Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
A few non-severe security issues, debdiff below. Cheers, Moritz
diff -Nru pillow-5.4.1/debian/changelog pillow-5.4.1/debian/changelog
--- pillow-5.4.1/debian/changelog 2020-02-06 20:47:20.000000000 +0100
+++ pillow-5.4.1/debian/changelog 2020-07-22 17:25:31.000000000 +0200
@@ -1,3 +1,9 @@
+pillow (5.4.1-2+deb10u2) buster; urgency=medium
+
+ * CVE-2020-11538 CVE-2020-10378 CVE-2020-10177
+
+ -- Moritz Mühlenhoff <j...@debian.org> Wed, 22 Jul 2020 19:23:16 +0200
+
 pillow (5.4.1-2+deb10u1) buster-security; urgency=medium
 
 * CVE-2019-16865 CVE-2019-19911 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313
diff -Nru pillow-5.4.1/debian/patches/CVE-2020-10177.patch pillow-5.4.1/debian/patches/CVE-2020-10177.patch
--- pillow-5.4.1/debian/patches/CVE-2020-10177.patch 1970-01-01 01:00:00.000000000 +0100
+++ pillow-5.4.1/debian/patches/CVE-2020-10177.patch 2020-07-22 17:19:07.000000000 +0200
@@ -0,0 +1,154 @@
+Backport the following commits:
+c66d8aa75436f334f686fe32bca8e414bcdd18e6
+f6926a041b4b544fd2ced3752542afb6c8c19405
+b4e439d6d7fd986cd6b4c7f9ca18830d79dacd44
+c88b0204d7c930e3bd72626ae6ea078571cc0ea7
+c5edc361fd6450f805a6a444723b0f68190b1d0c
+8d4f3c0c5f2fecf175aeb895e9c2d6d06d85bdc9
+088ce4df981b70fbec140ee54417bcb49a7dffca
+5b490fc413dfab2d52de46a58905c25d9badb650
+
+--- pillow-5.4.1.orig/src/libImaging/FliDecode.c
++++ pillow-5.4.1/src/libImaging/FliDecode.c
+@@ -24,7 +24,12 @@
+ #define I32(ptr)\
+ ((ptr)[0] + ((ptr)[1] << 8) + ((ptr)[2] << 16) + ((ptr)[3] << 24))
+
+-
++#define ERR_IF_DATA_OOB(offset) \
++ if ((data + (offset)) > ptr + bytes) {\
++ state->errcode = IMAGING_CODEC_OVERRUN; \
++ return -1; \
++ }
++
+ int
+ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ {
+@@ -78,10 +83,12 @@ ImagingFliDecode(Imaging im, ImagingCode
+ break; /* ignored; handled by Python code */
+ case 7:
+ /* FLI SS2 chunk (word delta) */
++ /* OOB ok, we've got 4 bytes min on entry */
+ lines = I16(data); data += 2;
+ for (l = y = 0; l < lines && y < state->ysize; l++, y++) {
+- UINT8* buf = (UINT8*) im->image[y];
++ UINT8* local_buf = (UINT8*) im->image[y];
+ int p, packets;
++ ERR_IF_DATA_OOB(2)
+ packets = I16(data); data += 2;
+ while (packets & 0x8000) {
+ /* flag word */
+@@ -91,29 +98,33 @@ ImagingFliDecode(Imaging im, ImagingCode
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+- buf = (UINT8*) im->image[y];
++ local_buf = (UINT8*) im->image[y];
+ } else {
+ /* store last byte (used if line width is odd) */
+- buf[state->xsize-1] = (UINT8) packets;
++ local_buf[state->xsize-1] = (UINT8) packets;
+ }
++ ERR_IF_DATA_OOB(2)
+ packets = I16(data); data += 2;
+ }
+ for (p = x = 0; p < packets; p++) {
++ ERR_IF_DATA_OOB(2)
+ x += data[0]; /* pixel skip */
+ if (data[1] >= 128) {
++ ERR_IF_DATA_OOB(4)
+ i = 256-data[1]; /* run */
+ if (x + i + i > state->xsize)
+ break;
+ for (j = 0; j < i; j++) {
+- buf[x++] = data[2];
+- buf[x++] = data[3];
++ local_buf[x++] = data[2];
++ local_buf[x++] = data[3];
+ }
+ data += 2 + 2;
+ } else {
+ i = 2 * (int) data[1]; /* chunk */
+ if (x + i > state->xsize)
+ break;
+- memcpy(buf + x, data + 2, i);
++ ERR_IF_DATA_OOB(2+i)
++ memcpy(local_buf + x, data + 2, i);
+ data += 2 + i;
+ x += i;
+ }
+@@ -129,22 +140,27 @@ ImagingFliDecode(Imaging im, ImagingCode
+ break;
+ case 12:
+ /* FLI LC chunk (byte delta) */
++ /* OOB Check ok, we have 4 bytes min here */
+ y = I16(data); ymax = y + I16(data+2); data += 4;
+ for (; y < ymax && y < state->ysize; y++) {
+ UINT8* out = (UINT8*) im->image[y];
++ ERR_IF_DATA_OOB(1)
+ int p, packets = *data++;
+ for (p = x = 0; p < packets; p++, x += i) {
++ ERR_IF_DATA_OOB(2)
+ x += data[0]; /* skip pixels */
+ if (data[1] & 0x80) {
+ i = 256-data[1]; /* run */
+ if (x + i > state->xsize)
+ break;
++ ERR_IF_DATA_OOB(3)
+ memset(out + x, data[2], i);
+ data += 3;
+ } else {
+ i = data[1]; /* chunk */
+ if (x + i > state->xsize)
+ break;
++ ERR_IF_DATA_OOB(2+i)
+ memcpy(out + x, data + 2, i);
+ data += i + 2;
+ }
+@@ -165,14 +181,18 @@ ImagingFliDecode(Imaging im, ImagingCode
+ break;
+ case 15:
+ /* FLI BRUN chunk */
++ /* OOB, ok, we've got 4 bytes min on entry */
+ for (y = 0; y < state->ysize; y++) {
+ UINT8* out = (UINT8*) im->image[y];
+ data += 1; /* ignore packetcount byte */
+ for (x = 0; x < state->xsize; x += i) {
++ ERR_IF_DATA_OOB(2)
+ if (data[0] & 0x80) {
+ i = 256 - data[0];
+- if (x + i > state->xsize)
++ if (x + i > state->xsize) {
+ break; /* safety first */
++ }
++ ERR_IF_DATA_OOB(i+1)
+ memcpy(out + x, data + 1, i);
+ data += i + 1;
+ } else {
+@@ -192,9 +212,13 @@ ImagingFliDecode(Imaging im, ImagingCode
+ break;
+ case 16:
+ /* COPY chunk */
++ if (state->xsize > bytes/state->ysize) {
++ /* not enough data for frame */
++ return ptr - buf; /* bytes consumed */
++ }
+ for (y = 0; y < state->ysize; y++) {
+- UINT8* buf = (UINT8*) im->image[y];
+- memcpy(buf, data, state->xsize);
++ UINT8* local_buf = (UINT8*) im->image[y];
++ memcpy(local_buf, data, state->xsize);
+ data += state->xsize;
+ }
+ break;
+@@ -208,6 +232,10 @@ ImagingFliDecode(Imaging im, ImagingCode
+ return -1;
+ }
+ advance = I32(ptr);
++ if (advance < 0 || advance > bytes) {
++ state->errcode = IMAGING_CODEC_OVERRUN;
++ return -1;
++ }
+ ptr += advance;
+ bytes -= advance;
+ }
diff -Nru pillow-5.4.1/debian/patches/CVE-2020-10378.patch pillow-5.4.1/debian/patches/CVE-2020-10378.patch
--- pillow-5.4.1/debian/patches/CVE-2020-10378.patch 1970-01-01 01:00:00.000000000 +0100
+++ pillow-5.4.1/debian/patches/CVE-2020-10378.patch 2020-07-07 19:31:54.000000000 +0200
@@ -0,0 +1,26 @@
+From 6a83e4324738bb0452fbe8074a995b1c73f08de7 Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-git...@soroos.net>
+Date: Mon, 9 Mar 2020 20:22:06 +0000
+Subject: [PATCH 2/3] Fix OOB Access on PcxDecode.c
+
+---
+ src/libImaging/PcxDecode.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
+index 9e9504ce5f..e5a38f4bec 100644
+--- a/src/libImaging/PcxDecode.c
++++ b/src/libImaging/PcxDecode.c
+@@ -22,10 +22,7 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
+ UINT8 n;
+ UINT8* ptr;
+
+- if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
+- state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
+- } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
++ if ((state->xsize * state->bits + 7) / 8 > state->bytes) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+
diff -Nru pillow-5.4.1/debian/patches/CVE-2020-11538.patch pillow-5.4.1/debian/patches/CVE-2020-11538.patch
--- pillow-5.4.1/debian/patches/CVE-2020-11538.patch 1970-01-01 01:00:00.000000000 +0100
+++ pillow-5.4.1/debian/patches/CVE-2020-11538.patch 2020-07-07 19:35:05.000000000 +0200
@@ -0,0 +1,51 @@
+From 394d6a180a4b63a149a223b13e98a3209f837147 Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-git...@soroos.net>
+Date: Sat, 28 Mar 2020 13:00:46 +0000
+Subject: [PATCH 1/4] Track number of pixels, not the number of runs
+
+---
+ src/libImaging/SgiRleDecode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8*
+ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+ {
+ UINT8 pixel, count;
++ int x = 0;
+
+ for (;n > 0; n--)
+ {
+@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8*
+ count = pixel & RLE_MAX_RUN;
+ if (!count)
+ return count;
+- if (count > xsize) {
++ if (x + count > xsize) {
+ return -1;
+ }
++ x += count;
+ if (pixel & RLE_COPY_FLAG) {
+ while(count--) {
+ *dest = *src++;
+@@ -63,6 +65,7 @@ static int expandrow2(UINT8* dest, const
+ {
+ UINT8 pixel, count;
+
++ int x = 0;
+
+ for (;n > 0; n--)
+ {
+@@ -73,9 +76,10 @@ static int expandrow2(UINT8* dest, const
+ count = pixel & RLE_MAX_RUN;
+ if (!count)
+ return count;
+- if (count > xsize) {
++ if (x + count > xsize) {
+ return -1;
+ }
++ x += count;
+ if (pixel & RLE_COPY_FLAG) {
+ while(count--) {
+ *dest = *src++;
diff -Nru pillow-5.4.1/debian/patches/series pillow-5.4.1/debian/patches/series
--- pillow-5.4.1/debian/patches/series 2020-02-06 20:12:35.000000000 +0100
+++ pillow-5.4.1/debian/patches/series 2020-07-22 17:22:53.000000000 +0200
@@ -7,3 +7,6 @@
 CVE-2020-5311.patch
 CVE-2020-5312.patch
 CVE-2020-5313.patch
+CVE-2020-10177.patch
+CVE-2020-10378.patch
+CVE-2020-11538.patch
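Review bot: The new `advance < 0 || advance > bytes` guard in the last FliDecode hunk (`@@ -208,6 +232,10 @@`) relies on `I32(ptr)` coming out negative for a size field with its top bit set, but `I32` as shown in the first hunk evaluates `(ptr)[3] << 24` in `int`, where shifting a one into the sign bit is undefined behaviour rather than a guaranteed negative result; if `advance` is an `int`, as its `< 0` test suggests, the compiler is entitled to assume that branch never happens. Assembling the size as an unsigned value, e.g. `((UINT32)(ptr)[3] << 24)` for the last term, and comparing it against `(UINT32)bytes` before it is narrowed makes the bound well-defined. `advance == 0` (and anything below the 4 bytes the size field itself occupies) also passes the guard and leaves `ptr`/`bytes` unchanged; the enclosing loop starts outside the hunk, so if it is driven only by `bytes` a crafted chunk header makes it spin without progress, and rejecting `advance < 4` would close that. In the `case 16` hunk the new `bytes/state->ysize` divides by a field the hunk does not show to be non-zero, and it sizes the frame against `bytes` counted from `ptr` while the copy loop reads from `data`; if `data` has already been advanced past the chunk header, a frame needing exactly `bytes` still reads that many bytes past the end, so the check should be made on the remaining span from `data` and guarded for `ysize == 0`.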
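Review bot: The replacement check `(state->xsize * state->bits + 7) / 8 > state->bytes` forms the product in whatever integer type those fields have, and their declarations are outside the hunk; if they are plain `int`, a large `xsize` times `bits` can wrap before the divide and the overrun test can wrongly pass a row that does not fit. Doing the arithmetic in a wider unsigned type, `((size_t)state->xsize * state->bits + 7) / 8 > (size_t)state->bytes`, keeps the comparison meaningful for any width the caller accepts, assuming the fields are non-negative. A one-line comment stating the invariant would also help the next reader, e.g. `/* one packed row of xsize pixels at state->bits per pixel must fit in state->bytes */`, since the old mode-specific conditions it replaces were self-describing and this one is not.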
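Review bot: The new `x + count > xsize` test in both `expandrow` and `expandrow2` bounds what is written through `dest`, but in the `RLE_COPY_FLAG` branch `src` still advances by `count` bytes per iteration while `n` is decremented only once per iteration, so whether the reads stay inside the source buffer depends entirely on what the caller passes as `n`; that contract is outside the hunk, and if `n` counts packets rather than available input bytes the reads need a bound of their own. Either way a comment on the signature, e.g. `/* n: number of input bytes available at src; caller bounds it by the remaining file data */` if that is what it is, would pin the assumption the fix relies on. As a style point, in `expandrow2` the added `int x = 0;` sits after the blank line that separates the declarations, unlike in `expandrow`; moving it up beside `UINT8 pixel, count;` keeps the two functions parallel.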