From 0c7e7b2c7d57eb57d11f6b1051c6cc9036f61bf7 Mon Sep 17 00:00:00 2001
From: spz
Date: Thu, 15 May 2014 06:23:05 +0000
Subject: patches for CVE-2014-1932 and CVE-2014-1933 taken from https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7

---
 graphics/py-imaging/Makefile | 4 +--
 graphics/py-imaging/distinfo | 6 ++++-
 .../py-imaging/patches/patch-PIL_EpsImagePlugin.py | 17 +++++++++++++
 graphics/py-imaging/patches/patch-PIL_Image.py | 28 +++++++++++++++++++++
 .../patches/patch-PIL_IptcImagePlugin.py | 18 ++++++++++++++
 .../patches/patch-PIL_JpegImagePlugin.py | 29 ++++++++++++++++++++++
 6 files changed, 99 insertions(+), 3 deletions(-)
 create mode 100644 graphics/py-imaging/patches/patch-PIL_EpsImagePlugin.py
 create mode 100644 graphics/py-imaging/patches/patch-PIL_Image.py
 create mode 100644 graphics/py-imaging/patches/patch-PIL_IptcImagePlugin.py
 create mode 100644 graphics/py-imaging/patches/patch-PIL_JpegImagePlugin.py
(limited to 'graphics/py-imaging')

diff --git a/graphics/py-imaging/Makefile b/graphics/py-imaging/Makefile
index 0ff3e0fcb82..fca2e6e1331 100644
--- a/graphics/py-imaging/Makefile
+++ b/graphics/py-imaging/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.48 2014/05/09 07:37:08 wiz Exp $
+# $NetBSD: Makefile,v 1.49 2014/05/15 06:23:05 spz Exp $
 DISTNAME= Imaging-1.1.7
 PKGNAME= ${PYPKGPREFIX}-imaging-1.1.7
-PKGREVISION= 7
+PKGREVISION= 8
 CATEGORIES= graphics python
 MASTER_SITES= http://effbot.org/media/downloads/
diff --git a/graphics/py-imaging/distinfo b/graphics/py-imaging/distinfo
index 280a4f839db..3b1e7179033 100644
--- a/graphics/py-imaging/distinfo
+++ b/graphics/py-imaging/distinfo
@@ -1,8 +1,12 @@
-$NetBSD: distinfo,v 1.15 2013/12/11 23:55:11 markd Exp $
+$NetBSD: distinfo,v 1.16 2014/05/15 06:23:05 spz Exp $
 SHA1 (python/Imaging-1.1.7.tar.gz) = 76c37504251171fda8da8e63ecb8bc42a69a5c81
 RMD160 (python/Imaging-1.1.7.tar.gz) = 9af570fe100e250a4860314341fe3e6d695d7fde
 Size (python/Imaging-1.1.7.tar.gz) = 498749 bytes
+SHA1 (patch-PIL_EpsImagePlugin.py) = fbeb7b6091a3011363197c68be999280ba7282aa
+SHA1 (patch-PIL_Image.py) = 871994b3c8823c90ae23e6248762e403192e33fc
+SHA1 (patch-PIL_IptcImagePlugin.py) = bb809394b8c6f6e5b79aa1c90f429c3362e812e3
+SHA1 (patch-PIL_JpegImagePlugin.py) = d4fd6d5d60ea011def2e42460d7faa2e0f47b65e
 SHA1 (patch-_imagingft.c) = b935ce5ebdd57061ace324f7b53055113782f89c
 SHA1 (patch-ab) = 4d6b80cf6792c860baf7650b22263c441f057c89
 SHA1 (patch-ac) = 2ad2a988c7fdddb34812959ddfd60442282a48ea
diff --git a/graphics/py-imaging/patches/patch-PIL_EpsImagePlugin.py b/graphics/py-imaging/patches/patch-PIL_EpsImagePlugin.py
new file mode 100644
index 00000000000..1e9bac626a6
--- /dev/null
+++ b/graphics/py-imaging/patches/patch-PIL_EpsImagePlugin.py
@@ -0,0 +1,17 @@
+$NetBSD: patch-PIL_EpsImagePlugin.py,v 1.1 2014/05/15 06:23:06 spz Exp $
+
+patch for CVE-2014-1932 and CVE-2014-1933 taken from
+https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
+
+--- PIL/EpsImagePlugin.py.orig 2009-11-01 00:44:11.000000000 +0000
++++ PIL/EpsImagePlugin.py
+@@ -44,7 +44,8 @@ def Ghostscript(tile, size, fp):
+ 
+ import tempfile, os
+ 
+- file = tempfile.mktemp()
++ out_fd, file = tempfile.mkstemp()
++ os.close(out_fd)
+ 
+ # Build ghostscript command
+ command = ["gs",
diff --git a/graphics/py-imaging/patches/patch-PIL_Image.py b/graphics/py-imaging/patches/patch-PIL_Image.py
new file mode 100644
index 00000000000..d8cc1d518d9
--- /dev/null
+++ b/graphics/py-imaging/patches/patch-PIL_Image.py
@@ -0,0 +1,28 @@
+$NetBSD: patch-PIL_Image.py,v 1.1 2014/05/15 06:23:06 spz Exp $
+
+patch for CVE-2014-1932 and CVE-2014-1933 taken from
+https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
+
+--- PIL/Image.py.orig 2009-11-15 15:51:25.000000000 +0000
++++ PIL/Image.py
+@@ -482,14 +482,17 @@ class Image:
+ self.readonly = 0
+ 
+ def _dump(self, file=None, format=None):
+- import tempfile
++ import tempfile, os
+ if not file:
+- file = tempfile.mktemp()
++ f, file = tempfile.mkstemp(format or '')
++ os.close(f)
++
+ self.load()
+ if not format or format == "PPM":
+ self.im.save_ppm(file)
+ else:
+- file = file + "." + format
++ if file.endswith(format):
++ file = file + "." + format
+ self.save(file, format)
+ return file
+ 
diff --git a/graphics/py-imaging/patches/patch-PIL_IptcImagePlugin.py b/graphics/py-imaging/patches/patch-PIL_IptcImagePlugin.py
new file mode 100644
index 00000000000..d7de6765c6a
--- /dev/null
+++ b/graphics/py-imaging/patches/patch-PIL_IptcImagePlugin.py
@@ -0,0 +1,18 @@
+$NetBSD: patch-PIL_IptcImagePlugin.py,v 1.1 2014/05/15 06:23:06 spz Exp $
+
+patch for CVE-2014-1932 and CVE-2014-1933 taken from
+https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
+
+--- PIL/IptcImagePlugin.py.orig 2009-11-01 00:44:12.000000000 +0000
++++ PIL/IptcImagePlugin.py
+@@ -173,8 +173,8 @@ class IptcImageFile(ImageFile.ImageFile)
+ self.fp.seek(offset)
+ 
+ # Copy image data to temporary file
+- outfile = tempfile.mktemp()
+- o = open(outfile, "wb")
++ o_fd, outfile = tempfile.mkstemp(text=False)
++ o = os.fdopen(o_fd)
+ if encoding == "raw":
+ # To simplify access to the extracted file,
+ # prepend a PPM header
diff --git a/graphics/py-imaging/patches/patch-PIL_JpegImagePlugin.py b/graphics/py-imaging/patches/patch-PIL_JpegImagePlugin.py
new file mode 100644
index 00000000000..dcb94da278f
--- /dev/null
+++ b/graphics/py-imaging/patches/patch-PIL_JpegImagePlugin.py
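Review bot: The condition on the new `if file.endswith(format):` line in `_dump` is inverted — the extension is meant to be appended when the name does not already carry it, i.e. `if not file.endswith(format):`. As written, a caller-supplied `file` without the suffix no longer gets one (a regression against the removed `file = file + "." + format`), while the `mkstemp(format or '')` name, which does end in `format`, gets `"." + format` appended and `self.save` then writes to a sibling path that `mkstemp` never reserved — a predictable name again, with the empty reserved file left behind. The rest of class Image lies outside the hunk.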
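Review bot: In patch-PIL_IptcImagePlugin.py the new `o = os.fdopen(o_fd)` opens the descriptor in the default read mode, whereas the removed line opened the temporary file with `"wb"`; the copy that follows the "Copy image data to temporary file" comment writes to `o`, so the line should be `o = os.fdopen(o_fd, "wb")`. `tempfile.mkstemp(text=False)` is already the default and is harmless. The hunk does not show whether `os` is imported at the top of IptcImagePlugin.py; if it is not, the patch has to add it. The enclosing method continues outside the hunk.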
@@ -0,0 +1,29 @@
+$NetBSD: patch-PIL_JpegImagePlugin.py,v 1.1 2014/05/15 06:23:06 spz Exp $
+
+patch for CVE-2014-1932 and CVE-2014-1933 taken from
+https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
+
+--- PIL/JpegImagePlugin.py.orig 2009-11-01 00:44:12.000000000 +0000
++++ PIL/JpegImagePlugin.py
+@@ -344,13 +344,17 @@ class JpegImageFile(ImageFile.ImageFile)
+ # ALTERNATIVE: handle JPEGs via the IJG command line utilities
+ 
+ import tempfile, os
+- file = tempfile.mktemp()
+- os.system("djpeg %s >%s" % (self.filename, file))
++ f, path = tempfile.mkstemp()
++ os.close(f)
++ if os.path.exists(self.filename):
++ os.system("djpeg '%s' >'%s'" % (self.filename, path))
++ else:
++ raise ValueError("Invalid Filename")
+ 
+ try:
+- self.im = Image.core.open_ppm(file)
++ self.im = Image.core.open_ppm(path)
+ finally:
+- try: os.unlink(file)
++ try: os.unlink(path)
+ except: pass
+ 
+ self.mode = self.im.mode
-- 
cgit v1.2.3
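Review bot: Wrapping the interpolated names in single quotes on the new `os.system("djpeg '%s' >'%s'" ...)` line does not make the command shell-safe — a filename that itself contains a quote still terminates the quoted argument, and the preceding `os.path.exists` check only confirms that the file is present. The robust form drops the shell entirely: run djpeg through `subprocess` with an argument list and hand it the still-open descriptor from `mkstemp` as stdout, closing the descriptor afterwards. Moving the existence check ahead of `mkstemp` also avoids leaving the reserved temporary file behind on the `ValueError` path, which the later `finally: os.unlink(path)` does not cover. The enclosing method starts outside the hunk, and the bare `except: pass` on the context line is pre-existing rather than part of this change.
```python
        import tempfile, os, subprocess
        if not os.path.exists(self.filename):
            raise ValueError("Invalid Filename")
        f, path = tempfile.mkstemp()
        try:
            # argument list, no shell: the filename reaches djpeg verbatim
            subprocess.call(["djpeg", self.filename], stdout=f)
        finally:
            os.close(f)
        # … unchanged: try/finally around Image.core.open_ppm(path) …
```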