diff -Nru pillow-3.1.2/debian/changelog pillow-3.1.2/debian/changelog
--- pillow-3.1.2/debian/changelog 2021-01-13 19:24:40.000000000 +0000
+++ pillow-3.1.2/debian/changelog 2021-03-11 12:52:18.000000000 +0000
@@ -1,3 +1,17 @@
+pillow (3.1.2-0ubuntu1.6) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: negative-offset memcpy with an invalid size
+ - debian/patches/CVE-2021-25290.patch: add extra check to
+ libImaging/TiffDecode.c.
+ - CVE-2021-25290
+ * SECURITY UPDATE: DoS via invalid reported size
+ - debian/patches/CVE-2021-2792x.patch: check reported sizes in
+ PIL/IcnsImagePlugin.py, PIL/IcoImagePlugin.py.
+ - CVE-2021-27922
+ - CVE-2021-27923
+
+ -- Marc Deslauriers Thu, 11 Mar 2021 07:51:05 -0500
+
 pillow (3.1.2-0ubuntu1.5) xenial-security; urgency=medium
 
 * SECURITY UPDATE: buffer over-read via PCX file
diff -Nru pillow-3.1.2/debian/patches/CVE-2021-25290.patch pillow-3.1.2/debian/patches/CVE-2021-25290.patch
--- pillow-3.1.2/debian/patches/CVE-2021-25290.patch 1970-01-01 00:00:00.000000000 +0000
+++ pillow-3.1.2/debian/patches/CVE-2021-25290.patch 2021-03-11 12:46:05.000000000 +0000
@@ -0,0 +1,39 @@
+Backport of:
+
+From 86f02f7c70862a0954bfe8133736d352db978eaa Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Fri, 8 Jan 2021 18:45:42 +0100
+Subject: [PATCH] Fix negative size read in TiffDecode.c
+
+* Caught by oss-fuzz runs
+* CVE-2021-25290
+---
+ ...-0c7e0e8e11ce787078f00b5b0ca409a167f070e0.tif | Bin 0 -> 2529 bytes
+ ...-1185209cf7655b5aed8ae5e77784dfdd18ab59e9.tif | Bin 0 -> 1931 bytes
+ ...-338516dbd2f0e83caddb8ce256c22db3bd6dc40f.tif | Bin 0 -> 4682 bytes
+ ...-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif | Bin 0 -> 4050 bytes
+ ...-86214e58da443d2b80820cff9677a38a33dcbbca.tif | Bin 0 -> 286 bytes
+ ...-f46f5b2f43c370fe65706c11449f567ecc345e74.tif | Bin 0 -> 1844 bytes
+ Tests/test_tiff_crashes.py | 8 +++++++-
+ src/libImaging/TiffDecode.c | 4 ++++
+ 8 files changed, 11 insertions(+), 1 deletion(-)
+ create mode 100644 Tests/images/crash-0c7e0e8e11ce787078f00b5b0ca409a167f070e0.tif
+ create mode 100644 Tests/images/crash-1185209cf7655b5aed8ae5e77784dfdd18ab59e9.tif
+ create mode 100644 Tests/images/crash-338516dbd2f0e83caddb8ce256c22db3bd6dc40f.tif
+ create mode 100644 Tests/images/crash-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif
+ create mode 100644 Tests/images/crash-86214e58da443d2b80820cff9677a38a33dcbbca.tif
+ create mode 100644 Tests/images/crash-f46f5b2f43c370fe65706c11449f567ecc345e74.tif
+
+--- a/libImaging/TiffDecode.c
++++ b/libImaging/TiffDecode.c
+@@ -36,6 +36,10 @@ tsize_t _tiffReadProc(thandle_t hdata, t
+ TRACE(("_tiffReadProc: %d \n", (int)size));
+ dump_state(state);
+
++ if (state->loc > state->eof) {
++ TIFFError("_tiffReadProc", "Invalid Read at loc %d, eof: %d", state->loc, state->eof);
++ return 0;
++ }
+ to_read = min(size, min(state->size, (tsize_t)state->eof) - (tsize_t)state->loc);
+ TRACE(("to_read: %d\n", (int)to_read));
+
diff -Nru pillow-3.1.2/debian/patches/CVE-2021-2792x.patch pillow-3.1.2/debian/patches/CVE-2021-2792x.patch
--- pillow-3.1.2/debian/patches/CVE-2021-2792x.patch 1970-01-01
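Review bot: The guard added to `_tiffReadProc` in the TiffDecode.c hunk compares `state->loc` only with `state->eof`, while the length on the next line is bounded by `min(state->size, (tsize_t)state->eof)`; if `state->size` can be smaller than `state->eof` on the read path (not visible here), `to_read` can still go negative for a `loc` that lies between the two. Comparing against the same bound would close that gap: `if ((tsize_t)state->loc > min(state->size, (tsize_t)state->eof)) {`. The `TIFFError` call also passes `state->loc` and `state->eof` to `%d` uncast, whereas the neighbouring `TRACE` calls cast to `(int)` and the subtraction casts both fields to `tsize_t`, which suggests they are wider offset types; `"Invalid Read at loc %llu, eof: %llu", (unsigned long long)state->loc, (unsigned long long)state->eof` would keep the logged values accurate. The upstream diffstat lists `Tests/test_tiff_crashes.py` and six crash images that this backport does not carry, so the package appears to have no regression test for this read. `_tiffReadProc` starts and ends outside the hunk.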
00:00:00.000000000 +0000
+++ pillow-3.1.2/debian/patches/CVE-2021-2792x.patch 2021-03-11 12:50:50.000000000 +0000
@@ -0,0 +1,51 @@
+Backport of:
+
+From 480f6819b592d7f07b9a9a52a7656c10bbe07442 Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Wed, 24 Feb 2021 23:27:07 +0100
+Subject: [PATCH] Fix Memory DOS in Icns, Ico and Blp Image Plugins
+
+Some container plugins that could contain images of other formats,
+such as the ICNS format, did not properly check the reported size of
+the contained image. These images could cause arbitrariliy large
+memory allocations.
+
+This is fixed for all locations where individual *ImageFile classes
+are created without going through the usual Image.open method.
+---
+ ...d3316a4109213ca96fb8a256a0bfefdece1461.icns | Bin 0 -> 240915 bytes
+ Tests/test_file_icns.py | 6 ++++++
+ src/PIL/BlpImagePlugin.py | 1 +
+ src/PIL/IcnsImagePlugin.py | 2 ++
+ src/PIL/IcoImagePlugin.py | 1 +
+ 5 files changed, 10 insertions(+)
+ create mode 100644 Tests/images/oom-8ed3316a4109213ca96fb8a256a0bfefdece1461.icns
+
+--- a/PIL/IcnsImagePlugin.py
++++ b/PIL/IcnsImagePlugin.py
+@@ -111,6 +111,7 @@ def read_png_or_jpeg2000(fobj, start_len
+ if sig[:8] == b'\x89PNG\x0d\x0a\x1a\x0a':
+ fobj.seek(start)
+ im = PngImagePlugin.PngImageFile(fobj)
++ Image._decompression_bomb_check(im.size)
+ return {"RGBA": im}
+ elif sig[:4] == b'\xff\x4f\xff\x51' \
+ or sig[:4] == b'\x0d\x0a\x87\x0a' \
+@@ -123,6 +124,7 @@ def read_png_or_jpeg2000(fobj, start_len
+ jp2kstream = fobj.read(length)
+ f = io.BytesIO(jp2kstream)
+ im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
++ Image._decompression_bomb_check(im.size)
+ if im.mode != 'RGBA':
+ im = im.convert('RGBA')
+ return {"RGBA": im}
+--- a/PIL/IcoImagePlugin.py
++++ b/PIL/IcoImagePlugin.py
+@@ -164,6 +164,7 @@ class IcoFile(object):
+ if data[:8] == PngImagePlugin._MAGIC:
+ # png frame
+ im = PngImagePlugin.PngImageFile(self.buf)
++ Image._decompression_bomb_check(im.size)
+ else:
+ # XOR + AND mask bmp frame
+ im = BmpImagePlugin.DibImageFile(self.buf)
diff -Nru pillow-3.1.2/debian/patches/series pillow-3.1.2/debian/patches/series
---
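Review bot: In the IcoImagePlugin.py hunk only the PNG branch gains `Image._decompression_bomb_check(im.size)`; the DIB branch, `im = BmpImagePlugin.DibImageFile(self.buf)`, is the hunk's last line, so unless a check already follows it outside the hunk in this 3.1.2 tree, frames decoded through that branch keep an unchecked reported size and the same call should be added after that line. It is also worth confirming what `_decompression_bomb_check` does in this release: if it only emits `DecompressionBombWarning` and never raises, the three added calls report the oversized image but do not stop the allocation unless warnings are turned into errors. The upstream diffstat lists `src/PIL/BlpImagePlugin.py` and `Tests/test_file_icns.py`, neither of which appears in the backport; a line in the patch header such as `Blp hunk dropped: plugin not present in 3.1.2` (if that is the reason) would record why. `read_png_or_jpeg2000` and the `IcoFile` method both continue outside their hunks.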
pillow-3.1.2/debian/patches/series 2021-01-13 15:51:31.000000000 +0000
+++ pillow-3.1.2/debian/patches/series 2021-03-11 12:49:49.000000000 +0000
@@ -24,3 +24,5 @@
 CVE-2020-10994-1.patch
 CVE-2020-10994-2.patch
 CVE-2020-35653.patch
+CVE-2021-25290.patch
+CVE-2021-2792x.patch