python3-pillow: Fix CVE-2023-50447

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code
Execution via the environment parameter, a different vulnerability
than CVE-2022-22817 (which was about the expression parameter).

References:
https://security-tracker.debian.org/tracker/CVE-2023-50447
https://github.com/python-pillow/Pillow/blob/10.2.0/CHANGES.rst

Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

1 files changed, 31 insertions, 0 deletions

diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch
new file mode 100644
index 0000000000..13fbaf6d78
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch
@@ -0,0 +1,31 @@
+From  45c726fd4daa63236a8f3653530f297dc87b160a
+From: Eric Soroos <eric-github@soroos.net>
+Date:   Fri Oct 27 11:21:18 2023 +0200
+Subject: [PATCH] python3-pillow: Don't allow __ or builtins in env dictionarys
+
+CVE: CVE-2023-50447
+
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a]
+
+Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
+---
+ src/PIL/ImageMath.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 71872a3fb..923a8eeae 100644
+--- a/src/PIL/ImageMath.py
++++ b/src/PIL/ImageMath.py
+@@ -240,6 +240,10 @@ def eval(expression, _dict={}, **kw):
+     args.update(_dict)
+     args.update(kw)
+     for k, v in args.items():
++        if '__' in k or hasattr(__builtins__, k):
++            msg = f"'{k}' not allowed"
++            raise ValueError(msg)
++
+         if hasattr(v, "im"):
+             args[k] = _Operand(v)
+
+--
+2.40.0