BE-164-cve-2021-25289_B

Add binary files that are needed for testing. The code changes that
fixed the CVE were made in an earlier release. This just adds the files
that show the CVE has been fixed.

commit cbfdde7b1f
Author: Eric Soroos eric-github@soroos.net
Date:   Sun Jan 3 21:35:32 2021 +0100
Incorrect error code checking in TiffDecode.c

* since Pillow 8.1.0
* CVE-2021-25289
This commit is contained in:
Frederick Price 2023-04-10 17:37:01 -04:00
parent 3a855cb647
commit e7a2ab62b7
4 changed files with 5 additions and 1 deletions


@ -8,6 +8,9 @@ Changelog (Pillow)
- Fix CVE-2020-35654 - Fix CVE-2020-35654
[rickprice] [rickprice]
- Catch TiffDecode heap-based buffer overflow. CVE 2021-25289
Add test files that show the CVE was fixed
[rickprice]
6.2.2.4 (2023-03-29) 6.2.2.4 (2023-03-29)
------------------ ------------------
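Review bot: the new changelog entry "Catch TiffDecode heap-based buffer overflow. CVE 2021-25289" describes a code fix, but the commit message states that the code change shipped in an earlier release and that this commit only adds test files; the entry should say what this commit actually does, e.g. "Add test files demonstrating that CVE-2021-25289 is fixed". Also write the identifier as "CVE-2021-25289" (with the hyphen) to match the "Fix CVE-2020-35654" entry directly above it, and consider placing the CVE reference in the same position as in that entry so the changelog reads consistently.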


@ -1,4 +1,4 @@
6.2.2.4 6.2.2.5
------- -------
Security Security
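Review bot: this hunk changes the release heading from "6.2.2.4" to "6.2.2.5" in place rather than adding a new section, while the changelog hunk above still lists "6.2.2.4 (2023-03-29)" as its own release; if 6.2.2.5 is a separate release, confirm that the 6.2.2.4 release notes are preserved elsewhere, otherwise the existing 6.2.2.4 entries below this heading will be presented as 6.2.2.5 content.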
@ -8,4 +8,5 @@ This release addresses several critical CVEs.
:cve:`CVE-2020-35654`: In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. :cve:`CVE-2020-35654`: In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.
:cve:`CVE-2021-25289`: Catch TiffDecode heap-based buffer overflow. Add test files that show the CVE was fixed
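Review bot: the new ":cve:`CVE-2021-25289`" entry describes an action ("Catch ... Add test files ...") where the adjacent ":cve:`CVE-2020-35654`" entry describes the vulnerability itself, and it lacks a terminating period. Per the commit message, the fix for this CVE was an earlier release's change and the upstream commit quoted there is titled "Incorrect error code checking in TiffDecode.c", so a parallel entry would read along the lines of: "The previous fix for CVE-2020-35654 was insufficient because of incorrect error code checking in TiffDecode.c; this release adds test files confirming the fix." Stating that no code changed in this release also avoids readers assuming a new patch is present.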