diff options
| author |   mingli.yu@windriver.com <mingli.yu@windriver.com> | 2016-07-20 14:00:07 +0800 |
|---|---|---|
| committer |   Martin Jansa <Martin.Jansa@gmail.com> | 2016-07-29 11:00:59 +0200 |
| commit | b142ab5a0b4d5f88c658aeac1ee1c2752d72891f (patch) | |
| tree | b02d4e82416a339f67e6d57c543fb4c2859ab5f6 /meta-python/recipes-devtools/python | |
| parent | 639864337308268996c648d1fc607f54554f59e6 (diff) | |
| download | meta-openembedded-contrib-b142ab5a0b4d5f88c658aeac1ee1c2752d72891f.tar.gz | |
python-imaging: Fix CVE-2016-2533
* PCD decoder overruns the shuffle buffer, Fixes #568
the patch comes from:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2533
https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4#diff-8ff6909c159597e22288ad818938fd6b
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools/python')
| -rw-r--r-- | meta-python/recipes-devtools/python/python-imaging/python-imaging-CVE-2016-2533.patch | 38 | ||||
| -rw-r--r-- | meta-python/recipes-devtools/python/python-imaging_1.1.7.bb | 4 |
2 files changed, 41 insertions, 1 deletions
diff --git a/meta-python/recipes-devtools/python/python-imaging/python-imaging-CVE-2016-2533.patch b/meta-python/recipes-devtools/python/python-imaging/python-imaging-CVE-2016-2533.patch new file mode 100644 index 0000000000..b01136f9ac --- /dev/null +++ b/meta-python/recipes-devtools/python/python-imaging/python-imaging-CVE-2016-2533.patch @@ -0,0 +1,38 @@ +python-imaging: CVE-2016-2533 + +the patch comes from: +https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2533 +https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4#diff-8ff6909c159597e22288ad818938fd6b + +PCD decoder overruns the shuffle buffer, Fixes #568 + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + libImaging/PcdDecode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libImaging/PcdDecode.c b/libImaging/PcdDecode.c +index b6898e3..c02d005 100644 +--- a/libImaging/PcdDecode.c ++++ b/libImaging/PcdDecode.c +@@ -47,7 +47,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) + out[0] = ptr[x]; + out[1] = ptr[(x+4*state->xsize)/2]; + out[2] = ptr[(x+5*state->xsize)/2]; +- out += 4; ++ out += 3; + } + + state->shuffle((UINT8*) im->image[state->y], +@@ -62,7 +62,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) + out[0] = ptr[x+state->xsize]; + out[1] = ptr[(x+4*state->xsize)/2]; + out[2] = ptr[(x+5*state->xsize)/2]; +- out += 4; ++ out += 3; + } + + state->shuffle((UINT8*) im->image[state->y], +-- +1.7.9.5 + diff --git a/meta-python/recipes-devtools/python/python-imaging_1.1.7.bb b/meta-python/recipes-devtools/python/python-imaging_1.1.7.bb index d2f1a8c0b3..60dd7d0a36 100644 --- a/meta-python/recipes-devtools/python/python-imaging_1.1.7.bb +++ b/meta-python/recipes-devtools/python/python-imaging_1.1.7.bb @@ -10,7 +10,9 @@ SRC_URI = "http://effbot.org/downloads/Imaging-${PV}.tar.gz \ file://0001-python-imaging-setup.py-force-paths-for-zlib-freetyp.patch \ file://allow.to.disable.some.features.patch \ file://fix-freetype-includes.patch \ - file://remove-host-libdir.patch" + file://remove-host-libdir.patch \ + file://python-imaging-CVE-2016-2533.patch \ +" SRC_URI[md5sum] = "fc14a54e1ce02a0225be8854bfba478e" SRC_URI[sha256sum] = "895bc7c2498c8e1f9b99938f1a40dc86b3f149741f105cf7c7bd2e0725405211" |