- CVE-2026-25990: out-of-bounds write when opening a specially crafted PSD image (bsc#1258125)

added CVE-2026-25990.patch

CVE-2026-25990.patch

@@ -0,0 +1,58 @@
+From 54ba4db542ad3c7b918812a4e2d69c27735a3199 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <3112309+radarhere@users.noreply.github.com>
+Date: Wed, 11 Feb 2026 10:24:50 +1100
+Subject: [PATCH] Fix OOB Write with invalid tile extents (#9427)
+
+Co-authored-by: Eric Soroos <eric-github@soroos.net>
+---
+ Tests/test_imagefile.py          |   7 +++++++
+ src/decode.c                     |   3 ++-
+ src/encode.c                     |   3 ++-
+ 9 files changed, 53 insertions(+), 2 deletions(-)
+
+Index: pillow-11.3.0/Tests/test_imagefile.py
+===================================================================
+--- pillow-11.3.0.orig/Tests/test_imagefile.py
++++ pillow-11.3.0/Tests/test_imagefile.py
+@@ -169,6 +169,13 @@ class TestImageFile:
+         with pytest.raises(OSError):
+             p.close()
+ 
++    @pytest.mark.parametrize("xy", ((-1, 0), (0, -1)))
++    def test_negative_tile_extents(self, xy: tuple[int, int]) -> None:
++        im = Image.new("1", (1, 1))
++        fp = BytesIO()
++        with pytest.raises(SystemError, match="tile cannot extend outside image"):
++            ImageFile._save(im, fp, [ImageFile._Tile("raw", xy + (1, 1), 0, "1")])
++
+     def test_no_format(self) -> None:
+         buf = BytesIO(b"\x00" * 255)
+ 
+Index: pillow-11.3.0/src/decode.c
+===================================================================
+--- pillow-11.3.0.orig/src/decode.c
++++ pillow-11.3.0/src/decode.c
+@@ -186,7 +186,8 @@ _setimage(ImagingDecoderObject *decoder,
+         state->ysize = y1 - y0;
+     }
+ 
+-    if (state->xsize <= 0 || state->xsize + state->xoff > (int)im->xsize ||
++    if (state->xoff < 0 || state->xsize <= 0 ||
++        state->xsize + state->xoff > (int)im->xsize || state->yoff < 0 ||
+         state->ysize <= 0 || state->ysize + state->yoff > (int)im->ysize) {
+         PyErr_SetString(PyExc_ValueError, "tile cannot extend outside image");
+         return NULL;
+Index: pillow-11.3.0/src/encode.c
+===================================================================
+--- pillow-11.3.0.orig/src/encode.c
++++ pillow-11.3.0/src/encode.c
+@@ -254,7 +254,8 @@ _setimage(ImagingEncoderObject *encoder,
+         state->ysize = y1 - y0;
+     }
+ 
+-    if (state->xsize <= 0 || state->xsize + state->xoff > im->xsize ||
++    if (state->xoff < 0 || state->xsize <= 0 ||
++        state->xsize + state->xoff > im->xsize || state->yoff < 0 ||
+         state->ysize <= 0 || state->ysize + state->yoff > im->ysize) {
+         PyErr_SetString(PyExc_SystemError, "tile cannot extend outside image");
+         return NULL;

python-Pillow.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Feb 12 12:46:18 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
+
+- CVE-2026-25990: out-of-bounds write when opening a specially crafted PSD image (bsc#1258125)
+  added CVE-2026-25990.patch
+
 -------------------------------------------------------------------
 Wed Jul  2 07:29:33 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
 

python-Pillow.spec

@@ -25,7 +25,9 @@ License:        HPND
 URL:            https://python-pillow.org/
 Source:         https://files.pythonhosted.org/packages/source/p/pillow/pillow-%{version}.tar.gz
 # PATCH-FIX-UPSTREAM as per https://github.com/python-pillow/Pillow/issues/8831
-Patch:          libwebp150.patch
+Patch0:         libwebp150.patch
+# PATCH-FIX-UPSTREAM CVE-2026-25990.patch bsc#1258125 gh#python-Pillow/Pillow@54ba4db
+Patch1:         CVE-2026-25990.patch
 BuildRequires:  %{python_module devel >= 3.8}
 BuildRequires:  %{python_module olefile}
 BuildRequires:  %{python_module pip}