CaROS/meta-openembedded
3
1
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-01-01 13:58:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

python3-pillow: Security fix for CVE-2022-45198

Browse Source 
Fix for CVE-2022-45198: Improper Handling of Highly Compressed GIF Data
Backport from 884437f8a2

Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Shubham Kulkarni 2023-02-03 16:42:09 +05:30 committed by Armin Kuster
parent 1172ebfa20
commit eadcdb97d4
2 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
meta-python/recipes-devtools/python/python3-pillow/0001-CVE-2022-45198.patch Normal file
View File

@ -0,0 +1,26 @@
From 7df88fc2319852ace202a650703d631200080e3b Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:47:35 +1000
Subject: [PATCH] Added GIF decompression bomb check
Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/884437f8a2b953a0abd2a3b130a87fcfb438092e]
CVE: CVE-2022-45198
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
---
src/PIL/GifImagePlugin.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py
index 9d8e96f..c477fdd 100644
--- a/src/PIL/GifImagePlugin.py
+++ b/src/PIL/GifImagePlugin.py
@@ -238,6 +238,7 @@ class GifImageFile(ImageFile.ImageFile):
x1, y1 = x0 + i16(s[4:]), y0 + i16(s[6:])
if x1 > self.size[0] or y1 > self.size[1]:
self._size = max(x1, self.size[0]), max(y1, self.size[1])
+ Image._decompression_bomb_check(self._size)
self.dispose_extent = x0, y0, x1, y1
flags = i8(s[8])
--
2.7.4

1
meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb
View File

@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=55c0f320370091249c1755c0d2b48e89"
SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=6.2.x;protocol=https \
file://0001-support-cross-compiling.patch \
file://0001-explicitly-set-compile-options.patch \
file://0001-CVE-2022-45198.patch \
"
SRCREV ?= "6e0f07bbe38def22d36ee176b2efd9ea74b453a6"