Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 13 Feb 2016 10:51:08 +0000 (UTC)
From:      Kubilay Kocak <koobs@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r408782 - in head/graphics/py-pillow: . files
Message-ID:  <201602131051.u1DAp8xB074901@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: koobs
Date: Sat Feb 13 10:51:08 2016
New Revision: 408782
URL: https://svnweb.freebsd.org/changeset/ports/408782

Log:
  graphics/py-pillow: Backport security fixes
  
  Backport security fixes from 3.1.1 release, resolving the following
  vulnerabilities:
  
   * CVE-2016-0775: Buffer overflow in FLI decoding code
   * CVE-2016-0740: Buffer overflow in TIFF decoding code
   * Integer overflow in Resample.c [1]
   * Buffer overflow in PCD decoder [2]
  
  [1] https://github.com/python-pillow/Pillow/issues/1710
  [2] https://github.com/python-pillow/Pillow/issues/568
  
  PR:		207053
  Submitted by:	rakuco
  MFH:		2016Q1
  Security:	a8de962a-cf15-11e5-805c-5453ed2e2b49

Added:
  head/graphics/py-pillow/files/
  head/graphics/py-pillow/files/patch-CVE-2016-0740   (contents, props changed)
  head/graphics/py-pillow/files/patch-CVE-2016-0775   (contents, props changed)
  head/graphics/py-pillow/files/patch-libImaging-PcdDecode.c   (contents, props changed)
  head/graphics/py-pillow/files/patch-libImaging-Resample.c   (contents, props changed)
Modified:
  head/graphics/py-pillow/Makefile

Modified: head/graphics/py-pillow/Makefile
==============================================================================
--- head/graphics/py-pillow/Makefile	Sat Feb 13 10:32:15 2016	(r408781)
+++ head/graphics/py-pillow/Makefile	Sat Feb 13 10:51:08 2016	(r408782)
@@ -3,6 +3,7 @@
 
 PORTNAME=	pillow
 PORTVERSION=	2.9.0
+PORTREVISION=	1
 CATEGORIES=	graphics python
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
 
@@ -96,7 +97,7 @@ do-install:
 		${PYDISTUTILS_SETUP} ${PYDISTUTILS_BUILD_TARGET} ${PYDISTUTILS_BUILDARGS} \
 		${PYDISTUTILS_INSTALL_TARGET} ${PYDISTUTILS_INSTALLARGS})
 
-regression-test: extract
+do-test: extract
 	@cd ${WRKSRC} && \
 	${PYTHON_CMD} ${PYSETUP} build_ext -i && \
 	${PYTHON_CMD} selftest.py

Added: head/graphics/py-pillow/files/patch-CVE-2016-0740
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/graphics/py-pillow/files/patch-CVE-2016-0740	Sat Feb 13 10:51:08 2016	(r408782)
@@ -0,0 +1,24 @@
+From 6dcbf5bd96b717c58d7b642949da8d323099928e Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Thu, 14 Jan 2016 04:59:19 -0800
+Subject: [PATCH] Fix for buffer overflow in TiffDecode.c CVE-2016-0740
+
+---
+ Tests/check_libtiff_segfault.py   |  23 +++++++++++++++++++++++
+ Tests/images/libtiff_segfault.tif | Bin 0 -> 262 bytes
+ libImaging/TiffDecode.c           |   2 +-
+ 3 files changed, 24 insertions(+), 1 deletion(-)
+ create mode 100644 Tests/check_libtiff_segfault.py
+ create mode 100644 Tests/images/libtiff_segfault.tif
+
+--- libImaging/TiffDecode.c
++++ libImaging/TiffDecode.c
+@@ -169,7 +169,7 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, int
+ 	char *filename = "tempfile.tif";
+ 	char *mode = "r";
+ 	TIFF *tiff;
+-	int size;
++	tsize_t size;
+ 
+ 
+ 	/* buffer is the encoded file, bytes is the length of the encoded file */

Added: head/graphics/py-pillow/files/patch-CVE-2016-0775
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/graphics/py-pillow/files/patch-CVE-2016-0775	Sat Feb 13 10:51:08 2016	(r408782)
@@ -0,0 +1,24 @@
+From bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec Mon Sep 17 00:00:00 2001
+From: wiredfool <eric-github@soroos.net>
+Date: Wed, 20 Jan 2016 22:37:28 +0000
+Subject: [PATCH] FLI overflow error fix and testcase CVE-2016-0775
+
+---
+ Tests/check_fli_overflow.py   |  16 ++++++++++++++++
+ Tests/images/fli_overflow.fli | Bin 0 -> 4645 bytes
+ libImaging/FliDecode.c        |   2 +-
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+ create mode 100644 Tests/check_fli_overflow.py
+ create mode 100644 Tests/images/fli_overflow.fli
+
+--- libImaging/FliDecode.c
++++ libImaging/FliDecode.c
+@@ -185,7 +185,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 	    /* COPY chunk */
+ 	    for (y = 0; y < state->ysize; y++) {
+ 		UINT8* buf = (UINT8*) im->image[y];
+-		memcpy(buf+x, data, state->xsize);
++		memcpy(buf, data, state->xsize);
+ 		data += state->xsize;
+ 	    }
+ 	    break;

Added: head/graphics/py-pillow/files/patch-libImaging-PcdDecode.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/graphics/py-pillow/files/patch-libImaging-PcdDecode.c	Sat Feb 13 10:51:08 2016	(r408782)
@@ -0,0 +1,33 @@
+From ae453aa18b66af54e7ff716f4ccb33adca60afd4 Mon Sep 17 00:00:00 2001
+From: wiredfool <eric-github@soroos.net>
+Date: Tue, 2 Feb 2016 05:46:26 -0800
+Subject: [PATCH] PCD decoder overruns the shuffle buffer, Fixes #568
+
+---
+ Tests/images/hopper.pcd | Bin 0 -> 788480 bytes
+ Tests/test_file_pcd.py  |  18 ++++++++++++++++++
+ libImaging/PcdDecode.c  |   4 ++--
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 Tests/images/hopper.pcd
+ create mode 100644 Tests/test_file_pcd.py
+
+--- libImaging/PcdDecode.c
++++ libImaging/PcdDecode.c
+@@ -47,7 +47,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 	    out[0] = ptr[x];
+ 	    out[1] = ptr[(x+4*state->xsize)/2];
+ 	    out[2] = ptr[(x+5*state->xsize)/2];
+-	    out += 4;
++	    out += 3;
+ 	}
+ 
+ 	state->shuffle((UINT8*) im->image[state->y],
+@@ -62,7 +62,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 	    out[0] = ptr[x+state->xsize];
+ 	    out[1] = ptr[(x+4*state->xsize)/2];
+ 	    out[2] = ptr[(x+5*state->xsize)/2];
+-	    out += 4;
++	    out += 3;
+ 	}
+ 
+ 	state->shuffle((UINT8*) im->image[state->y],

Added: head/graphics/py-pillow/files/patch-libImaging-Resample.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/graphics/py-pillow/files/patch-libImaging-Resample.c	Sat Feb 13 10:51:08 2016	(r408782)
@@ -0,0 +1,35 @@
+From 41fae6d9e2da741d2c5464775c7f1a609ea03798 Mon Sep 17 00:00:00 2001
+From: Ned Williamson <nedwilliamson@gmail.com>
+Date: Thu, 4 Feb 2016 01:54:12 -0500
+Subject: [PATCH] fix integer overflow in Resample.c
+
+---
+ libImaging/Resample.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- libImaging/Resample.c
++++ libImaging/Resample.c
+@@ -138,11 +138,23 @@ ImagingResampleHorizontal(Imaging imIn, int xsize, int filter)
+     /* maximum number of coofs */
+     kmax = (int) ceil(support) * 2 + 1;
+ 
++    // check for overflow
++    if (kmax > 0 && xsize > SIZE_MAX / kmax)
++        return (Imaging) ImagingError_MemoryError();
++
++    // sizeof(float) should be greater than 0
++    if (xsize * kmax > SIZE_MAX / sizeof(float))
++        return (Imaging) ImagingError_MemoryError();
++
+     /* coefficient buffer */
+     kk = malloc(xsize * kmax * sizeof(float));
+     if ( ! kk)
+         return (Imaging) ImagingError_MemoryError();
+ 
++    // sizeof(int) should be greater than 0 as well
++    if (xsize > SIZE_MAX / (2 * sizeof(int)))
++        return (Imaging) ImagingError_MemoryError();
++
+     xbounds = malloc(xsize * 2 * sizeof(int));
+     if ( ! xbounds) {
+         free(kk);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201602131051.u1DAp8xB074901>