Bug#991298: unblock: pillow/8.1.2+dfsg-0.3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package pillow
8.1.2+dfsg-0.3 includes the fix for CVE-2021-34552
unblock pillow/8.1.2+dfsg-0.3
diffstat for pillow-8.1.2+dfsg pillow-8.1.2+dfsg
changelog | 8 ++++++++
patches/CVE-2021-34552.patch | 40 ++++++++++++++++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 49 insertions(+)
diff -Nru pillow-8.1.2+dfsg/debian/changelog pillow-8.1.2+dfsg/debian/changelog
--- pillow-8.1.2+dfsg/debian/changelog 2021-06-13 17:11:04.000000000 +0100
+++ pillow-8.1.2+dfsg/debian/changelog 2021-07-19 09:52:20.000000000 +0100
@@ -1,3 +1,11 @@
+pillow (8.1.2+dfsg-0.3) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2021-34552 - Replace sprintf with snprintf. Backport upstream change
+ from 8.3 to 8.1.
+
+ -- Neil Williams <codehelp@debian.org> Mon, 19 Jul 2021 09:52:20 +0100
+
pillow (8.1.2+dfsg-0.2) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru pillow-8.1.2+dfsg/debian/patches/CVE-2021-34552.patch pillow-8.1.2+dfsg/debian/patches/CVE-2021-34552.patch
--- pillow-8.1.2+dfsg/debian/patches/CVE-2021-34552.patch 1970-01-01 01:00:00.000000000 +0100
+++ pillow-8.1.2+dfsg/debian/patches/CVE-2021-34552.patch 2021-07-19 09:51:59.000000000 +0100
@@ -0,0 +1,40 @@
+From 5f4504bb03f4edeeef8c2633dc5ba03a4c2a8a97 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Tue, 15 Jun 2021 15:14:26 +1000
+Subject: [PATCH 1/2] Limit sprintf modes to 10 characters
+
+From 518ee3722a99d7f7d890db82a20bd81c1c0327fb Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Wed, 30 Jun 2021 23:47:10 +1000
+Subject: [PATCH 2/2] Use snprintf instead of sprintf
+
+* https://github.com/python-pillow/Pillow/pull/5567/files
+* Replace sprintf with snprintf in src/libImaging/Convert.c
+
+---
+--- a/src/libImaging/Convert.c
++++ b/src/libImaging/Convert.c
+@@ -1664,9 +1664,8 @@
+ #ifdef notdef
+ return (Imaging) ImagingError_ValueError("conversion not supported");
+ #else
+- static char buf[256];
+- /* FIXME: may overflow if mode is too large */
+- sprintf(buf, "conversion from %s to %s not supported", imIn->mode, mode);
++ static char buf[100];
++ snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode);
+ return (Imaging) ImagingError_ValueError(buf);
+ #endif
+ }
+@@ -1724,9 +1723,8 @@
+ }
+ #else
+ {
+- static char buf[256];
+- /* FIXME: may overflow if mode is too large */
+- sprintf(buf, "conversion from %s to %s not supported in convert_transparent", imIn->mode, mode);
++ static char buf[100];
++ snprintf(buf, 100, "conversion from %.10s to %.10s not supported in convert_transparent", imIn->mode, mode);
+ return (Imaging) ImagingError_ValueError(buf);
+ }
+ #endif
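Review bot: The bound passed on the two added `snprintf` lines (`snprintf(buf, 100, …)`) repeats the literal 100 from `static char buf[100];` instead of deriving it from the declaration; `snprintf(buf, sizeof buf, …)` keeps the size and the bound in step if the buffer is ever resized. Since both operands are already capped by `%.10s`, the longest message (the convert_transparent variant) is 77 characters plus the terminator, so the snprintf bound is a second line of defence rather than the operative one; a one-line comment such as `/* %.10s caps each mode name; snprintf bounds the whole message */` would make that intent clear where the removed FIXME stood. Both enclosing functions begin before their inner hunks, so how the static buffer's contents are consumed after `ImagingError_ValueError` returns is outside this view.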
diff -Nru pillow-8.1.2+dfsg/debian/patches/series pillow-8.1.2+dfsg/debian/patches/series
--- pillow-8.1.2+dfsg/debian/patches/series 2021-06-13 17:10:51.000000000 +0100
+++ pillow-8.1.2+dfsg/debian/patches/series 2021-07-19 09:45:27.000000000 +0100
@@ -7,3 +7,4 @@
CVE-2021-28676.patch
CVE-2021-28677.patch
CVE-2021-28678.patch
+CVE-2021-34552.patch