python3-pillow: fix CVE-2026-40192

Backport commit[1] which fixes this vulnerability as mentioned NVD report in [2]. [1] https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-40192 [3] https://security-tracker.debian.org/tracker/CVE-2026-40192 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-14 05:49:57 +00:00 · 2026-04-28 11:29:53 +05:30
parent 955189fbcb
commit fdf83ebd28
2 changed files with 51 additions and 0 deletions
@@ -0,0 +1,50 @@
+From 3cb854e8b2bab43f40e342e665f9340d861aa628 Mon Sep 17 00:00:00 2001
+From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Date: Wed, 1 Apr 2026 00:02:08 +0300
+Subject: [PATCH] Only read as much data from gzip-decompressed data as
+ necessary (#9521)
+
+CVE: CVE-2026-40192
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/PIL/FitsImagePlugin.py | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/src/PIL/FitsImagePlugin.py b/src/PIL/FitsImagePlugin.py
+index 071918925..7791adc50 100644
+--- a/src/PIL/FitsImagePlugin.py
+++ b/src/PIL/FitsImagePlugin.py
+@@ -124,17 +124,18 @@ class FitsGzipDecoder(ImageFile.PyDecoder):
+ 
+     def decode(self, buffer):
+         assert self.fd is not None
+-        value = gzip.decompress(self.fd.read())
+-
+-        rows = []
+-        offset = 0
+-        number_of_bits = min(self.args[0] // 8, 4)
+-        for y in range(self.state.ysize):
+-            row = bytearray()
+-            for x in range(self.state.xsize):
+-                row += value[offset + (4 - number_of_bits) : offset + 4]
+-                offset += 4
+-            rows.append(row)
+        with gzip.open(self.fd) as fp:
+            value = fp.read(self.state.xsize * self.state.ysize * 4)
+
+            rows = []
+            offset = 0
+            number_of_bits = min(self.args[0] // 8, 4)
+            for y in range(self.state.ysize):
+                row = bytearray()
+                for x in range(self.state.xsize):
+                    row += value[offset + (4 - number_of_bits) : offset + 4]
+                    offset += 4
+                rows.append(row)
+         self.set_as_raw(bytes([pixel for row in rows[::-1] for pixel in row]))
+         return -1, 0
+ 
+-- 
+2.50.1
+
@@ -9,6 +9,7 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https
           file://0001-support-cross-compiling.patch \
           file://run-ptest \
           file://CVE-2026-25990.patch \
+           file://CVE-2026-40192.patch \
           "
 SRCREV = "5c89d88eee199ba53f64581ea39b6a1bc52feb1a"