a149a223b13e98a3209f837147 Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Sat, 28 Mar 2020 13:00:46 +0000
+Subject: [PATCH 1/4] Track number of pixels, not the number of runs
+
+---
+ src/libImaging/SgiRleDecode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8*
+ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+ {
+     UINT8 pixel, count;
++    int x = 0;
+ 
+     for (;n > 0; n--)
+     {
+@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8*
+         count = pixel & RLE_MAX_RUN;
+         if (!count)
+             return count;
+-        if (count > xsize) {
++        if (x + count > xsize) {
+             return -1;
+         }
++        x += count;
+         if (pixel & RLE_COPY_FLAG) {
+             while(count--) {
+                 *dest = *src++;
+@@ -63,6 +65,7 @@ static int expandrow2(UINT8* dest, const
+ {
+     UINT8 pixel, count;
+ 
++    int x = 0;
+ 
+     for (;n > 0; n--)
+     {
+@@ -73,9 +76,10 @@ static int expandrow2(UINT8* dest, const
+         count = pixel & RLE_MAX_RUN;
+         if (!count)
+             return count;
+-        if (count > xsize) {
++        if (x + count > xsize) {
+             return -1;
+         }
++        x += count;
+         if (pixel & RLE_COPY_FLAG) {
+             while(count--) {
+                 *dest = *src++;
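Review bot: The new `x` counter in both `expandrow` and `expandrow2` is the variable that now carries the per-row bound, yet it has no comment and, in `expandrow2`, is separated from the other declarations by a stray blank line, unlike in `expandrow`. Declaring it next to `pixel, count` in both functions and writing `int x = 0; /* pixels written to dest so far; bounds the row across runs */` would make the intent of `x + count > xsize` self-evident. The check only bounds writes to `dest`; whether the `*src++` reads stay inside the input buffer is not visible in this hunk, so it is worth confirming at the caller. Both functions continue past the hunk boundaries.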
diff -Nru pillow-5.4.1/debian/patches/series pillow-5.4.1/debian/patches/series
--- pillow-5.4.1/debian/patches/series	2020-02-06 20:12:35.000000000 +0100
+++ pillow-5.4.1/debian/patches/series	2020-07-22 17:22:53.000000000 +0200
@@ -7,3 +7,6 @@
 CVE-2020-5311.patch
 CVE-2020-5312.patch
 CVE-2020-5313.patch
+CVE-2020-10177.patch
+CVE-2020-10378.patch
+CVE-2020-11538.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
