Date: Sat, 13 Feb 2016 10:51:08 +0000 (UTC) From: Kubilay Kocak <koobs@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r408782 - in head/graphics/py-pillow: . files Message-ID: <201602131051.u1DAp8xB074901@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: koobs Date: Sat Feb 13 10:51:08 2016 New Revision: 408782 URL: https://svnweb.freebsd.org/changeset/ports/408782 Log: graphics/py-pillow: Backport security fixes Backport security fixes from 3.1.1 release, resolving the following vulnerabilities: * CVE-2016-0775: Buffer overflow in FLI decoding code * CVE-2016-0740: Buffer overflow in TIFF decoding code * Integer overflow in Resample.c [1] * Buffer overflow in PCD decoder [2] [1] https://github.com/python-pillow/Pillow/issues/1710 [2] https://github.com/python-pillow/Pillow/issues/568 PR: 207053 Submitted by: rakuco MFH: 2016Q1 Security: a8de962a-cf15-11e5-805c-5453ed2e2b49 Added: head/graphics/py-pillow/files/ head/graphics/py-pillow/files/patch-CVE-2016-0740 (contents, props changed) head/graphics/py-pillow/files/patch-CVE-2016-0775 (contents, props changed) head/graphics/py-pillow/files/patch-libImaging-PcdDecode.c (contents, props changed) head/graphics/py-pillow/files/patch-libImaging-Resample.c (contents, props changed) Modified: head/graphics/py-pillow/Makefile Modified: head/graphics/py-pillow/Makefile ============================================================================== --- head/graphics/py-pillow/Makefile Sat Feb 13 10:32:15 2016 (r408781) +++ head/graphics/py-pillow/Makefile Sat Feb 13 10:51:08 2016 (r408782) @@ -3,6 +3,7 @@ PORTNAME= pillow PORTVERSION= 2.9.0 +PORTREVISION= 1 CATEGORIES= graphics python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} @@ -96,7 +97,7 @@ do-install: ${PYDISTUTILS_SETUP} ${PYDISTUTILS_BUILD_TARGET} ${PYDISTUTILS_BUILDARGS} \ ${PYDISTUTILS_INSTALL_TARGET} ${PYDISTUTILS_INSTALLARGS}) -regression-test: extract +do-test: extract @cd ${WRKSRC} && \ ${PYTHON_CMD} ${PYSETUP} build_ext -i && \ ${PYTHON_CMD} selftest.py Added: head/graphics/py-pillow/files/patch-CVE-2016-0740 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/py-pillow/files/patch-CVE-2016-0740 Sat Feb 13 10:51:08 2016 (r408782) @@ -0,0 +1,24 @@ +From 6dcbf5bd96b717c58d7b642949da8d323099928e Mon Sep 17 00:00:00 2001 +From: Eric Soroos <eric-github@soroos.net> +Date: Thu, 14 Jan 2016 04:59:19 -0800 +Subject: [PATCH] Fix for buffer overflow in TiffDecode.c CVE-2016-0740 + +--- + Tests/check_libtiff_segfault.py | 23 +++++++++++++++++++++++ + Tests/images/libtiff_segfault.tif | Bin 0 -> 262 bytes + libImaging/TiffDecode.c | 2 +- + 3 files changed, 24 insertions(+), 1 deletion(-) + create mode 100644 Tests/check_libtiff_segfault.py + create mode 100644 Tests/images/libtiff_segfault.tif + +--- libImaging/TiffDecode.c ++++ libImaging/TiffDecode.c +@@ -169,7 +169,7 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, int + char *filename = "tempfile.tif"; + char *mode = "r"; + TIFF *tiff; +- int size; ++ tsize_t size; + + + /* buffer is the encoded file, bytes is the length of the encoded file */ Added: head/graphics/py-pillow/files/patch-CVE-2016-0775 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/py-pillow/files/patch-CVE-2016-0775 Sat Feb 13 10:51:08 2016 (r408782) @@ -0,0 +1,24 @@ +From bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec Mon Sep 17 00:00:00 2001 +From: wiredfool <eric-github@soroos.net> +Date: Wed, 20 Jan 2016 22:37:28 +0000 +Subject: [PATCH] FLI overflow error fix and testcase CVE-2016-0775 + +--- + Tests/check_fli_overflow.py | 16 ++++++++++++++++ + Tests/images/fli_overflow.fli | Bin 0 -> 4645 bytes + libImaging/FliDecode.c | 2 +- + 3 files changed, 17 insertions(+), 1 deletion(-) + create mode 100644 Tests/check_fli_overflow.py + create mode 100644 Tests/images/fli_overflow.fli + +--- libImaging/FliDecode.c ++++ libImaging/FliDecode.c +@@ -185,7 +185,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) + /* COPY chunk */ + for (y = 0; y < state->ysize; y++) { + UINT8* buf = (UINT8*) im->image[y]; +- memcpy(buf+x, data, state->xsize); ++ memcpy(buf, data, state->xsize); + data += state->xsize; + } + break; Added: head/graphics/py-pillow/files/patch-libImaging-PcdDecode.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/py-pillow/files/patch-libImaging-PcdDecode.c Sat Feb 13 10:51:08 2016 (r408782) @@ -0,0 +1,33 @@ +From ae453aa18b66af54e7ff716f4ccb33adca60afd4 Mon Sep 17 00:00:00 2001 +From: wiredfool <eric-github@soroos.net> +Date: Tue, 2 Feb 2016 05:46:26 -0800 +Subject: [PATCH] PCD decoder overruns the shuffle buffer, Fixes #568 + +--- + Tests/images/hopper.pcd | Bin 0 -> 788480 bytes + Tests/test_file_pcd.py | 18 ++++++++++++++++++ + libImaging/PcdDecode.c | 4 ++-- + 3 files changed, 20 insertions(+), 2 deletions(-) + create mode 100644 Tests/images/hopper.pcd + create mode 100644 Tests/test_file_pcd.py + +--- libImaging/PcdDecode.c ++++ libImaging/PcdDecode.c +@@ -47,7 +47,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) + out[0] = ptr[x]; + out[1] = ptr[(x+4*state->xsize)/2]; + out[2] = ptr[(x+5*state->xsize)/2]; +- out += 4; ++ out += 3; + } + + state->shuffle((UINT8*) im->image[state->y], +@@ -62,7 +62,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) + out[0] = ptr[x+state->xsize]; + out[1] = ptr[(x+4*state->xsize)/2]; + out[2] = ptr[(x+5*state->xsize)/2]; +- out += 4; ++ out += 3; + } + + state->shuffle((UINT8*) im->image[state->y], Added: head/graphics/py-pillow/files/patch-libImaging-Resample.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/py-pillow/files/patch-libImaging-Resample.c Sat Feb 13 10:51:08 2016 (r408782) @@ -0,0 +1,35 @@ +From 41fae6d9e2da741d2c5464775c7f1a609ea03798 Mon Sep 17 00:00:00 2001 +From: Ned Williamson <nedwilliamson@gmail.com> +Date: Thu, 4 Feb 2016 01:54:12 -0500 +Subject: [PATCH] fix integer overflow in Resample.c + +--- + libImaging/Resample.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- libImaging/Resample.c ++++ libImaging/Resample.c +@@ -138,11 +138,23 @@ ImagingResampleHorizontal(Imaging imIn, int xsize, int filter) + /* maximum number of coofs */ + kmax = (int) ceil(support) * 2 + 1; + ++ // check for overflow ++ if (kmax > 0 && xsize > SIZE_MAX / kmax) ++ return (Imaging) ImagingError_MemoryError(); ++ ++ // sizeof(float) should be greater than 0 ++ if (xsize * kmax > SIZE_MAX / sizeof(float)) ++ return (Imaging) ImagingError_MemoryError(); ++ + /* coefficient buffer */ + kk = malloc(xsize * kmax * sizeof(float)); + if ( ! kk) + return (Imaging) ImagingError_MemoryError(); + ++ // sizeof(int) should be greater than 0 as well ++ if (xsize > SIZE_MAX / (2 * sizeof(int))) ++ return (Imaging) ImagingError_MemoryError(); ++ + xbounds = malloc(xsize * 2 * sizeof(int)); + if ( ! xbounds) { + free(kk);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201602131051.u1DAp8xB074901>