python3-pillow: Fix for CVE-2023-50447

Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a & https://github.com/python-pillow/Pillow/commit/0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80 & https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-02-23 07:44:43 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-03-03 16:38:27 -0500
commit: c74ebbddfd9dbe02d3f7422016324451eb218e1e (patch)
tree: 73528545bd0c5aaf1cb0590192b67abf2bc1f860
parent: 3c1bd6e007cd2bc6bee06d8784dcce71644401a9 (diff)
download: meta-openembedded-c74ebbddfd9dbe02d3f7422016324451eb218e1e.tar.gz
4 files changed, 132 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch
new file mode 100644
index 000000000..f9e3c4950
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch
@@ -0,0 +1,31 @@
+From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Fri, 27 Oct 2023 11:21:18 +0200
+Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
+ ImageMath.eval
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a]
+CVE: CVE-2023-50447
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/PIL/ImageMath.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 392151c10..4cea3855e 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -261,6 +261,10 @@ def eval(expression, _dict={}, **kw):
+     args.update(_dict)
+     args.update(kw)
+     for k, v in list(args.items()):
+        if '__' in k or hasattr(__builtins__, k):
+            msg = f"'{k}' not allowed"
+            raise ValueError(msg)
+
+         if hasattr(v, "im"):
+             args[k] = _Operand(v)
+ 
+-- 
+2.25.1
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch
new file mode 100644
index 000000000..9c5d3fbcd
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch
@@ -0,0 +1,54 @@
+From 0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Sat, 28 Oct 2023 15:58:52 +1100
+Subject: [PATCH] Allow ops
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80]
+CVE: CVE-2023-50447
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Tests/test_imagemath.py | 4 ++++
+ src/PIL/ImageMath.py    | 9 +++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index da41b3a12..14a58a532 100644
+--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
+@@ -56,6 +56,10 @@ class TestImageMath(PillowTestCase):
+             pixel(ImageMath.eval("float(B)**33", images)), "F 8589934592.0"
+         )
+ 
+    def test_prevent_double_underscores():
+        with pytest.raises(ValueError):
+            ImageMath.eval("1", {"__": None})
+
+     def test_logical(self):
+         self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
+         self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 4cea3855e..776604e3f 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -258,13 +258,14 @@ def eval(expression, _dict={}, **kw):
+ 
+     # build execution namespace
+     args = ops.copy()
+-    args.update(_dict)
+-    args.update(kw)
+-    for k, v in list(args.items()):
+-        if '__' in k or hasattr(__builtins__, k):
+    for k in list(_dict.keys()) + list(kw.keys()):
+        if "__" in k or hasattr(__builtins__, k):
+             msg = f"'{k}' not allowed"
+             raise ValueError(msg)
+ 
+    args.update(_dict)
+    args.update(kw)
+    for k, v in list(args.items()):
+         if hasattr(v, "im"):
+             args[k] = _Operand(v)
+ 
+-- 
+2.25.1
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch
new file mode 100644
index 000000000..b93425ee5
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch
@@ -0,0 +1,44 @@
+From 557ba59d13de919d04b3fd4cdef8634f7d4b3348 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Sat, 30 Dec 2023 09:30:12 +1100
+Subject: [PATCH] Include further builtins
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348]
+CVE: CVE-2023-50447
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Tests/test_imagemath.py | 4 ++++
+ src/PIL/ImageMath.py    | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index 14a58a532..5bba832e2 100644
+--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
+@@ -60,6 +60,10 @@ class TestImageMath(PillowTestCase):
+         with pytest.raises(ValueError):
+             ImageMath.eval("1", {"__": None})
+ 
+    def test_prevent_builtins():
+        with pytest.raises(ValueError):
+            ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
+
+     def test_logical(self):
+         self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
+         self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 776604e3f..c6bc22180 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -259,7 +259,7 @@ def eval(expression, _dict={}, **kw):
+     # build execution namespace
+     args = ops.copy()
+     for k in list(_dict.keys()) + list(kw.keys()):
+-        if "__" in k or hasattr(__builtins__, k):
+        if "__" in k or hasattr(builtins, k):
+             msg = f"'{k}' not allowed"
+             raise ValueError(msg)
+ 
+-- 
+2.25.1
diff --git a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb b/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb
index eda0bd57d..6567b32d0 100644
--- a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb
+++ b/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb
@@ -9,6 +9,9 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=6.2.x;protocol=https
           file://0001-support-cross-compiling.patch \
           file://0001-explicitly-set-compile-options.patch \
           file://0001-CVE-2022-45198.patch \
+           file://CVE-2023-50447-1.patch \
+           file://CVE-2023-50447-2.patch \
+           file://CVE-2023-50447-3.patch \
 "
 SRCREV ?= "6e0f07bbe38def22d36ee176b2efd9ea74b453a6"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-02-23 07:44:43 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-03-03 16:38:27 -0500
commit	c74ebbddfd9dbe02d3f7422016324451eb218e1e (patch)
tree	73528545bd0c5aaf1cb0590192b67abf2bc1f860
parent	3c1bd6e007cd2bc6bee06d8784dcce71644401a9 (diff)
download	meta-openembedded-c74ebbddfd9dbe02d3f7422016324451eb218e1e.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch new file mode 100644 index 000000000..f9e3c4950 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch
@@ -0,0 +1,31 @@
		1	From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001
		2	From: Eric Soroos <eric-github@soroos.net>
		3	Date: Fri, 27 Oct 2023 11:21:18 +0200
		4	Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
		5	ImageMath.eval
		6
		7	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a]
		8	CVE: CVE-2023-50447
		9	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		10	---
		11	src/PIL/ImageMath.py \| 4 ++++
		12	1 file changed, 4 insertions(+)
		13
		14	diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
		15	index 392151c10..4cea3855e 100644
		16	--- a/src/PIL/ImageMath.py
		17	+++ b/src/PIL/ImageMath.py
		18	@@ -261,6 +261,10 @@ def eval(expression, _dict={}, **kw):
		19	args.update(_dict)
		20	args.update(kw)
		21	for k, v in list(args.items()):
		22	+ if '__' in k or hasattr(__builtins__, k):
		23	+ msg = f"'{k}' not allowed"
		24	+ raise ValueError(msg)
		25	+
		26	if hasattr(v, "im"):
		27	args[k] = _Operand(v)
		28
		29	--
		30	2.25.1
		31


diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch new file mode 100644 index 000000000..9c5d3fbcd --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch
@@ -0,0 +1,54 @@
		1	From 0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80 Mon Sep 17 00:00:00 2001
		2	From: Andrew Murray <radarhere@users.noreply.github.com>
		3	Date: Sat, 28 Oct 2023 15:58:52 +1100
		4	Subject: [PATCH] Allow ops
		5
		6	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80]
		7	CVE: CVE-2023-50447
		8	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		9	---
		10	Tests/test_imagemath.py \| 4 ++++
		11	src/PIL/ImageMath.py \| 9 +++++----
		12	2 files changed, 9 insertions(+), 4 deletions(-)
		13
		14	diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
		15	index da41b3a12..14a58a532 100644
		16	--- a/Tests/test_imagemath.py
		17	+++ b/Tests/test_imagemath.py
		18	@@ -56,6 +56,10 @@ class TestImageMath(PillowTestCase):
		19	pixel(ImageMath.eval("float(B)**33", images)), "F 8589934592.0"
		20	)
		21
		22	+ def test_prevent_double_underscores():
		23	+ with pytest.raises(ValueError):
		24	+ ImageMath.eval("1", {"__": None})
		25	+
		26	def test_logical(self):
		27	self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
		28	self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
		29	diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
		30	index 4cea3855e..776604e3f 100644
		31	--- a/src/PIL/ImageMath.py
		32	+++ b/src/PIL/ImageMath.py
		33	@@ -258,13 +258,14 @@ def eval(expression, _dict={}, **kw):
		34
		35	# build execution namespace
		36	args = ops.copy()
		37	- args.update(_dict)
		38	- args.update(kw)
		39	- for k, v in list(args.items()):
		40	- if '__' in k or hasattr(__builtins__, k):
		41	+ for k in list(_dict.keys()) + list(kw.keys()):
		42	+ if "__" in k or hasattr(__builtins__, k):
		43	msg = f"'{k}' not allowed"
		44	raise ValueError(msg)
		45
		46	+ args.update(_dict)
		47	+ args.update(kw)
		48	+ for k, v in list(args.items()):
		49	if hasattr(v, "im"):
		50	args[k] = _Operand(v)
		51
		52	--
		53	2.25.1
		54


diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch new file mode 100644 index 000000000..b93425ee5 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch
@@ -0,0 +1,44 @@
		1	From 557ba59d13de919d04b3fd4cdef8634f7d4b3348 Mon Sep 17 00:00:00 2001
		2	From: Andrew Murray <radarhere@users.noreply.github.com>
		3	Date: Sat, 30 Dec 2023 09:30:12 +1100
		4	Subject: [PATCH] Include further builtins
		5
		6	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348]
		7	CVE: CVE-2023-50447
		8	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		9	---
		10	Tests/test_imagemath.py \| 4 ++++
		11	src/PIL/ImageMath.py \| 2 +-
		12	2 files changed, 5 insertions(+), 1 deletion(-)
		13
		14	diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
		15	index 14a58a532..5bba832e2 100644
		16	--- a/Tests/test_imagemath.py
		17	+++ b/Tests/test_imagemath.py
		18	@@ -60,6 +60,10 @@ class TestImageMath(PillowTestCase):
		19	with pytest.raises(ValueError):
		20	ImageMath.eval("1", {"__": None})
		21
		22	+ def test_prevent_builtins():
		23	+ with pytest.raises(ValueError):
		24	+ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
		25	+
		26	def test_logical(self):
		27	self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
		28	self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
		29	diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
		30	index 776604e3f..c6bc22180 100644
		31	--- a/src/PIL/ImageMath.py
		32	+++ b/src/PIL/ImageMath.py
		33	@@ -259,7 +259,7 @@ def eval(expression, _dict={}, **kw):
		34	# build execution namespace
		35	args = ops.copy()
		36	for k in list(_dict.keys()) + list(kw.keys()):
		37	- if "__" in k or hasattr(__builtins__, k):
		38	+ if "__" in k or hasattr(builtins, k):
		39	msg = f"'{k}' not allowed"
		40	raise ValueError(msg)
		41
		42	--
		43	2.25.1
		44


diff --git a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb b/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb index eda0bd57d..6567b32d0 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb
@@ -9,6 +9,9 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=6.2.x;protocol=https
9	file://0001-support-cross-compiling.patch \	9	file://0001-support-cross-compiling.patch \
10	file://0001-explicitly-set-compile-options.patch \	10	file://0001-explicitly-set-compile-options.patch \
11	file://0001-CVE-2022-45198.patch \	11	file://0001-CVE-2022-45198.patch \
		12	file://CVE-2023-50447-1.patch \
		13	file://CVE-2023-50447-2.patch \
		14	file://CVE-2023-50447-3.patch \
12	"	15	"
13	SRCREV ?= "6e0f07bbe38def22d36ee176b2efd9ea74b453a6"	16	SRCREV ?= "6e0f07bbe38def22d36ee176b2efd9ea74b453a6"
14		17