Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990
Backport the patch referenced by the NVD advisory. Note that the patch contain some new binary test data, which requires "git" PATCHTOOL - other tools fail to apply binary patches. All ptests passed successfully: Testsuite summary TOTAL: 5011 PASS: 4577 SKIP: 431 XFAIL: 3 FAIL: 0 XPASS: 0 ERROR: 0 DURATION: 59 END: /usr/lib/python3-pillow/ptest 2026-03-06T17:58 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../python3-pillow/CVE-2026-25990.patch | 151 ++++++++++++++++++ .../python/python3-pillow_12.0.0.bb | 5 + 2 files changed, 156 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch new file mode 100644 index 0000000000..e2c12b7b24 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-25990.patch @@ -0,0 +1,151 @@ +From 829bd7b5c533e3a58d6f0a0ef4f001ea2605b784 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <[email protected]> +Date: Wed, 11 Feb 2026 10:24:50 +1100 +Subject: [PATCH] Fix OOB Write with invalid tile extents (#9427) + +Co-authored-by: Eric Soroos <[email protected]> + +CVE: CVE-2026-25990 +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + Tests/images/psd-oob-write-x.psd | Bin 0 -> 1126 bytes + Tests/images/psd-oob-write-y.psd | Bin 0 -> 1126 bytes + Tests/images/psd-oob-write.psd | Bin 0 -> 37212 bytes + Tests/test_file_psd.py | 17 +++++++++++++++++ + Tests/test_imagefile.py | 7 +++++++ + src/decode.c | 3 ++- + src/encode.c | 3 ++- + 7 files changed, 28 insertions(+), 2 deletions(-) + create mode 100644 Tests/images/psd-oob-write-x.psd + create mode 100644 Tests/images/psd-oob-write-y.psd + create mode 100644 Tests/images/psd-oob-write.psd + +diff --git a/Tests/images/psd-oob-write-x.psd b/Tests/images/psd-oob-write-x.psd +new file mode 100644 +index 0000000000000000000000000000000000000000..86359f4cb7e826a69a8e69a4b85947498ec18923 +GIT binary patch +literal 1126 +zcma)5J!lkB5dL=WC-F>3z$=1SY;juU8Wp`VZp09|z;cO@XbSh|ZgXUJ@7TRX4pIuX +z0SkW`qZT&S+FIBOg5VE`wTL!~HWJqFz0GA0$%PEez3<J;H#cu)wx%1)P>@QFhrkNP +zAuvV#TGJPoazEr{TAAgkKpC9EmzOT6P~@#DuSJ<hm6j=CQFnxTwjbr^06*x3jRjp> +zUAwN0ePiq~9H(A1?WlXnFzSMFu>5&1Gvi%V<T^NJq;=A1Mm8UyF=Ec{hCSkS$ +zx&q%PF54TXL;Re0He`XsABEjY@ppk;iB&?B!<EK7-&Q8p+#zfYVS6L=8FQX76~_;l +zUtLYHBk-2Mz8AALDPjf_&EVQH&kFSv7O;pV7|>uLMjIY_sPYVGiO`^5AHhE<`36}Q +zS#8*4Tt){zOv#6s0b?jxZ==?^v(ltY=s@91lKeUijNJuxx0B@W<0RRA0^~jeuY!!< +z*#T<5Y2VIll}EtTZQ#Z0%x2vKUfuy_K6TB|l>Z~PO>MP+pU;5FHQ>ZspmZbc8-2o$ +zryqb7_Nx8{c<>N7<1+X9h<A^Zu-~^sWA^&TIbWq-;U;II5Gs4$Lb}sM=`V`S4mzQq +zq_OJ*N=Y~EO*ibs9I}Y<;-F3647CKEJ-4w57a=DQb9#=9>9@HB$WwFjZhIlIc)`9T +z6kgJL@)8%N^RTLn0liQ+`%UH?s%V<N0_v=&k0$F$eOV>)+x7mhM3JvQ>aRNJ<v*Wo +Br)B^E + +literal 0 +HcmV?d00001 + +diff --git a/Tests/images/psd-oob-write-y.psd b/Tests/images/psd-oob-write-y.psd +new file mode 100644 +index 0000000000000000000000000000000000000000..73498266a7d732ad70be649718229fa5f07997b7 +GIT binary patch +literal 1126 +zcma)5O=uHQ5dL=a(;8b^Foz-@_7FWa7ZuI1ZpBhbVM!~r+JpO(Y(sZ9VK++&coe)A +zJot05>cNX=y?XE}2!cN#o<;Pc=tau<y|;-Qq$v(e-uGtao6MV;t?9-p6r_^lA+Ul; +z2ux8w*YxF;+&6idRpxmrP==@Q<)sTM6nU%4Yf<J=rDaA~)IFh|?ML|qzz=$1V@cQ6 +zH?C?EUl@A?N2%vcJL+CAjJjYPEWh5$%y?53xeksQYn^tQk<ABaj99R{VUPGa@wuH| +zSKzzEWqZqXh@TSAhb)lzy|7y;{wlC5u}X+?xYk(Y+see6JA$ndY;T1=W6m<B;`jmc +ztLrIt1im4#@5QW5ikQJvGq|$KvqC+AB`jkF1~gcR(T0Z}syqW)A~fjN$MBC!zCo5n +zRvR`M7tw(aQ}Q8Zz!*x_+o*Nsv@|JGI#BqOBtK396Ssl=-6Z+_FiG|w0lAOBiy-57 +z_JG<?+IKTs<pD5r6L|JAvsrh5=eK~l4_z}f<^PCnQ(G<I`x9V#132~?C|yhYMxXHG +z@jGCRy{f+g?%fAYxy-#e=G~Jd{O#MJF@yeb&X=i|xXGC)gv#JsNO!s@{YA0aK_~Q+ +zG<I`HDe0!Y?S`G0Ll!Y!9JJ}1qn4nv=Qg(CBIE>OPS24s{WiA%d1_AHZ7(DiFOZT@ +z1~9EBFYiTZJFF^Wz(S#J_M6N(Qqe4Z1=LwlA5GSi`m##ox9j~=340;B^S{69u$O-T +DuU)5R + +literal 0 +HcmV?d00001 + +diff --git a/Tests/images/psd-oob-write.psd b/Tests/images/psd-oob-write.psd +new file mode 100644 +index 0000000000000000000000000000000000000000..65a4472cf263a94277952c06903709afb0c8213f +GIT binary patch +literal 37212 +zcmeI!I|{-;5CG8e2f;Js6jo_XXCVk)LDH$<2|S2L%6V+#=3`?OM1sW|nCvc@*<D_> +zMR_>JEc#fa;nZao?R<!Q8IecK-|IB4yX<SKuD|O3S4FwoU#_=vGZZ&X^GNwj%T3Bv +zzi(EzJ?WeF%<9jci0uU7lnIa>L4W`O0t5&U7$GptyKKZoln@|5fB*pk1ildPmiYor +z3jqQI2oNCfHv$oNL4W`O0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N +z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ +t009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+0D&I~yZ}A8uQLDu + +literal 0 +HcmV?d00001 + +diff --git a/Tests/test_file_psd.py b/Tests/test_file_psd.py +index 38a88cd17..63db7b26a 100644 +--- a/Tests/test_file_psd.py ++++ b/Tests/test_file_psd.py +@@ -184,3 +184,20 @@ def test_layer_crashes(test_file: str) -> None: + assert isinstance(im, PsdImagePlugin.PsdImageFile) + with pytest.raises(SyntaxError): + im.layers ++ ++ [email protected]( ++ "test_file", ++ [ ++ "Tests/images/psd-oob-write.psd", ++ "Tests/images/psd-oob-write-x.psd", ++ "Tests/images/psd-oob-write-y.psd", ++ ], ++) ++def test_bounds_crash(test_file: str) -> None: ++ with Image.open(test_file) as im: ++ assert isinstance(im, PsdImagePlugin.PsdImageFile) ++ im.seek(im.n_frames) ++ ++ with pytest.raises(ValueError): ++ im.load() +diff --git a/Tests/test_imagefile.py b/Tests/test_imagefile.py +index 7dfb3abf9..2ef9fe2b9 100644 +--- a/Tests/test_imagefile.py ++++ b/Tests/test_imagefile.py +@@ -169,6 +169,13 @@ class TestImageFile: + with pytest.raises(ValueError, match="Tile offset cannot be negative"): + im.load() + ++ @pytest.mark.parametrize("xy", ((-1, 0), (0, -1))) ++ def test_negative_tile_extents(self, xy: tuple[int, int]) -> None: ++ im = Image.new("1", (1, 1)) ++ fp = BytesIO() ++ with pytest.raises(SystemError, match="tile cannot extend outside image"): ++ ImageFile._save(im, fp, [ImageFile._Tile("raw", xy + (1, 1), 0, "1")]) ++ + def test_no_format(self) -> None: + buf = BytesIO(b"\x00" * 255) + +diff --git a/src/decode.c b/src/decode.c +index 051623ed4..7ec461c0e 100644 +--- a/src/decode.c ++++ b/src/decode.c +@@ -186,7 +186,8 @@ _setimage(ImagingDecoderObject *decoder, PyObject *args) { + state->ysize = y1 - y0; + } + +- if (state->xsize <= 0 || state->xsize + state->xoff > (int)im->xsize || ++ if (state->xoff < 0 || state->xsize <= 0 || ++ state->xsize + state->xoff > (int)im->xsize || state->yoff < 0 || + state->ysize <= 0 || state->ysize + state->yoff > (int)im->ysize) { + PyErr_SetString(PyExc_ValueError, "tile cannot extend outside image"); + return NULL; +diff --git a/src/encode.c b/src/encode.c +index b1d0181e0..117bf2164 100644 +--- a/src/encode.c ++++ b/src/encode.c +@@ -254,7 +254,8 @@ _setimage(ImagingEncoderObject *encoder, PyObject *args) { + state->ysize = y1 - y0; + } + +- if (state->xsize <= 0 || state->xsize + state->xoff > im->xsize || ++ if (state->xoff < 0 || state->xsize <= 0 || ++ state->xsize + state->xoff > im->xsize || state->yoff < 0 || + state->ysize <= 0 || state->ysize + state->yoff > im->ysize) { + PyErr_SetString(PyExc_SystemError, "tile cannot extend outside image"); + return NULL; diff --git a/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb b/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb index 4db5db1572..34b462ca4f 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a1b708da743e3fc0e5c35e92daac0bf8" SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https;tag=${PV} \ file://0001-support-cross-compiling.patch \ + file://CVE-2026-25990.patch \ " SRCREV = "693df7b42c666f88c719f9973be0ad71607328e0" @@ -65,3 +66,7 @@ CVE_PRODUCT = "pillow" RPROVIDES:${PN} += "python3-imaging" BBCLASSEXTEND = "native" + +# CVE-2026-25990.patch in SRC_URI contains a binary blob, which needs to +# be applied with git +PATCHTOOL = "git"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#124920): https://lists.openembedded.org/g/openembedded-devel/message/124920 Mute This Topic: https://lists.openembedded.org/mt/118175879/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
