diff -u python-imaging-1.1.7/debian/changelog python-imaging-1.1.7/debian/changelog --- python-imaging-1.1.7/debian/changelog +++ python-imaging-1.1.7/debian/changelog @@ -1,3 +1,14 @@ +python-imaging (1.1.7-4ubuntu0.12.04.2) precise-security; urgency=medium + + * SECURITY UPDATE: Fixes for buffer overflows + - PIL/IcnsImagePlugin.py, libImaging/PcdDecode.c, libImaging/FliDecode.c + - CVE-2016-0775 + - CVE-2016-2533 + - CVE-2014-3596 + - Kudos to Andrew Drake and Eric Soroos for discovering these issues. + + -- Emily Ratliff Fri, 09 Sep 2016 14:45:49 -0500 + python-imaging (1.1.7-4ubuntu0.12.04.1) precise-security; urgency=medium * SECURITY UPDATE: insecure use of temporary files only in patch2: unchanged: --- python-imaging-1.1.7.orig/PIL/IcnsImagePlugin.py +++ python-imaging-1.1.7/PIL/IcnsImagePlugin.py @@ -115,6 +115,8 @@ i = HEADERSIZE while i < filesize: sig, blocksize = nextheader(fobj) + if blocksize <= 0: + raise SyntaxError('invalid block header') i = i + HEADERSIZE blocksize = blocksize - HEADERSIZE dct[sig] = (i, blocksize) only in patch2: unchanged: --- python-imaging-1.1.7.orig/libImaging/PcdDecode.c +++ python-imaging-1.1.7/libImaging/PcdDecode.c @@ -47,7 +47,7 @@ out[0] = ptr[x]; out[1] = ptr[(x+4*state->xsize)/2]; out[2] = ptr[(x+5*state->xsize)/2]; - out += 4; + out += 3; } state->shuffle((UINT8*) im->image[state->y], @@ -62,7 +62,7 @@ out[0] = ptr[x+state->xsize]; out[1] = ptr[(x+4*state->xsize)/2]; out[2] = ptr[(x+5*state->xsize)/2]; - out += 4; + out += 3; } state->shuffle((UINT8*) im->image[state->y], only in patch2: unchanged: --- python-imaging-1.1.7.orig/libImaging/FliDecode.c +++ python-imaging-1.1.7/libImaging/FliDecode.c @@ -185,7 +185,7 @@ /* COPY chunk */ for (y = 0; y < state->ysize; y++) { UINT8* buf = (UINT8*) im->image[y]; - memcpy(buf+x, data, state->xsize); + memcpy(buf, data, state->xsize); data += state->xsize; } break;