Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package pillow. 8.1.2+dfsg-0.3 includes the fix for CVE-2021-34552.

unblock pillow/8.1.2+dfsg-0.3
diffstat for pillow-8.1.2+dfsg pillow-8.1.2+dfsg changelog | 8 ++++++++ patches/CVE-2021-34552.patch | 40 ++++++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 49 insertions(+)
diff -Nru pillow-8.1.2+dfsg/debian/changelog pillow-8.1.2+dfsg/debian/changelog
--- pillow-8.1.2+dfsg/debian/changelog 2021-06-13 17:11:04.000000000 +0100
+++ pillow-8.1.2+dfsg/debian/changelog 2021-07-19 09:52:20.000000000 +0100
@@ -1,3 +1,11 @@
+pillow (8.1.2+dfsg-0.3) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2021-34552 - Replace sprintf with snprintf. Backport upstream change
+ from 8.3 to 8.1.
+
+ -- Neil Williams <codeh...@debian.org> Mon, 19 Jul 2021 09:52:20 +0100
+
 pillow (8.1.2+dfsg-0.2) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru pillow-8.1.2+dfsg/debian/patches/CVE-2021-34552.patch pillow-8.1.2+dfsg/debian/patches/CVE-2021-34552.patch
--- pillow-8.1.2+dfsg/debian/patches/CVE-2021-34552.patch 1970-01-01 01:00:00.000000000 +0100
+++ pillow-8.1.2+dfsg/debian/patches/CVE-2021-34552.patch 2021-07-19 09:51:59.000000000 +0100
@@ -0,0 +1,40 @@
+From 5f4504bb03f4edeeef8c2633dc5ba03a4c2a8a97 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarh...@users.noreply.github.com>
+Date: Tue, 15 Jun 2021 15:14:26 +1000
+Subject: [PATCH 1/2] Limit sprintf modes to 10 characters
+
+From 518ee3722a99d7f7d890db82a20bd81c1c0327fb Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarh...@users.noreply.github.com>
+Date: Wed, 30 Jun 2021 23:47:10 +1000
+Subject: [PATCH 2/2] Use snprintf instead of sprintf
+
+* https://github.com/python-pillow/Pillow/pull/5567/files
+* Replace sprintf with snprintf in src/libImaging/Convert.c
+
+---
+--- a/src/libImaging/Convert.c
++++ b/src/libImaging/Convert.c
+@@ -1664,9 +1664,8 @@
+ #ifdef notdef
+ return (Imaging) ImagingError_ValueError("conversion not supported");
+ #else
+- static char buf[256];
+- /* FIXME: may overflow if mode is too large */
+- sprintf(buf, "conversion from %s to %s not supported", imIn->mode, mode);
++ static char buf[100];
++ snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode);
+ return (Imaging) ImagingError_ValueError(buf);
+ #endif
+ }
+@@ -1724,9 +1723,8 @@
+ }
+ #else
+ {
+- static char buf[256];
+- /* FIXME: may overflow if mode is too large */
+- sprintf(buf, "conversion from %s to %s not supported in convert_transparent", imIn->mode, mode);
++ static char buf[100];
++ snprintf(buf, 100, "conversion from %.10s to %.10s not supported in convert_transparent", imIn->mode, mode);
+ return (Imaging) ImagingError_ValueError(buf);
+ }
+ #endif
diff -Nru pillow-8.1.2+dfsg/debian/patches/series pillow-8.1.2+dfsg/debian/patches/series
--- pillow-8.1.2+dfsg/debian/patches/series 2021-06-13 17:10:51.000000000 +0100
+++ pillow-8.1.2+dfsg/debian/patches/series 2021-07-19 09:45:27.000000000 +0100
@@ -7,3 +7,4 @@
 CVE-2021-28676.patch
 CVE-2021-28677.patch
 CVE-2021-28678.patch
+CVE-2021-34552.patch
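Review bot: In both rewritten error paths of the embedded Convert.c patch the buffer size is spelled twice (`static char buf[100];` followed by `snprintf(buf, 100, ...)`), so a later resize of one without the other would reintroduce the very mismatch CVE-2021-34552 is about; `snprintf(buf, sizeof buf, "conversion from %.10s to %.10s not supported", imIn->mode, mode);` ties the bound to the declaration, and the same applies to the convert_transparent hunk. With `%.10s` on both mode strings the longest message is 77 bytes, so the 100-byte buffer never truncates today, but that margin is only implicit — a comment such as `/* %.10s caps each mode name; worst case is 77 chars, well inside buf */` would record why 100 is enough. The buffer stays `static` as before (presumably because ImagingError_ValueError keeps the pointer), so the message is still shared across calls and overwritten by the next failing conversion; that is pre-existing rather than a regression of this backport, but worth stating in the patch header so it is not mistaken for one. Both enclosing functions begin outside the hunks.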