python3-pillow: patch CVE-2026-25990

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990

Backport the patch referenced by the NVD advisory.

Note that the patch contain some new binary test data, which
requires "git" PATCHTOOL - other tools fail to apply binary patches.

All ptests passed successfully:

Testsuite summary
TOTAL: 5011
PASS: 4577
SKIP: 431
XFAIL: 3
FAIL: 0
XPASS: 0
ERROR: 0
DURATION: 59
END: /usr/lib/python3-pillow/ptest
2026-03-06T17:58
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb b/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb
index 4db5db1572..34b462ca4f 100644
--- a/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb
+++ b/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a1b708da743e3fc0e5c35e92daac0bf8"
 
 SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https;tag=${PV} \
            file://0001-support-cross-compiling.patch \
+           file://CVE-2026-25990.patch \
            "
 SRCREV = "693df7b42c666f88c719f9973be0ad71607328e0"
 
@@ -65,3 +66,7 @@ CVE_PRODUCT = "pillow"
 RPROVIDES:${PN} += "python3-imaging"
 
 BBCLASSEXTEND = "native"
+
+# CVE-2026-25990.patch in SRC_URI contains a binary blob, which needs to
+# be applied with git
+PATCHTOOL = "git"