Hello, I have prepared two security updates for pillow / python-imaging in Wheezy and Jessie. Debdiffs are attached. Please let me know if I shall upload the new revisions.
Regards, Markus
diff -Nru pillow-2.6.1/debian/changelog pillow-2.6.1/debian/changelog
--- pillow-2.6.1/debian/changelog 2015-03-08 13:00:04.000000000 +0100
+++ pillow-2.6.1/debian/changelog 2016-02-21 16:07:36.000000000 +0100
@@ -1,3 +1,13 @@
+pillow (2.6.1-2+deb8u1) jessie-security; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2016-0775:
+ Fix buffer overflow in FliDecode.c (Closes: #813909)
+ * Fix buffer overflow in PcdDecode.c. No CVE identifier has been
+ assigned yet.
+
+ -- Markus Koschany <a...@debian.org> Sun, 21 Feb 2016 16:01:22 +0100
+
 pillow (2.6.1-2) unstable; urgency=medium
 
 * Fix potential PNG decompression DOS. Closes: #776303. CVE-2014-9601.
diff -Nru pillow-2.6.1/debian/patches/CVE-2016-0775.patch pillow-2.6.1/debian/patches/CVE-2016-0775.patch
--- pillow-2.6.1/debian/patches/CVE-2016-0775.patch 1970-01-01 01:00:00.000000000 +0100
+++ pillow-2.6.1/debian/patches/CVE-2016-0775.patch 2016-02-21 16:07:36.000000000 +0100
@@ -0,0 +1,49 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sun, 21 Feb 2016 15:56:11 +0100
+Subject: CVE-2016-0775
+
+Fix buffer overflow in FliDecode.c.
+
+Origin: https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec
+Debian-Bug: https://bugs.debian.org/813909
+---
+ Tests/check_fli_overflow.py | 16 ++++++++++++++++
+ libImaging/FliDecode.c | 2 +-
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+ create mode 100644 Tests/check_fli_overflow.py
+
+diff --git a/Tests/check_fli_overflow.py b/Tests/check_fli_overflow.py
+new file mode 100644
+index 0000000..d89a827
+--- /dev/null
++++ b/Tests/check_fli_overflow.py
+@@ -0,0 +1,16 @@
++from helper import unittest, PillowTestCase
++from PIL import Image
++
++TEST_FILE = "Tests/images/fli_overflow.fli"
++
++
++class TestFliOverflow(PillowTestCase):
++ def test_fli_overflow(self):
++
++ # this should not crash with a malloc error or access violation
++ im = Image.open(TEST_FILE)
++ im.load()
++
++
++if __name__ == '__main__':
++ unittest.main()
+diff --git a/libImaging/FliDecode.c b/libImaging/FliDecode.c
+index 75eebe8..6d22c6c 100644
+--- a/libImaging/FliDecode.c
++++ b/libImaging/FliDecode.c
+@@ -185,7 +185,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ /* COPY chunk */
+ for (y = 0; y < state->ysize; y++) {
+ UINT8* buf = (UINT8*) im->image[y];
+- memcpy(buf+x, data, state->xsize);
++ memcpy(buf, data, state->xsize);
+ data += state->xsize;
+ }
+ break;
diff -Nru pillow-2.6.1/debian/patches/PcdDecode.patch pillow-2.6.1/debian/patches/PcdDecode.patch
--- pillow-2.6.1/debian/patches/PcdDecode.patch 1970-01-01 01:00:00.000000000 +0100
+++ pillow-2.6.1/debian/patches/PcdDecode.patch 2016-02-21 16:07:36.000000000 +0100
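Review bot: The COPY-chunk loop in ImagingFliDecode still advances `data` by `state->xsize` on every row with no visible check that the input holds `xsize * ysize` more bytes. Dropping the stale `x` offset in `memcpy(buf, data, state->xsize)` bounds the write to the row, but as far as the hunk shows a truncated FLI frame could still take the read past the end of the supplied buffer. The function body starts and ends outside the hunk, so an earlier length check may exist; if it does not, a guard before the loop such as `if ((long)state->xsize * state->ysize > remaining) { state->errcode = IMAGING_CODEC_OVERRUN; return -1; }` would close it, with `remaining` standing for however the decoder tracks the bytes left in the chunk. The same applies to the identical hunk for python-imaging-1.1.7/libImaging/FliDecode.c in the Wheezy debdiff.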
@@ -0,0 +1,60 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sun, 21 Feb 2016 15:56:33 +0100
+Subject: PcdDecode
+
+Fix buffer overflow in PcdDecode.c.
+
+Origin: https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4
+Debian-Bug: https://bugs.debian.org/813909
+---
+ Tests/test_file_pcd.py | 18 ++++++++++++++++++
+ libImaging/PcdDecode.c | 4 ++--
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 Tests/test_file_pcd.py
+
+diff --git a/Tests/test_file_pcd.py b/Tests/test_file_pcd.py
+new file mode 100644
+index 0000000..2401e70
+--- /dev/null
++++ b/Tests/test_file_pcd.py
+@@ -0,0 +1,18 @@
++from helper import unittest, PillowTestCase, hopper
++from PIL import Image
++
++class TestFilePcd(PillowTestCase):
++
++ def test_load_raw(self):
++ im = Image.open('Tests/images/hopper.pcd')
++ im.load() # should not segfault.
++
++ # Note that this image was created with a resized hopper
++ # image, which was then converted to pcd with imagemagick
++ # and the colors are wonky in Pillow. It's unclear if this
++ # is a pillow or a convert issue, as other images not generated
++ # from convert look find on pillow and not imagemagick.
++
++ #target = hopper().resize((768,512))
++ #self.assert_image_similar(im, target, 10)
++
+diff --git a/libImaging/PcdDecode.c b/libImaging/PcdDecode.c
+index fb6adc6..f923438 100644
+--- a/libImaging/PcdDecode.c
++++ b/libImaging/PcdDecode.c
+@@ -47,7 +47,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ out[0] = ptr[x];
+ out[1] = ptr[(x+4*state->xsize)/2];
+ out[2] = ptr[(x+5*state->xsize)/2];
+- out += 4;
++ out += 3;
+ }
+
+ state->shuffle((UINT8*) im->image[state->y],
+@@ -62,7 +62,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ out[0] = ptr[x+state->xsize];
+ out[1] = ptr[(x+4*state->xsize)/2];
+ out[2] = ptr[(x+5*state->xsize)/2];
+- out += 4;
++ out += 3;
+ }
+
+ state->shuffle((UINT8*) im->image[state->y],
diff -Nru pillow-2.6.1/debian/patches/series pillow-2.6.1/debian/patches/series
--- pillow-2.6.1/debian/patches/series 2015-03-08 12:41:10.000000000 +0100
+++ pillow-2.6.1/debian/patches/series 2016-02-21 16:07:36.000000000 +0100
@@ -2,3 +2,5 @@
 toplevel-setup.py
 generate-webp-file
 issue1060.diff
+CVE-2016-0775.patch
+PcdDecode.patch
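Review bot: Neither `out += 3` hunk in ImagingPcdDecode records why three is the correct stride, which is the very fact that was wrong before. A comment above each loop such as `/* state->buffer holds 3 bytes per pixel (Y, Cb, Cr); keep this stride in step with the unpacker */` would document the invariant, assuming the buffer really is sized at three bytes per pixel, which the hunks do not show. The accompanying test_load_raw only calls `im.load()` with its image comparison commented out, so it catches a regression only if the overflow happens to crash; running it under a memory checker at build time, or asserting on `im.size` and `im.mode`, would give a firmer signal. The function continues outside both hunks, and the same two hunks recur for python-imaging-1.1.7/libImaging/PcdDecode.c in the Wheezy debdiff.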
diff -u python-imaging-1.1.7/debian/changelog python-imaging-1.1.7/debian/changelog
--- python-imaging-1.1.7/debian/changelog
+++ python-imaging-1.1.7/debian/changelog
@@ -1,3 +1,13 @@
+python-imaging (1.1.7-4+deb7u2) wheezy-security; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2016-0775:
+ Fix buffer overflow in FliDecode.c (Closes: #813909)
+ * Fix buffer overflow in PcdDecode.c. No CVE identifier has been
+ assigned yet.
+
+ -- Markus Koschany <a...@debian.org> Sun, 21 Feb 2016 15:19:35 +0100
+
 python-imaging (1.1.7-4+deb7u1) wheezy-security; urgency=low
 
 * CVE-2014-3589
only in patch2: unchanged:
--- python-imaging-1.1.7.orig/libImaging/FliDecode.c
+++ python-imaging-1.1.7/libImaging/FliDecode.c
@@ -185,7 +185,7 @@
 /* COPY chunk */
 for (y = 0; y < state->ysize; y++) {
 UINT8* buf = (UINT8*) im->image[y];
- memcpy(buf+x, data, state->xsize);
+ memcpy(buf, data, state->xsize);
 data += state->xsize;
 }
 break;
only in patch2: unchanged:
--- python-imaging-1.1.7.orig/libImaging/PcdDecode.c
+++ python-imaging-1.1.7/libImaging/PcdDecode.c
@@ -47,7 +47,7 @@
 out[0] = ptr[x];
 out[1] = ptr[(x+4*state->xsize)/2];
 out[2] = ptr[(x+5*state->xsize)/2];
- out += 4;
+ out += 3;
 }
 
 state->shuffle((UINT8*) im->image[state->y],
@@ -62,7 +62,7 @@
 out[0] = ptr[x+state->xsize];
 out[1] = ptr[(x+4*state->xsize)/2];
 out[2] = ptr[(x+5*state->xsize)/2];
- out += 4;
+ out += 3;
 }
 
 state->shuffle((UINT8*) im->image[state->y],
only in patch2: unchanged:
--- python-imaging-1.1.7.orig/Tests/check_fli_overflow.py
+++ python-imaging-1.1.7/Tests/check_fli_overflow.py
@@ -0,0 +1,16 @@
+from helper import unittest, PillowTestCase
+from PIL import Image
+
+TEST_FILE = "Tests/images/fli_overflow.fli"
+
+
+class TestFliOverflow(PillowTestCase):
+ def test_fli_overflow(self):
+
+ # this should not crash with a malloc error or access violation
+ im = Image.open(TEST_FILE)
+ im.load()
+
+
+if __name__ == '__main__':
+ unittest.main()
only in patch2: unchanged:
--- python-imaging-1.1.7.orig/Tests/test_file_pcd.py
+++ python-imaging-1.1.7/Tests/test_file_pcd.py
@@ -0,0 +1,18 @@
+from helper import unittest, PillowTestCase, hopper
+from PIL import Image
+
+class TestFilePcd(PillowTestCase):
+
+ def test_load_raw(self):
+ im = Image.open('Tests/images/hopper.pcd')
+ im.load() # should not segfault.
+
+ # Note that this image was created with a resized hopper
+ # image, which was then converted to pcd with imagemagick
+ # and the colors are wonky in Pillow. It's unclear if this
+ # is a pillow or a convert issue, as other images not generated
+ # from convert look find on pillow and not imagemagick.
+
+ #target = hopper().resize((768,512))
+ #self.assert_image_similar(im, target, 10)
+
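Review bot: Both new test modules open image fixtures (`Tests/images/fli_overflow.fli`, `Tests/images/hopper.pcd`) that no part of this debdiff adds, so unless the files are shipped separately the tests fail at `Image.open` before they reach the decoder. They also import `unittest` and `PillowTestCase` from `helper`, which nothing visible here provides for python-imaging 1.1.7; it is worth confirming that module exists in that tree, or deriving from `unittest.TestCase` directly. The fixture question applies equally to the copies of these tests inside the Jessie patches. In test_file_pcd.py the comment text `look find` should read `look fine`.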