author | spz <spz> | 2014-05-15 06:23:05 +0000 |
---|---|---|
committer | spz <spz> | 2014-05-15 06:23:05 +0000 |
commit | 0c7e7b2c7d57eb57d11f6b1051c6cc9036f61bf7 (patch) | |
tree | 3fd77d8509f5003993193250d70c197784ee4bfd /graphics/py-imaging/patches | |
parent | 104493155d740af5492b9fafd7308daa8e235872 (diff) | |
download | pkgsrc-0c7e7b2c7d57eb57d11f6b1051c6cc9036f61bf7.tar.gz |
patches for CVE-2014-1932 and CVE-2014-1933 taken from
https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
Diffstat (limited to 'graphics/py-imaging/patches')
4 files changed, 92 insertions, 0 deletions
diff --git a/graphics/py-imaging/patches/patch-PIL_EpsImagePlugin.py b/graphics/py-imaging/patches/patch-PIL_EpsImagePlugin.py
new file mode 100644
index 00000000000..1e9bac626a6
--- /dev/null
+++ b/graphics/py-imaging/patches/patch-PIL_EpsImagePlugin.py
@@ -0,0 +1,17 @@
+$NetBSD: patch-PIL_EpsImagePlugin.py,v 1.1 2014/05/15 06:23:06 spz Exp $
+
+patch for CVE-2014-1932 and CVE-2014-1933 taken from
+https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
+
+--- PIL/EpsImagePlugin.py.orig 2009-11-01 00:44:11.000000000 +0000
++++ PIL/EpsImagePlugin.py
+@@ -44,7 +44,8 @@ def Ghostscript(tile, size, fp):
+
+ import tempfile, os
+
+- file = tempfile.mktemp()
++ out_fd, file = tempfile.mkstemp()
++ os.close(out_fd)
+
+ # Build ghostscript command
+ command = ["gs",
diff --git a/graphics/py-imaging/patches/patch-PIL_Image.py b/graphics/py-imaging/patches/patch-PIL_Image.py
new file mode 100644
index 00000000000..d8cc1d518d9
--- /dev/null
+++ b/graphics/py-imaging/patches/patch-PIL_Image.py
@@ -0,0 +1,28 @@
+$NetBSD: patch-PIL_Image.py,v 1.1 2014/05/15 06:23:06 spz Exp $
+
+patch for CVE-2014-1932 and CVE-2014-1933 taken from
+https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
+
+--- PIL/Image.py.orig 2009-11-15 15:51:25.000000000 +0000
++++ PIL/Image.py
+@@ -482,14 +482,17 @@ class Image:
+ self.readonly = 0
+
+ def _dump(self, file=None, format=None):
+- import tempfile
++ import tempfile, os
+ if not file:
+- file = tempfile.mktemp()
++ f, file = tempfile.mkstemp(format or '')
++ os.close(f)
++
+ self.load()
+ if not format or format == "PPM":
+ self.im.save_ppm(file)
+ else:
+- file = file + "." + format
++ if file.endswith(format):
++ file = file + "." + format
+ self.save(file, format)
+ return file
+
diff --git a/graphics/py-imaging/patches/patch-PIL_IptcImagePlugin.py b/graphics/py-imaging/patches/patch-PIL_IptcImagePlugin.py
new file mode 100644
index 00000000000..d7de6765c6a
--- /dev/null
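Review bot: In patch-PIL_Image.py the guard `if file.endswith(format):` in `_dump` appears inverted. A name returned by `tempfile.mkstemp(format or '')` always ends with `format`, so the branch appends `"." + format` and `self.save` writes to a second, derived path that mkstemp never created, while the securely created file is left behind empty. That brings back a predictable, non-exclusively created temporary file, which is what this patch is meant to remove. Create the file under its final name with `f, file = tempfile.mkstemp("." + format if format else "")` and append the extension only when it is missing, `if not file.endswith("." + format):`.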
+++ b/graphics/py-imaging/patches/patch-PIL_IptcImagePlugin.py
@@ -0,0 +1,18 @@
+$NetBSD: patch-PIL_IptcImagePlugin.py,v 1.1 2014/05/15 06:23:06 spz Exp $
+
+patch for CVE-2014-1932 and CVE-2014-1933 taken from
+https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
+
+--- PIL/IptcImagePlugin.py.orig 2009-11-01 00:44:12.000000000 +0000
++++ PIL/IptcImagePlugin.py
+@@ -173,8 +173,8 @@ class IptcImageFile(ImageFile.ImageFile)
+ self.fp.seek(offset)
+
+ # Copy image data to temporary file
+- outfile = tempfile.mktemp()
+- o = open(outfile, "wb")
++ o_fd, outfile = tempfile.mkstemp(text=False)
++ o = os.fdopen(o_fd)
+ if encoding == "raw":
+ # To simplify access to the extracted file,
+ # prepend a PPM header
diff --git a/graphics/py-imaging/patches/patch-PIL_JpegImagePlugin.py b/graphics/py-imaging/patches/patch-PIL_JpegImagePlugin.py
new file mode 100644
index 00000000000..dcb94da278f
--- /dev/null
+++ b/graphics/py-imaging/patches/patch-PIL_JpegImagePlugin.py
@@ -0,0 +1,29 @@
+$NetBSD: patch-PIL_JpegImagePlugin.py,v 1.1 2014/05/15 06:23:06 spz Exp $
+
+patch for CVE-2014-1932 and CVE-2014-1933 taken from
+https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
+
+--- PIL/JpegImagePlugin.py.orig 2009-11-01 00:44:12.000000000 +0000
++++ PIL/JpegImagePlugin.py
+@@ -344,13 +344,17 @@ class JpegImageFile(ImageFile.ImageFile)
+ # ALTERNATIVE: handle JPEGs via the IJG command line utilities
+
+ import tempfile, os
+- file = tempfile.mktemp()
+- os.system("djpeg %s >%s" % (self.filename, file))
++ f, path = tempfile.mkstemp()
++ os.close(f)
++ if os.path.exists(self.filename):
++ os.system("djpeg '%s' >'%s'" % (self.filename, path))
++ else:
++ raise ValueError("Invalid Filename")
+
+ try:
+- self.im = Image.core.open_ppm(file)
++ self.im = Image.core.open_ppm(path)
+ finally:
+- try: os.unlink(file)
++ try: os.unlink(path)
+ except: pass
+
+ self.mode = self.im.mode |
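Review bot: In patch-PIL_IptcImagePlugin.py, `os.fdopen(o_fd)` opens the descriptor with the default mode `"r"`, whereas the line it replaces opened the file with `"wb"`. The comment above says image data is copied into this file, so the writes that follow (outside the hunk) would presumably fail. Use `o = os.fdopen(o_fd, "wb")`. The hunk also starts using `os` without showing an import, so confirm that PIL/IptcImagePlugin.py imports it at module level.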
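Review bot: In patch-PIL_JpegImagePlugin.py, `os.system("djpeg '%s' >'%s'" % (self.filename, path))` still hands `self.filename` to a shell, and wrapping it in single quotes does not neutralise a name that itself contains a quote character, so command injection through the filename remains possible. The `os.path.exists` check only confirms that the name refers to a file, not that it is safe to interpolate. The `raise ValueError` branch also runs after `mkstemp` but before the `try`/`finally` that unlinks, so the temporary file is left behind on that path. Running djpeg from an argument list, with its output sent to the mkstemp descriptor and the call moved inside the cleanup block, removes the shell and the leak together. The enclosing method starts and ends outside the hunk, and `subprocess` would have to be added to the local import.

```python
import tempfile, os, subprocess
f, path = tempfile.mkstemp()
try:
    try:
        # argument list, no shell: the filename is passed to djpeg verbatim
        subprocess.check_call(["djpeg", self.filename], stdout=f)
    finally:
        os.close(f)
    self.im = Image.core.open_ppm(path)
finally:
    # … unchanged: best-effort os.unlink(path) …
```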