On Tue, 20 Jul 2021 06:36:44 +0100 Neil Williams <codeh...@debian.org> wrote:
> This has been fixed upstream in version 8.3. The upstream fix can be
> backported to 8.1 in unstable.
>
> This is a tracking bug to ease migration of pillow into bullseye.
>
> I have an upload ready for unstable.

Attaching the debdiff for this fix ahead of upload to unstable.

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/
diffstat for pillow-8.1.2+dfsg pillow-8.1.2+dfsg changelog | 8 ++++++++ patches/CVE-2021-34552.patch | 40 ++++++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 49 insertions(+) diff -Nru pillow-8.1.2+dfsg/debian/changelog pillow-8.1.2+dfsg/debian/changelog --- pillow-8.1.2+dfsg/debian/changelog 2021-06-13 17:11:04.000000000 +0100 +++ pillow-8.1.2+dfsg/debian/changelog 2021-07-20 06:42:31.000000000 +0100 @@ -1,3 +1,11 @@ +pillow (8.1.2+dfsg-0.3) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix "CVE-2021-34552 - buffer overflow in Convert.c. Replace sprintf with + snprintf. Backport upstream change from 8.3 to 8.1. (Closes: #991293) + + -- Neil Williams <codeh...@debian.org> Tue, 20 Jul 2021 06:42:31 +0100 + pillow (8.1.2+dfsg-0.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru pillow-8.1.2+dfsg/debian/patches/CVE-2021-34552.patch pillow-8.1.2+dfsg/debian/patches/CVE-2021-34552.patch --- pillow-8.1.2+dfsg/debian/patches/CVE-2021-34552.patch 1970-01-01 01:00:00.000000000 +0100 +++ pillow-8.1.2+dfsg/debian/patches/CVE-2021-34552.patch 2021-07-19 09:51:59.000000000 +0100 
@@ -0,0 +1,40 @@ +From 5f4504bb03f4edeeef8c2633dc5ba03a4c2a8a97 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarh...@users.noreply.github.com> +Date: Tue, 15 Jun 2021 15:14:26 +1000 +Subject: [PATCH 1/2] Limit sprintf modes to 10 characters + +From 518ee3722a99d7f7d890db82a20bd81c1c0327fb Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarh...@users.noreply.github.com> +Date: Wed, 30 Jun 2021 23:47:10 +1000 +Subject: [PATCH 2/2] Use snprintf instead of sprintf + +* https://github.com/python-pillow/Pillow/pull/5567/files +* Replace sprintf with snprintf in src/libImaging/Convert.c + +--- +--- a/src/libImaging/Convert.c ++++ b/src/libImaging/Convert.c +@@ -1664,9 +1664,8 @@ + #ifdef notdef + return (Imaging) ImagingError_ValueError("conversion not supported"); + #else +- static char buf[256]; +- /* FIXME: may overflow if mode is too large */ +- sprintf(buf, "conversion from %s to %s not supported", imIn->mode, mode); ++ static char buf[100]; ++ snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode); + return (Imaging) ImagingError_ValueError(buf); + #endif + } +@@ -1724,9 +1723,8 @@ + } + #else + { +- static char buf[256]; +- /* FIXME: may overflow if mode is too large */ +- sprintf(buf, "conversion from %s to %s not supported in convert_transparent", imIn->mode, mode); ++ static char buf[100]; ++ snprintf(buf, 100, "conversion from %.10s to %.10s not supported in convert_transparent", imIn->mode, mode); + return (Imaging) ImagingError_ValueError(buf); + } + #endif diff -Nru pillow-8.1.2+dfsg/debian/patches/series pillow-8.1.2+dfsg/debian/patches/series --- pillow-8.1.2+dfsg/debian/patches/series 2021-06-13 17:10:51.000000000 +0100 +++ pillow-8.1.2+dfsg/debian/patches/series 2021-07-19 09:45:27.000000000 +0100 @@ -7,3 +7,4 @@ CVE-2021-28676.patch CVE-2021-28677.patch CVE-2021-28678.patch +CVE-2021-34552.patch
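Review bot: the changelog hunk opens a double quote in `* Fix "CVE-2021-34552 - buffer overflow in Convert.c.` that is never closed; drop the quote or rephrase the entry, e.g. `* Fix CVE-2021-34552: buffer overflow in Convert.c. Replace sprintf with snprintf.` so the entry reads cleanly in the changelog. `urgency=high` and `(Closes: #991293)` are the right choices for a security NMU.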
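Review bot: in the first Convert.c hunk the buffer size is written twice as a literal, in `static char buf[100];` and in `snprintf(buf, 100, ...)`; passing `sizeof(buf)` as the bound keeps the two from drifting apart if the buffer is resized again. The patch file also carries the two upstream commit headers but no DEP-3 fields; adding `Origin:` (the PR URL is already in the body) and `Bug-Debian:` lines makes the provenance machine-readable for the next backporter. The `static` buffer shared between callers predates this change and is out of scope for a security backport.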
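Review bot: worth recording why the bound holds in the second Convert.c hunk, since the removed `/* FIXME: may overflow if mode is too large */` comment is not replaced by anything: with both `%.10s` precisions the longest possible message is "conversion from " (16) + 10 + " to " (4) + 10 + " not supported in convert_transparent" (37), i.e. 77 characters plus the terminator, so `buf[100]` can never truncate and the `%.10s` precision is the only thing that shortens the text. Mode names longer than 10 characters are cut in the diagnostic, which is acceptable for an error string, but a one-line comment stating the maximum length would save the next reader the arithmetic.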