2 files changed, 51 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch
new file mode 100644
index 0000000000..7e8170eec6
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch
@@ -0,0 +1,50 @@
+From 3cb854e8b2bab43f40e342e665f9340d861aa628 Mon Sep 17 00:00:00 2001
+From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Date: Wed, 1 Apr 2026 00:02:08 +0300
+Subject: [PATCH] Only read as much data from gzip-decompressed data as
+ necessary (#9521)
+CVE: CVE-2026-40192
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/PIL/FitsImagePlugin.py | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+diff --git a/src/PIL/FitsImagePlugin.py b/src/PIL/FitsImagePlugin.py
+index 071918925..7791adc50 100644
+--- a/src/PIL/FitsImagePlugin.py
+++ b/src/PIL/FitsImagePlugin.py
+@@ -124,17 +124,18 @@ class FitsGzipDecoder(ImageFile.PyDecoder):
+ 
+     def decode(self, buffer):
+         assert self.fd is not None
+-        value = gzip.decompress(self.fd.read())
+-
+-        rows = []
+-        offset = 0
+-        number_of_bits = min(self.args[0] // 8, 4)
+-        for y in range(self.state.ysize):
+-            row = bytearray()
+-            for x in range(self.state.xsize):
+-                row += value[offset + (4 - number_of_bits) : offset + 4]
+-                offset += 4
+-            rows.append(row)
+        with gzip.open(self.fd) as fp:
+            value = fp.read(self.state.xsize * self.state.ysize * 4)
+
+            rows = []
+            offset = 0
+            number_of_bits = min(self.args[0] // 8, 4)
+            for y in range(self.state.ysize):
+                row = bytearray()
+                for x in range(self.state.xsize):
+                    row += value[offset + (4 - number_of_bits) : offset + 4]
+                    offset += 4
+                rows.append(row)
+         self.set_as_raw(bytes([pixel for row in rows[::-1] for pixel in row]))
+         return -1, 0
+ 
+-- 
+2.50.1
diff --git a/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb b/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb
index a81bcca215..9f1ef87a46 100644
--- a/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb
+++ b/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb
@@ -9,6 +9,7 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https
           file://0001-support-cross-compiling.patch \
           file://run-ptest \
           file://CVE-2026-25990.patch \
+           file://CVE-2026-40192.patch \
           "
 SRCREV = "5c89d88eee199ba53f64581ea39b6a1bc52feb1a"

diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch new file mode 100644 index 0000000000..7e8170eec6 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2026-40192.patch
@@ -0,0 +1,50 @@
		1	From 3cb854e8b2bab43f40e342e665f9340d861aa628 Mon Sep 17 00:00:00 2001
		2	From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
		3	Date: Wed, 1 Apr 2026 00:02:08 +0300
		4	Subject: [PATCH] Only read as much data from gzip-decompressed data as
		5	necessary (#9521)
		6
		7	CVE: CVE-2026-40192
		8	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628]
		9	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		10	---
		11	src/PIL/FitsImagePlugin.py \| 23 ++++++++++++-----------
		12	1 file changed, 12 insertions(+), 11 deletions(-)
		13
		14	diff --git a/src/PIL/FitsImagePlugin.py b/src/PIL/FitsImagePlugin.py
		15	index 071918925..7791adc50 100644
		16	--- a/src/PIL/FitsImagePlugin.py
		17	+++ b/src/PIL/FitsImagePlugin.py
		18	@@ -124,17 +124,18 @@ class FitsGzipDecoder(ImageFile.PyDecoder):
		19
		20	def decode(self, buffer):
		21	assert self.fd is not None
		22	- value = gzip.decompress(self.fd.read())
		23	-
		24	- rows = []
		25	- offset = 0
		26	- number_of_bits = min(self.args[0] // 8, 4)
		27	- for y in range(self.state.ysize):
		28	- row = bytearray()
		29	- for x in range(self.state.xsize):
		30	- row += value[offset + (4 - number_of_bits) : offset + 4]
		31	- offset += 4
		32	- rows.append(row)
		33	+ with gzip.open(self.fd) as fp:
		34	+ value = fp.read(self.state.xsize * self.state.ysize * 4)
		35	+
		36	+ rows = []
		37	+ offset = 0
		38	+ number_of_bits = min(self.args[0] // 8, 4)
		39	+ for y in range(self.state.ysize):
		40	+ row = bytearray()
		41	+ for x in range(self.state.xsize):
		42	+ row += value[offset + (4 - number_of_bits) : offset + 4]
		43	+ offset += 4
		44	+ rows.append(row)
		45	self.set_as_raw(bytes([pixel for row in rows[::-1] for pixel in row]))
		46	return -1, 0
		47
		48	--
		49	2.50.1
		50


diff --git a/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb b/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb index a81bcca215..9f1ef87a46 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb
@@ -9,6 +9,7 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https
9	file://0001-support-cross-compiling.patch \	9	file://0001-support-cross-compiling.patch \
10	file://run-ptest \	10	file://run-ptest \
11	file://CVE-2026-25990.patch \	11	file://CVE-2026-25990.patch \
		12	file://CVE-2026-40192.patch \
12	"	13	"
13	SRCREV = "5c89d88eee199ba53f64581ea39b6a1bc52feb1a"	14	SRCREV = "5c89d88eee199ba53f64581ea39b6a1bc52feb1a"
14		15