- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package pillow/5.4.1-2+deb10u2
- From: Moritz Muehlenhoff <jmm@debian.org>
- Date: Fri, 24 Jul 2020 21:00:53 +0200
- Message-id: <159561725385.236357.3437840001868848582.reportbug@hullmann.westfalen.local>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
A few non-severe security issues, debdiff below.
Cheers,
Moritz
diff -Nru pillow-5.4.1/debian/changelog pillow-5.4.1/debian/changelog
--- pillow-5.4.1/debian/changelog 2020-02-06 20:47:20.000000000 +0100
+++ pillow-5.4.1/debian/changelog 2020-07-22 17:25:31.000000000 +0200
@@ -1,3 +1,9 @@
+pillow (5.4.1-2+deb10u2) buster; urgency=medium
+
+ * CVE-2020-11538 CVE-2020-10378 CVE-2020-10177
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Wed, 22 Jul 2020 19:23:16 +0200
+
pillow (5.4.1-2+deb10u1) buster-security; urgency=medium
* CVE-2019-16865 CVE-2019-19911 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313
diff -Nru pillow-5.4.1/debian/patches/CVE-2020-10177.patch pillow-5.4.1/debian/patches/CVE-2020-10177.patch
--- pillow-5.4.1/debian/patches/CVE-2020-10177.patch 1970-01-01 01:00:00.000000000 +0100
+++ pillow-5.4.1/debian/patches/CVE-2020-10177.patch 2020-07-22 17:19:07.000000000 +0200
@@ -0,0 +1,154 @@
+Backport the following commits:
+c66d8aa75436f334f686fe32bca8e414bcdd18e6
+f6926a041b4b544fd2ced3752542afb6c8c19405
+b4e439d6d7fd986cd6b4c7f9ca18830d79dacd44
+c88b0204d7c930e3bd72626ae6ea078571cc0ea7
+c5edc361fd6450f805a6a444723b0f68190b1d0c
+8d4f3c0c5f2fecf175aeb895e9c2d6d06d85bdc9
+088ce4df981b70fbec140ee54417bcb49a7dffca
+5b490fc413dfab2d52de46a58905c25d9badb650
+
+--- pillow-5.4.1.orig/src/libImaging/FliDecode.c
++++ pillow-5.4.1/src/libImaging/FliDecode.c
+@@ -24,7 +24,12 @@
+ #define I32(ptr)\
+ ((ptr)[0] + ((ptr)[1] << 8) + ((ptr)[2] << 16) + ((ptr)[3] << 24))
+
+-
++#define ERR_IF_DATA_OOB(offset) \
++ if ((data + (offset)) > ptr + bytes) {\
++ state->errcode = IMAGING_CODEC_OVERRUN; \
++ return -1; \
++ }
++
+ int
+ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ {
+@@ -78,10 +83,12 @@ ImagingFliDecode(Imaging im, ImagingCode
+ break; /* ignored; handled by Python code */
+ case 7:
+ /* FLI SS2 chunk (word delta) */
++ /* OOB ok, we've got 4 bytes min on entry */
+ lines = I16(data); data += 2;
+ for (l = y = 0; l < lines && y < state->ysize; l++, y++) {
+- UINT8* buf = (UINT8*) im->image[y];
++ UINT8* local_buf = (UINT8*) im->image[y];
+ int p, packets;
++ ERR_IF_DATA_OOB(2)
+ packets = I16(data); data += 2;
+ while (packets & 0x8000) {
+ /* flag word */
+@@ -91,29 +98,33 @@ ImagingFliDecode(Imaging im, ImagingCode
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+- buf = (UINT8*) im->image[y];
++ local_buf = (UINT8*) im->image[y];
+ } else {
+ /* store last byte (used if line width is odd) */
+- buf[state->xsize-1] = (UINT8) packets;
++ local_buf[state->xsize-1] = (UINT8) packets;
+ }
++ ERR_IF_DATA_OOB(2)
+ packets = I16(data); data += 2;
+ }
+ for (p = x = 0; p < packets; p++) {
++ ERR_IF_DATA_OOB(2)
+ x += data[0]; /* pixel skip */
+ if (data[1] >= 128) {
++ ERR_IF_DATA_OOB(4)
+ i = 256-data[1]; /* run */
+ if (x + i + i > state->xsize)
+ break;
+ for (j = 0; j < i; j++) {
+- buf[x++] = data[2];
+- buf[x++] = data[3];
++ local_buf[x++] = data[2];
++ local_buf[x++] = data[3];
+ }
+ data += 2 + 2;
+ } else {
+ i = 2 * (int) data[1]; /* chunk */
+ if (x + i > state->xsize)
+ break;
+- memcpy(buf + x, data + 2, i);
++ ERR_IF_DATA_OOB(2+i)
++ memcpy(local_buf + x, data + 2, i);
+ data += 2 + i;
+ x += i;
+ }
+@@ -129,22 +140,27 @@ ImagingFliDecode(Imaging im, ImagingCode
+ break;
+ case 12:
+ /* FLI LC chunk (byte delta) */
++ /* OOB Check ok, we have 4 bytes min here */
+ y = I16(data); ymax = y + I16(data+2); data += 4;
+ for (; y < ymax && y < state->ysize; y++) {
+ UINT8* out = (UINT8*) im->image[y];
++ ERR_IF_DATA_OOB(1)
+ int p, packets = *data++;
+ for (p = x = 0; p < packets; p++, x += i) {
++ ERR_IF_DATA_OOB(2)
+ x += data[0]; /* skip pixels */
+ if (data[1] & 0x80) {
+ i = 256-data[1]; /* run */
+ if (x + i > state->xsize)
+ break;
++ ERR_IF_DATA_OOB(3)
+ memset(out + x, data[2], i);
+ data += 3;
+ } else {
+ i = data[1]; /* chunk */
+ if (x + i > state->xsize)
+ break;
++ ERR_IF_DATA_OOB(2+i)
+ memcpy(out + x, data + 2, i);
+ data += i + 2;
+ }
+@@ -165,14 +181,18 @@ ImagingFliDecode(Imaging im, ImagingCode
+ break;
+ case 15:
+ /* FLI BRUN chunk */
++ /* OOB, ok, we've got 4 bytes min on entry */
+ for (y = 0; y < state->ysize; y++) {
+ UINT8* out = (UINT8*) im->image[y];
+ data += 1; /* ignore packetcount byte */
+ for (x = 0; x < state->xsize; x += i) {
++ ERR_IF_DATA_OOB(2)
+ if (data[0] & 0x80) {
+ i = 256 - data[0];
+- if (x + i > state->xsize)
++ if (x + i > state->xsize) {
+ break; /* safety first */
++ }
++ ERR_IF_DATA_OOB(i+1)
+ memcpy(out + x, data + 1, i);
+ data += i + 1;
+ } else {
+@@ -192,9 +212,13 @@ ImagingFliDecode(Imaging im, ImagingCode
+ break;
+ case 16:
+ /* COPY chunk */
++ if (state->xsize > bytes/state->ysize) {
++ /* not enough data for frame */
++ return ptr - buf; /* bytes consumed */
++ }
+ for (y = 0; y < state->ysize; y++) {
+- UINT8* buf = (UINT8*) im->image[y];
+- memcpy(buf, data, state->xsize);
++ UINT8* local_buf = (UINT8*) im->image[y];
++ memcpy(local_buf, data, state->xsize);
+ data += state->xsize;
+ }
+ break;
+@@ -208,6 +232,10 @@ ImagingFliDecode(Imaging im, ImagingCode
+ return -1;
+ }
+ advance = I32(ptr);
++ if (advance < 0 || advance > bytes) {
++ state->errcode = IMAGING_CODEC_OVERRUN;
++ return -1;
++ }
+ ptr += advance;
+ bytes -= advance;
+ }
diff -Nru pillow-5.4.1/debian/patches/CVE-2020-10378.patch pillow-5.4.1/debian/patches/CVE-2020-10378.patch
--- pillow-5.4.1/debian/patches/CVE-2020-10378.patch 1970-01-01 01:00:00.000000000 +0100
+++ pillow-5.4.1/debian/patches/CVE-2020-10378.patch 2020-07-07 19:31:54.000000000 +0200
@@ -0,0 +1,26 @@
+From 6a83e4324738bb0452fbe8074a995b1c73f08de7 Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Mon, 9 Mar 2020 20:22:06 +0000
+Subject: [PATCH 2/3] Fix OOB Access on PcxDecode.c
+
+---
+ src/libImaging/PcxDecode.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
+index 9e9504ce5f..e5a38f4bec 100644
+--- a/src/libImaging/PcxDecode.c
++++ b/src/libImaging/PcxDecode.c
+@@ -22,10 +22,7 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
+ UINT8 n;
+ UINT8* ptr;
+
+- if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
+- state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
+- } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
++ if ((state->xsize * state->bits + 7) / 8 > state->bytes) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+
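Review bot: The new guard `if ((state->xsize * state->bits + 7) / 8 > state->bytes)` computes `xsize * bits` in int (assuming the ImagingCodecState fields are plain ints, as the rest of this codec treats them), so a sufficiently large xsize from the PCX header overflows the product — undefined behaviour that in practice wraps negative and lets the overrun check pass. Check the multiplication before relying on it, e.g. `if (state->bits > 0 && state->xsize > (INT_MAX - 7) / state->bits) { state->errcode = IMAGING_CODEC_OVERRUN; return -1; }` (needs `<limits.h>`), or compute the row size in a wider type. The surrounding ImagingPcxDecode body continues outside the hunk.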
diff -Nru pillow-5.4.1/debian/patches/CVE-2020-11538.patch pillow-5.4.1/debian/patches/CVE-2020-11538.patch
--- pillow-5.4.1/debian/patches/CVE-2020-11538.patch 1970-01-01 01:00:00.000000000 +0100
+++ pillow-5.4.1/debian/patches/CVE-2020-11538.patch 2020-07-07 19:35:05.000000000 +0200
@@ -0,0 +1,51 @@
+From 394d6a180a4b63a149a223b13e98a3209f837147 Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Sat, 28 Mar 2020 13:00:46 +0000
+Subject: [PATCH 1/4] Track number of pixels, not the number of runs
+
+---
+ src/libImaging/SgiRleDecode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8*
+ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+ {
+ UINT8 pixel, count;
++ int x = 0;
+
+ for (;n > 0; n--)
+ {
+@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8*
+ count = pixel & RLE_MAX_RUN;
+ if (!count)
+ return count;
+- if (count > xsize) {
++ if (x + count > xsize) {
+ return -1;
+ }
++ x += count;
+ if (pixel & RLE_COPY_FLAG) {
+ while(count--) {
+ *dest = *src++;
+@@ -63,6 +65,7 @@ static int expandrow2(UINT8* dest, const
+ {
+ UINT8 pixel, count;
+
++ int x = 0;
+
+ for (;n > 0; n--)
+ {
+@@ -73,9 +76,10 @@ static int expandrow2(UINT8* dest, const
+ count = pixel & RLE_MAX_RUN;
+ if (!count)
+ return count;
+- if (count > xsize) {
++ if (x + count > xsize) {
+ return -1;
+ }
++ x += count;
+ if (pixel & RLE_COPY_FLAG) {
+ while(count--) {
+ *dest = *src++;
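Review bot: The added `x` counter bounds writes to `dest`, but reads from `src` are still governed only by the per-run `n--`: in the copy branch `while(count--) { *dest = *src++;` consumes `count` bytes of input while `n` drops by one per run, so input-length safety depends entirely on how the caller sizes `n` (outside the hunk). The Subject line marks this as patch 1 of 4 from the upstream series; it is worth recording in the patch header whether the remaining parts were assessed as unnecessary for buster or deliberately left out. A one-line comment above the new check, `/* x tracks pixels emitted so far; count alone is not enough */`, would make the intent of the replaced condition clearer to the next backporter.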
diff -Nru pillow-5.4.1/debian/patches/series pillow-5.4.1/debian/patches/series
--- pillow-5.4.1/debian/patches/series 2020-02-06 20:12:35.000000000 +0100
+++ pillow-5.4.1/debian/patches/series 2020-07-22 17:22:53.000000000 +0200
@@ -7,3 +7,6 @@
CVE-2020-5311.patch
CVE-2020-5312.patch
CVE-2020-5313.patch
+CVE-2020-10177.patch
+CVE-2020-10378.patch
+CVE-2020-11538.patch