python3-pillow: fix CVE-2026-40192

Backport commit[1] which fixes this vulnerability as mentioned NVD report in [2]. [1] https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-40192 [3] https://security-tracker.debian.org/tracker/CVE-2026-40192 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2026-04-28 11:29:53 +0530
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-29 10:14:29 +0530
commit: fdf83ebd289465a9534b8110a43a03a6cb2e9a5b (patch)
tree: a55e5cd1da4dd2234104509f3dde054f9e34bcfb /meta-python/recipes-devtools/python/python3-pillow
parent: 955189fbcb749b2a14191f4a19fa083d0ca24ce1 (diff)
download: meta-openembedded-fdf83ebd289465a9534b8110a43a03a6cb2e9a5b.tar.gz
1 files changed, 50 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch
new file mode 100644
index 0000000000..7e8170eec6
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch
@@ -0,0 +1,50 @@
+From 3cb854e8b2bab43f40e342e665f9340d861aa628 Mon Sep 17 00:00:00 2001
+From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Date: Wed, 1 Apr 2026 00:02:08 +0300
+Subject: [PATCH] Only read as much data from gzip-decompressed data as
+ necessary (#9521)
+CVE: CVE-2026-40192
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/PIL/FitsImagePlugin.py | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+diff --git a/src/PIL/FitsImagePlugin.py b/src/PIL/FitsImagePlugin.py
+index 071918925..7791adc50 100644
+--- a/src/PIL/FitsImagePlugin.py
+++ b/src/PIL/FitsImagePlugin.py
+@@ -124,17 +124,18 @@ class FitsGzipDecoder(ImageFile.PyDecoder):
+ 
+     def decode(self, buffer):
+         assert self.fd is not None
+-        value = gzip.decompress(self.fd.read())
+-
+-        rows = []
+-        offset = 0
+-        number_of_bits = min(self.args[0] // 8, 4)
+-        for y in range(self.state.ysize):
+-            row = bytearray()
+-            for x in range(self.state.xsize):
+-                row += value[offset + (4 - number_of_bits) : offset + 4]
+-                offset += 4
+-            rows.append(row)
+        with gzip.open(self.fd) as fp:
+            value = fp.read(self.state.xsize * self.state.ysize * 4)
+
+            rows = []
+            offset = 0
+            number_of_bits = min(self.args[0] // 8, 4)
+            for y in range(self.state.ysize):
+                row = bytearray()
+                for x in range(self.state.xsize):
+                    row += value[offset + (4 - number_of_bits) : offset + 4]
+                    offset += 4
+                rows.append(row)
+         self.set_as_raw(bytes([pixel for row in rows[::-1] for pixel in row]))
+         return -1, 0
+ 
+-- 
+2.50.1
author	Hitendra Prajapati <hprajapati@mvista.com>	2026-04-28 11:29:53 +0530
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-04-29 10:14:29 +0530
commit	fdf83ebd289465a9534b8110a43a03a6cb2e9a5b (patch)
tree	a55e5cd1da4dd2234104509f3dde054f9e34bcfb /meta-python/recipes-devtools/python/python3-pillow
parent	955189fbcb749b2a14191f4a19fa083d0ca24ce1 (diff)
download	meta-openembedded-fdf83ebd289465a9534b8110a43a03a6cb2e9a5b.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch new file mode 100644 index 0000000000..7e8170eec6 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch
@@ -0,0 +1,50 @@
	1	From 3cb854e8b2bab43f40e342e665f9340d861aa628 Mon Sep 17 00:00:00 2001
	2	From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
	3	Date: Wed, 1 Apr 2026 00:02:08 +0300
	4	Subject: [PATCH] Only read as much data from gzip-decompressed data as
	5	necessary (#9521)
	6
	7	CVE: CVE-2026-40192
	8	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628]
	9	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	10	---
	11	src/PIL/FitsImagePlugin.py \| 23 ++++++++++++-----------
	12	1 file changed, 12 insertions(+), 11 deletions(-)
	13
	14	diff --git a/src/PIL/FitsImagePlugin.py b/src/PIL/FitsImagePlugin.py
	15	index 071918925..7791adc50 100644
	16	--- a/src/PIL/FitsImagePlugin.py
	17	+++ b/src/PIL/FitsImagePlugin.py
	18	@@ -124,17 +124,18 @@ class FitsGzipDecoder(ImageFile.PyDecoder):
	19
	20	def decode(self, buffer):
	21	assert self.fd is not None
	22	- value = gzip.decompress(self.fd.read())
	23	-
	24	- rows = []
	25	- offset = 0
	26	- number_of_bits = min(self.args[0] // 8, 4)
	27	- for y in range(self.state.ysize):
	28	- row = bytearray()
	29	- for x in range(self.state.xsize):
	30	- row += value[offset + (4 - number_of_bits) : offset + 4]
	31	- offset += 4
	32	- rows.append(row)
	33	+ with gzip.open(self.fd) as fp:
	34	+ value = fp.read(self.state.xsize * self.state.ysize * 4)
	35	+
	36	+ rows = []
	37	+ offset = 0
	38	+ number_of_bits = min(self.args[0] // 8, 4)
	39	+ for y in range(self.state.ysize):
	40	+ row = bytearray()
	41	+ for x in range(self.state.xsize):
	42	+ row += value[offset + (4 - number_of_bits) : offset + 4]
	43	+ offset += 4
	44	+ rows.append(row)
	45	self.set_as_raw(bytes([pixel for row in rows[::-1] for pixel in row]))
	46	return -1, 0
	47
	48	--
	49	2.50.1
	50