1 # Patch based on fix to CVE-2014-1932, CVE-2014-1933 from |
2 # https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7 |
3 # plus subsequent fixes at |
4 # https://github.com/python-imaging/Pillow/commit/844ed441deb6b75d3048fa111977188ed47f0b76 |
5 # and |
6 # https://github.com/python-imaging/Pillow/commit/86d5c5c3894f58895f31287081cdd146f5fe00f7 |
7 # |
8 # Patch to be contributed upstream to PIL version 1.1.7 |
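--- a/PIL/EpsImagePlugin.py
+++ b/PIL/EpsImagePlugin.py
@@ -44,7 +44,8 @@ def Ghostscript(tile, size, fp):
 
 import tempfile, os
 
-file = tempfile.mktemp()
+out_fd, file = tempfile.mkstemp()
+os.close(out_fd)
 
 # Build ghostscript command
 command = ["gs",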
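Review bot: The `mkstemp()`/`os.close()` pair added here has no comment explaining why the descriptor is closed straight away and only the path is kept; a line such as `# mkstemp() creates the file exclusively with owner-only permissions; gs reopens it by name, so only the path is kept` would make the intent clear. The same create-then-close pattern is added in `_dump` in Image.py and in the djpeg fallback in JpegImagePlugin.py, and the same comment applies there. Unlike with `mktemp()`, the file now exists from this point on, so an early exit would leave it behind; Ghostscript's body continues outside the hunk, so whether every failure path removes the file cannot be checked from here.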
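--- a/PIL/Image.py
+++ b/PIL/Image.py
@@ -482,14 +482,20 @@ class Image:
 self.readonly = 0
 
 def _dump(self, file=None, format=None):
-import tempfile
+import tempfile, os
+suffix = ''
+if format:
+suffix = '.' + format
 if not file:
-file = tempfile.mktemp()
+f, file = tempfile.mkstemp(suffix)
+os.close(f)
+
 self.load()
 if not format or format == "PPM":
 self.im.save_ppm(file)
 else:
-file = file + "." + format
+if not file.endswith(format):
+file = file + "." + format
 self.save(file, format)
 return file
 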
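Review bot: The new guard `if not file.endswith(format):` tests for the bare format name rather than the extension, so a caller-supplied name such as `dumpPNG` (constructed example) is treated as already suffixed; comparing against the value computed above, `if not file.endswith(suffix):`, matches what `mkstemp(suffix)` produces. When the branch does append the extension, the image is written to a path that was not created by `mkstemp()`; this can only happen for caller-supplied names, but it deserves a one-line comment. Nothing in the visible body removes the returned file, so a docstring on `_dump` should say that the caller owns the file and is expected to delete it.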
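--- a/PIL/IptcImagePlugin.py
+++ b/PIL/IptcImagePlugin.py
@@ -173,8 +173,8 @@ class IptcImageFile(ImageFile.ImageFile)
 self.fp.seek(offset)
 
 # Copy image data to temporary file
-outfile = tempfile.mktemp()
-o = open(outfile, "wb")
+o_fd, outfile = tempfile.mkstemp()
+o = os.fdopen(o_fd)
 if encoding == "raw":
 # To simplify access to the extracted file,
 # prepend a PPM header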
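Review bot: `os.fdopen(o_fd)` opens the descriptor with the default mode, which is read-only, while the line it replaces opened the file with `"wb"`; if the code after the hunk writes the image data to `o`, as the comment above it suggests, those writes will fail. The line should be `o = os.fdopen(o_fd, "wb")`. The hunk also relies on `os` being imported in this module, which is not visible here and is worth confirming.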
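--- a/PIL/JpegImagePlugin.py
+++ b/PIL/JpegImagePlugin.py
@@ -344,13 +344,17 @@ class JpegImageFile(ImageFile.ImageFile)
 # ALTERNATIVE: handle JPEGs via the IJG command line utilities
 
 import tempfile, os
-file = tempfile.mktemp()
-os.system("djpeg %s >%s" % (self.filename, file))
+f, path = tempfile.mkstemp()
+os.close(f)
+if os.path.exists(self.filename):
+os.system("djpeg '%s' >'%s'" % (self.filename, path))
+else:
+raise ValueError("Invalid Filename")
 
 try:
-self.im = Image.core.open_ppm(file)
+self.im = Image.core.open_ppm(path)
 finally:
-try: os.unlink(file)
+try: os.unlink(path)
 except: pass
 
 self.mode = self.im.mode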
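Review bot: Wrapping `self.filename` in single quotes does not make the `os.system` call safe, because a file name that itself contains a single quote ends the quoting and the remainder is interpreted by the shell; the `os.path.exists` check does not help, since a file with such a name can exist. Run the tool without a shell instead, e.g. `subprocess.check_call(["djpeg", "-outfile", path, self.filename])` with `import subprocess`, which also reports a failing djpeg instead of ignoring its exit status. The `raise ValueError("Invalid Filename")` branch runs after `mkstemp()` but before the `try`/`finally`, so the temporary file is left behind on that path; move the existence check above `mkstemp()` or put the command inside the `try`. The enclosing method starts outside the hunk.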