From: Soumya Sambu <[email protected]>

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-28219
https://security-tracker.debian.org/tracker/CVE-2024-28219

Upstream patch: https://github.com/python-pillow/Pillow/commit/2a93aba5cfcf6e241ab4f9392c13e3b74032c061

Signed-off-by: Soumya Sambu <[email protected]>
---
 .../python3-pillow/CVE-2024-28219.patch | 43 +++++++++++++++++++
 .../python/python3-pillow_9.4.0.bb | 1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-pillow/CVE-2024-28219.patch

diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2024-28219.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2024-28219.patch
new file mode 100644
index 0000000000..3509b108eb
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2024-28219.patch
@@ -0,0 +1,43 @@ +From 2a93aba5cfcf6e241ab4f9392c13e3b74032c061 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <[email protected]> +Date: Thu, 22 Feb 2024 18:56:26 +1100 +Subject: [PATCH] Use strncpy to avoid buffer overflow + +CVE: CVE-2024-28219 + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/2a93aba5cfcf6e241ab4f9392c13e3b74032c061] + +Signed-off-by: Soumya Sambu <[email protected]> +--- + src/_imagingcms.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/_imagingcms.c b/src/_imagingcms.c +index 9b5a121d7..b839f09f0 100644 +--- a/src/_imagingcms.c ++++ b/src/_imagingcms.c +@@ -201,8 +201,8 @@ cms_transform_new(cmsHTRANSFORM transform, char *mode_in, char *mode_out) { + + self->transform = transform; + +- strcpy(self->mode_in, mode_in); +- strcpy(self->mode_out, mode_out); ++ strncpy(self->mode_in, mode_in, 8); ++ strncpy(self->mode_out, mode_out, 8); + + return (PyObject *)self; + } +@@ -244,8 +244,8 @@ findLCMStype(char *PILmode) { + } + + else { +- /* take a wild guess... but you probably should fail instead. */ +- return TYPE_GRAY_8; /* so there's no buffer overrun... */ ++ /* take a wild guess... */ ++ return TYPE_GRAY_8; + } + } + +-- +2.40.0 + diff --git a/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb b/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb index e42e58be80..ffc2c00fb1 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb @@ -14,6 +14,7 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https file://CVE-2023-50447-2.patch \ file://CVE-2023-50447-3.patch \ file://CVE-2023-50447-4.patch \ + file://CVE-2024-28219.patch \ " SRCREV ?= "82541b6dec8452cb612067fcebba1c5a1a2bfdc8" -- 2.40.0
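Review bot: in the cms_transform_new hunk, `strncpy(self->mode_in, mode_in, 8)` and `strncpy(self->mode_out, mode_out, 8)` with a count of 8 do not write a terminating NUL when the source is 8 bytes or longer, so a mode string of that length no longer overflows on the copy but leaves an unterminated field that any later string read of mode_in or mode_out can run past. This matches the upstream commit being backported, so it is acceptable as a CVE fix, but a more robust variant copies at most 7 bytes and terminates explicitly, e.g. `strncpy(self->mode_in, mode_in, 7); self->mode_in[7] = '\0';`, or rejects a mode longer than the field before copying; worth a follow-up rather than a change to this backport.

Review bot: the findLCMStype hunk changes comments only (`/* take a wild guess... */`) and keeps `return TYPE_GRAY_8;` for unknown modes, so there is no functional change there; it would help a reader of the commit message to state that the second hunk is comment-only and that the actual overflow fix is confined to the two strncpy lines in cms_transform_new.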
