[python-pillow/f19] Fix CVE-2014-3007, CVE-2014-1933 followup
Sandro Mani
smani at fedoraproject.org
Wed Nov 12 16:50:26 UTC 2014
commit 49d1f690948d962c363bbe10487bbda25db97f31
Author: Sandro Mani <manisandro at gmail.com>
Date: Wed Nov 12 17:50:09 2014 +0100
Fix CVE-2014-3007, CVE-2014-1933 followup
python-pillow-archs.patch | 7 ++--
python-pillow.spec | 9 ++++-
python-pillow_CVE-2014-1933.patch | 39 ++++++++++++++------
python-pillow_CVE-2014-3007.patch | 72 +++++++++++++++++++++++++++++++++++++
python-pillow_CVE-2014-3589.patch | 21 ++---------
python-pillow_bytearray.patch | 2 +-
python-pillow_endian.patch | 6 ++-
7 files changed, 121 insertions(+), 35 deletions(-)
---
diff --git a/python-pillow-archs.patch b/python-pillow-archs.patch
index 465dadf..2fae31a 100644
--- a/python-pillow-archs.patch
+++ b/python-pillow-archs.patch
@@ -1,6 +1,7 @@
-diff -rupN python-imaging-Pillow-2f4207c/setup.py python-imaging-Pillow-2f4207c-new/setup.py
---- python-imaging-Pillow-2f4207c/setup.py 2013-03-18 22:22:00.000000000 +0100
-+++ python-imaging-Pillow-2f4207c-new/setup.py 2013-03-19 00:58:58.629486821 +0100
+diff --git a/setup.py b/setup.py
+index 65b8b1e..dab01f4 100644
+--- a/setup.py
++++ b/setup.py
@@ -138,6 +138,30 @@ class pil_build_ext(build_ext):
elif platform_ in ["i386", "i686", "32bit"]:
_add_directory(library_dirs, "/usr/lib/i386-linux-gnu")
diff --git a/python-pillow.spec b/python-pillow.spec
index 0f16eef..e30919a 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -23,7 +23,7 @@
Name: python-pillow
Version: 2.0.0
-Release: 15%{?snap}%{?dist}
+Release: 16%{?snap}%{?dist}
Summary: Python image processing library
# License: see http://www.pythonware.com/products/pil/license.htm
@@ -44,6 +44,9 @@ Patch2: python-pillow_bytearray.patch
Patch3: python-pillow_CVE-2014-1933.patch
# Backport patch for CVE-2014-3589
Patch4: python-pillow_CVE-2014-3589.patch
+# Backport patch for CVE-2014-3007
+Patch5: python-pillow_CVE-2014-3007.patch
+
BuildRequires: python2-devel
BuildRequires: python-setuptools
@@ -212,6 +215,7 @@ PIL image wrapper for Qt.
%patch2 -p1 -b .bytearray
%patch3 -p1
%patch4 -p1
+%patch5 -p1
%if %{with_python3}
# Create Python 3 source tree
@@ -369,6 +373,9 @@ popd
%endif
%changelog
+* Wed Nov 12 2014 Sandro Mani <manisandro at gmail.com> - 2.0.0-16.gitd1c6db8
+- Fix CVE-2014-3007 (rhbz #1163343), update CVE-2014-1933 to fix one more mktemp usage
+
* Mon Nov 10 2014 Sandro Mani <manisandro at gmail.com> - 2.0.0-15.gitd1c6db8
- CVE-2014-1933 followup (https://github.com/python-pillow/Pillow/pull/605)
diff --git a/python-pillow_CVE-2014-1933.patch b/python-pillow_CVE-2014-1933.patch
index 260f859..4730da2 100644
--- a/python-pillow_CVE-2014-1933.patch
+++ b/python-pillow_CVE-2014-1933.patch
@@ -1,6 +1,21 @@
-diff -rupN python-imaging-Pillow-d1c6db8/PIL/Image.py python-imaging-Pillow-d1c6db8-new/PIL/Image.py
---- python-imaging-Pillow-d1c6db8/PIL/Image.py 2013-04-19 02:11:52.000000000 +0200
-+++ python-imaging-Pillow-d1c6db8-new/PIL/Image.py 2014-04-22 13:45:51.717681776 +0200
+diff --git a/PIL/EpsImagePlugin.py b/PIL/EpsImagePlugin.py
+index bc0ed43..e09f4bd 100644
+--- a/PIL/EpsImagePlugin.py
++++ b/PIL/EpsImagePlugin.py
+@@ -59,7 +59,8 @@ def Ghostscript(tile, size, fp):
+
+ import tempfile, os
+
+- file = tempfile.mktemp()
++ fd, file = tempfile.mkstemp()
++ os.close(fd)
+
+ # Build ghostscript command
+ command = ["gs",
+diff --git a/PIL/Image.py b/PIL/Image.py
+index 72d15e2..f079bd9 100644
+--- a/PIL/Image.py
++++ b/PIL/Image.py
@@ -484,14 +484,20 @@ class Image:
self.readonly = 0
@@ -25,10 +40,11 @@ diff -rupN python-imaging-Pillow-d1c6db8/PIL/Image.py python-imaging-Pillow-d1c6
self.save(file, format)
return file
-diff -rupN python-imaging-Pillow-d1c6db8/PIL/IptcImagePlugin.py python-imaging-Pillow-d1c6db8-new/PIL/IptcImagePlugin.py
---- python-imaging-Pillow-d1c6db8/PIL/IptcImagePlugin.py 2013-04-19 02:11:52.000000000 +0200
-+++ python-imaging-Pillow-d1c6db8-new/PIL/IptcImagePlugin.py 2014-04-22 13:44:15.887112401 +0200
-@@ -172,8 +172,8 @@ class IptcImageFile(ImageFile.ImageFile)
+diff --git a/PIL/IptcImagePlugin.py b/PIL/IptcImagePlugin.py
+index 02e3360..708a483 100644
+--- a/PIL/IptcImagePlugin.py
++++ b/PIL/IptcImagePlugin.py
+@@ -172,8 +172,8 @@ class IptcImageFile(ImageFile.ImageFile):
self.fp.seek(offset)
# Copy image data to temporary file
@@ -39,10 +55,11 @@ diff -rupN python-imaging-Pillow-d1c6db8/PIL/IptcImagePlugin.py python-imaging-P
if encoding == "raw":
# To simplify access to the extracted file,
# prepend a PPM header
-diff -rupN python-imaging-Pillow-d1c6db8/PIL/JpegImagePlugin.py python-imaging-Pillow-d1c6db8-new/PIL/JpegImagePlugin.py
---- python-imaging-Pillow-d1c6db8/PIL/JpegImagePlugin.py 2013-04-19 02:11:52.000000000 +0200
-+++ python-imaging-Pillow-d1c6db8-new/PIL/JpegImagePlugin.py 2014-04-22 13:44:15.887112401 +0200
-@@ -343,13 +343,17 @@ class JpegImageFile(ImageFile.ImageFile)
+diff --git a/PIL/JpegImagePlugin.py b/PIL/JpegImagePlugin.py
+index 1c260dd..d00d675 100644
+--- a/PIL/JpegImagePlugin.py
++++ b/PIL/JpegImagePlugin.py
+@@ -343,13 +343,17 @@ class JpegImageFile(ImageFile.ImageFile):
# ALTERNATIVE: handle JPEGs via the IJG command line utilities
import tempfile, os
diff --git a/python-pillow_CVE-2014-3007.patch b/python-pillow_CVE-2014-3007.patch
new file mode 100644
index 0000000..e2b7560
--- /dev/null
+++ b/python-pillow_CVE-2014-3007.patch
@@ -0,0 +1,72 @@
+diff --git a/PIL/GifImagePlugin.py b/PIL/GifImagePlugin.py
+index fc2b95e..a55f5a7 100644
+--- a/PIL/GifImagePlugin.py
++++ b/PIL/GifImagePlugin.py
+@@ -312,13 +312,36 @@ def _save_netpbm(im, fp, filename):
+ # below for information on how to enable this.
+
+ import os
++ from subprocess import Popen, check_call, PIPE, CalledProcessError
+ file = im._dump()
+ if im.mode != "RGB":
+- os.system("ppmtogif %s >%s" % (file, filename))
++ with open(filename, 'wb') as f:
++ check_call(["ppmtogif", file], stdout=f)
+ else:
+- os.system("ppmquant 256 %s | ppmtogif >%s" % (file, filename))
+- try: os.unlink(file)
+- except: pass
++ with open(filename, 'wb') as f:
++
++ # Pipe ppmquant output into ppmtogif
++ # "ppmquant 256 %s | ppmtogif > %s" % (file, filename)
++ quant_cmd = ["ppmquant", "256", file]
++ togif_cmd = ["ppmtogif"]
++ quant_proc = Popen(quant_cmd, stdout=PIPE)
++ togif_proc = Popen(togif_cmd, stdin=quant_proc.stdout, stdout=f)
++
++ # Allow ppmquant to receive SIGPIPE if ppmtogif exits
++ quant_proc.stdout.close()
++
++ retcode = quant_proc.wait()
++ if retcode:
++ raise CalledProcessError(retcode, quant_cmd)
++
++ retcode = togif_proc.wait()
++ if retcode:
++ raise CalledProcessError(retcode, togif_cmd)
++
++ try:
++ os.unlink(file)
++ except:
++ pass
+
+
+ # --------------------------------------------------------------------
+diff --git a/PIL/JpegImagePlugin.py b/PIL/JpegImagePlugin.py
+index d00d675..284acf7 100644
+--- a/PIL/JpegImagePlugin.py
++++ b/PIL/JpegImagePlugin.py
+@@ -346,7 +346,8 @@ class JpegImageFile(ImageFile.ImageFile):
+ f, path = tempfile.mkstemp()
+ os.close(f)
+ if os.path.exists(self.filename):
+- os.system("djpeg '%s' >'%s'" % (self.filename, path))
++ with open(path, 'wb') as f:
++ subprocess.check_call(["djpeg", self.filename], stdout=f)
+ else:
+ raise ValueError("Invalid Filename")
+
+@@ -571,8 +572,10 @@ def _save(im, fp, filename):
+ def _save_cjpeg(im, fp, filename):
+ # ALTERNATIVE: handle JPEGs via the IJG command line utilities.
+ import os
+- file = im._dump()
+- os.system("cjpeg %s >%s" % (file, filename))
++ import subprocess
++ tempfile = im._dump()
++ with open(filename, 'wb') as f:
++ subprocess.check_call(["cjpeg", tempfile], stdout=f)
+ try: os.unlink(file)
+ except: pass
+
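Review bot: In the `_save_cjpeg` hunk the dump path is now bound to `tempfile` (`tempfile = im._dump()`) but the unchanged cleanup line below still reads `os.unlink(file)`, so `file` is the Python 2 builtin type (or undefined on Python 3), the resulting TypeError/NameError is swallowed by the bare `except: pass`, and the dumped temporary file is never removed. The cleanup should become `try: os.unlink(tempfile)`, and a name such as `dump_path` instead of `tempfile` would avoid shadowing the `tempfile` module. The `load_djpeg` hunk calls `subprocess.check_call`, yet the method's visible imports (`import tempfile, os` in the CVE-2014-1933 patch context just above this hunk) do not include `subprocess`; unless it is imported at module level in this tree, which the hunk does not show, that call raises NameError, so adding `import subprocess` next to the existing import is worth confirming. In the `_save_netpbm` pipeline, if the second `Popen` raises (for example when ppmtogif is missing) the first child is left running with its stdout pipe open, so waiting on `quant_proc` in a `finally` would close that gap. The bare `except: pass` around `os.unlink` in both files would be better narrowed to `except OSError: pass` so unrelated errors are not hidden.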
diff --git a/python-pillow_CVE-2014-3589.patch b/python-pillow_CVE-2014-3589.patch
index d3d2e14..3ccdacc 100644
--- a/python-pillow_CVE-2014-3589.patch
+++ b/python-pillow_CVE-2014-3589.patch
@@ -1,6 +1,7 @@
-diff -rupN python-imaging-Pillow-3c2496e/PIL/IcnsImagePlugin.py python-imaging-Pillow-3c2496e-new/PIL/IcnsImagePlugin.py
---- python-imaging-Pillow-3c2496e/PIL/IcnsImagePlugin.py 2013-10-02 19:07:32.000000000 +0200
-+++ python-imaging-Pillow-3c2496e-new/PIL/IcnsImagePlugin.py 2014-08-17 01:04:32.377879291 +0200
+diff --git a/PIL/IcnsImagePlugin.py b/PIL/IcnsImagePlugin.py
+index 8fac130..8df0723 100644
+--- a/PIL/IcnsImagePlugin.py
++++ b/PIL/IcnsImagePlugin.py
@@ -120,6 +120,8 @@ class IcnsFile:
i = HEADERSIZE
while i < filesize:
@@ -10,17 +11,3 @@ diff -rupN python-imaging-Pillow-3c2496e/PIL/IcnsImagePlugin.py python-imaging-P
i = i + HEADERSIZE
blocksize = blocksize - HEADERSIZE
dct[sig] = (i, blocksize)
-diff -rupN python-imaging-Pillow-3c2496e/Tests/check_icns_dos.py python-imaging-Pillow-3c2496e-new/Tests/check_icns_dos.py
---- python-imaging-Pillow-3c2496e/Tests/check_icns_dos.py 1970-01-01 01:00:00.000000000 +0100
-+++ python-imaging-Pillow-3c2496e-new/Tests/check_icns_dos.py 2014-08-17 01:03:45.016879619 +0200
-@@ -0,0 +1,10 @@
-+# Tests potential DOS of IcnsImagePlugin with 0 length block.
-+# Run from anywhere that PIL is importable.
-+
-+from PIL import Image
-+from io import BytesIO
-+
-+if bytes is str:
-+ Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00')))
-+else:
-+ Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00', 'latin-1')))
diff --git a/python-pillow_bytearray.patch b/python-pillow_bytearray.patch
index 1b8d2f0..21f0e5c 100644
--- a/python-pillow_bytearray.patch
+++ b/python-pillow_bytearray.patch
@@ -1,5 +1,5 @@
diff --git a/PIL/Image.py b/PIL/Image.py
-index cafc5a2..794ee49 100644
+index cafc5a2..72d15e2 100644
--- a/PIL/Image.py
+++ b/PIL/Image.py
@@ -718,7 +718,7 @@ class Image:
diff --git a/python-pillow_endian.patch b/python-pillow_endian.patch
index 20e4dd7..5e4af21 100644
--- a/python-pillow_endian.patch
+++ b/python-pillow_endian.patch
@@ -1,5 +1,7 @@
---- python-imaging-Pillow-d1c6db8/Tests/test_numpy.py 2013-04-19 02:11:52.000000000 +0200
-+++ python-imaging-Pillow-d1c6db8/Tests/test_numpy.py 2013-05-07 23:50:38.425987793 +0200
+diff --git a/Tests/test_numpy.py b/Tests/test_numpy.py
+index 3253c2b..5f8097e 100644
+--- a/Tests/test_numpy.py
++++ b/Tests/test_numpy.py
@@ -41,7 +41,10 @@ def test_numpy_to_image():
assert_exception(TypeError, lambda: to_image(numpy.uint64))