diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2024-02-23 07:44:43 +0530 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2024-03-03 16:38:27 -0500 |
commit | c74ebbddfd9dbe02d3f7422016324451eb218e1e (patch) | |
tree | 73528545bd0c5aaf1cb0590192b67abf2bc1f860 | |
parent | 3c1bd6e007cd2bc6bee06d8784dcce71644401a9 (diff) | |
download | meta-openembedded-c74ebbddfd9dbe02d3f7422016324451eb218e1e.tar.gz |
python3-pillow: Fix for CVE-2023-50447
Upstream-Status: Backport
[https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a
&
https://github.com/python-pillow/Pillow/commit/0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80
&
https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
4 files changed, 132 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch new file mode 100644 index 000000000..f9e3c4950 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001 | ||
2 | From: Eric Soroos <eric-github@soroos.net> | ||
3 | Date: Fri, 27 Oct 2023 11:21:18 +0200 | ||
4 | Subject: [PATCH] Don't allow __ or builtins in env dictionarys for | ||
5 | ImageMath.eval | ||
6 | |||
7 | Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a] | ||
8 | CVE: CVE-2023-50447 | ||
9 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
10 | --- | ||
11 | src/PIL/ImageMath.py | 4 ++++ | ||
12 | 1 file changed, 4 insertions(+) | ||
13 | |||
14 | diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py | ||
15 | index 392151c10..4cea3855e 100644 | ||
16 | --- a/src/PIL/ImageMath.py | ||
17 | +++ b/src/PIL/ImageMath.py | ||
18 | @@ -261,6 +261,10 @@ def eval(expression, _dict={}, **kw): | ||
19 | args.update(_dict) | ||
20 | args.update(kw) | ||
21 | for k, v in list(args.items()): | ||
22 | + if '__' in k or hasattr(__builtins__, k): | ||
23 | + msg = f"'{k}' not allowed" | ||
24 | + raise ValueError(msg) | ||
25 | + | ||
26 | if hasattr(v, "im"): | ||
27 | args[k] = _Operand(v) | ||
28 | |||
29 | -- | ||
30 | 2.25.1 | ||
31 | |||
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch new file mode 100644 index 000000000..9c5d3fbcd --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | From 0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80 Mon Sep 17 00:00:00 2001 | ||
2 | From: Andrew Murray <radarhere@users.noreply.github.com> | ||
3 | Date: Sat, 28 Oct 2023 15:58:52 +1100 | ||
4 | Subject: [PATCH] Allow ops | ||
5 | |||
6 | Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80] | ||
7 | CVE: CVE-2023-50447 | ||
8 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
9 | --- | ||
10 | Tests/test_imagemath.py | 4 ++++ | ||
11 | src/PIL/ImageMath.py | 9 +++++---- | ||
12 | 2 files changed, 9 insertions(+), 4 deletions(-) | ||
13 | |||
14 | diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py | ||
15 | index da41b3a12..14a58a532 100644 | ||
16 | --- a/Tests/test_imagemath.py | ||
17 | +++ b/Tests/test_imagemath.py | ||
18 | @@ -56,6 +56,10 @@ class TestImageMath(PillowTestCase): | ||
19 | pixel(ImageMath.eval("float(B)**33", images)), "F 8589934592.0" | ||
20 | ) | ||
21 | |||
22 | + def test_prevent_double_underscores(): | ||
23 | + with pytest.raises(ValueError): | ||
24 | + ImageMath.eval("1", {"__": None}) | ||
25 | + | ||
26 | def test_logical(self): | ||
27 | self.assertEqual(pixel(ImageMath.eval("not A", images)), 0) | ||
28 | self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2") | ||
29 | diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py | ||
30 | index 4cea3855e..776604e3f 100644 | ||
31 | --- a/src/PIL/ImageMath.py | ||
32 | +++ b/src/PIL/ImageMath.py | ||
33 | @@ -258,13 +258,14 @@ def eval(expression, _dict={}, **kw): | ||
34 | |||
35 | # build execution namespace | ||
36 | args = ops.copy() | ||
37 | - args.update(_dict) | ||
38 | - args.update(kw) | ||
39 | - for k, v in list(args.items()): | ||
40 | - if '__' in k or hasattr(__builtins__, k): | ||
41 | + for k in list(_dict.keys()) + list(kw.keys()): | ||
42 | + if "__" in k or hasattr(__builtins__, k): | ||
43 | msg = f"'{k}' not allowed" | ||
44 | raise ValueError(msg) | ||
45 | |||
46 | + args.update(_dict) | ||
47 | + args.update(kw) | ||
48 | + for k, v in list(args.items()): | ||
49 | if hasattr(v, "im"): | ||
50 | args[k] = _Operand(v) | ||
51 | |||
52 | -- | ||
53 | 2.25.1 | ||
54 | |||
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch new file mode 100644 index 000000000..b93425ee5 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 557ba59d13de919d04b3fd4cdef8634f7d4b3348 Mon Sep 17 00:00:00 2001 | ||
2 | From: Andrew Murray <radarhere@users.noreply.github.com> | ||
3 | Date: Sat, 30 Dec 2023 09:30:12 +1100 | ||
4 | Subject: [PATCH] Include further builtins | ||
5 | |||
6 | Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348] | ||
7 | CVE: CVE-2023-50447 | ||
8 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
9 | --- | ||
10 | Tests/test_imagemath.py | 4 ++++ | ||
11 | src/PIL/ImageMath.py | 2 +- | ||
12 | 2 files changed, 5 insertions(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py | ||
15 | index 14a58a532..5bba832e2 100644 | ||
16 | --- a/Tests/test_imagemath.py | ||
17 | +++ b/Tests/test_imagemath.py | ||
18 | @@ -60,6 +60,10 @@ class TestImageMath(PillowTestCase): | ||
19 | with pytest.raises(ValueError): | ||
20 | ImageMath.eval("1", {"__": None}) | ||
21 | |||
22 | + def test_prevent_builtins(): | ||
23 | + with pytest.raises(ValueError): | ||
24 | + ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}) | ||
25 | + | ||
26 | def test_logical(self): | ||
27 | self.assertEqual(pixel(ImageMath.eval("not A", images)), 0) | ||
28 | self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2") | ||
29 | diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py | ||
30 | index 776604e3f..c6bc22180 100644 | ||
31 | --- a/src/PIL/ImageMath.py | ||
32 | +++ b/src/PIL/ImageMath.py | ||
33 | @@ -259,7 +259,7 @@ def eval(expression, _dict={}, **kw): | ||
34 | # build execution namespace | ||
35 | args = ops.copy() | ||
36 | for k in list(_dict.keys()) + list(kw.keys()): | ||
37 | - if "__" in k or hasattr(__builtins__, k): | ||
38 | + if "__" in k or hasattr(builtins, k): | ||
39 | msg = f"'{k}' not allowed" | ||
40 | raise ValueError(msg) | ||
41 | |||
42 | -- | ||
43 | 2.25.1 | ||
44 | |||
diff --git a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb b/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb index eda0bd57d..6567b32d0 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb | |||
@@ -9,6 +9,9 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=6.2.x;protocol=https | |||
9 | file://0001-support-cross-compiling.patch \ | 9 | file://0001-support-cross-compiling.patch \ |
10 | file://0001-explicitly-set-compile-options.patch \ | 10 | file://0001-explicitly-set-compile-options.patch \ |
11 | file://0001-CVE-2022-45198.patch \ | 11 | file://0001-CVE-2022-45198.patch \ |
12 | file://CVE-2023-50447-1.patch \ | ||
13 | file://CVE-2023-50447-2.patch \ | ||
14 | file://CVE-2023-50447-3.patch \ | ||
12 | " | 15 | " |
13 | SRCREV ?= "6e0f07bbe38def22d36ee176b2efd9ea74b453a6" | 16 | SRCREV ?= "6e0f07bbe38def22d36ee176b2efd9ea74b453a6" |
14 | 17 | ||