python3-pillow: Fix CVE-2023-50447

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). References: https://security-tracker.debian.org/tracker/CVE-2023-50447 https://github.com/python-pillow/Pillow/blob/10.2.0/CHANGES.rst Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com> 2024-04-08 09:42:28 +0000
committer: Armin Kuster <akuster808@gmail.com> 2024-04-28 13:10:23 -0400
commit: 717462f81159d00336733c62208b55db22ea1fdb (patch)
tree: 40b6ac3e92c71505c35451e7a21417b90049a1bf /meta-python
parent: 0fffd4d4221461efd0d0600634af1f5dcbd846e4 (diff)
download: meta-openembedded-717462f81159d00336733c62208b55db22ea1fdb.tar.gz
5 files changed, 186 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch
new file mode 100644
index 0000000000..7de12be5d5
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch
@@ -0,0 +1,29 @@
+From  3652f431c2d8b9c10bf20b70f284d300d12e814a
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date:   Sat Oct 28 14:22:39 2023 +1100
+Subject: [PATCH] python3-pillow: Simplified code
+CVE: CVE-2023-50447
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/3652f431c2d8b9c10bf20b70f284d300d12e814a]
+Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
+---
+ src/PIL/ImageMath.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index ac7d36b69..71872a3fb 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -239,7 +239,7 @@ def eval(expression, _dict={}, **kw):
+     args = ops.copy()
+     args.update(_dict)
+     args.update(kw)
+-    for k, v in list(args.items()):
+    for k, v in args.items():
+         if hasattr(v, "im"):
+             args[k] = _Operand(v)
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch
new file mode 100644
index 0000000000..13fbaf6d78
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch
@@ -0,0 +1,31 @@
+From  45c726fd4daa63236a8f3653530f297dc87b160a
+From: Eric Soroos <eric-github@soroos.net>
+Date:   Fri Oct 27 11:21:18 2023 +0200
+Subject: [PATCH] python3-pillow: Don't allow __ or builtins in env dictionarys
+CVE: CVE-2023-50447
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a]
+Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
+---
+ src/PIL/ImageMath.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 71872a3fb..923a8eeae 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -240,6 +240,10 @@ def eval(expression, _dict={}, **kw):
+     args.update(_dict)
+     args.update(kw)
+     for k, v in args.items():
+        if '__' in k or hasattr(__builtins__, k):
+            msg = f"'{k}' not allowed"
+            raise ValueError(msg)
+
+         if hasattr(v, "im"):
+             args[k] = _Operand(v)
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch
new file mode 100644
index 0000000000..bbfc32a6c7
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch
@@ -0,0 +1,56 @@
+From  0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Sat, 28 Oct 2023 15:58:52 +1100
+Subject: [PATCH] python3-pillow: Allow ops
+CVE: CVE-2023-50447
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80]
+Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
+---
+ Tests/test_imagemath.py | 5 +++++
+ src/PIL/ImageMath.py    | 9 +++++----
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index fe7ac9a7a..ded8c0011 100644
+--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
+@@ -63,6 +63,11 @@ def test_prevent_exec(expression):
+         ImageMath.eval(expression)
+def test_prevent_double_underscores():
+    with pytest.raises(ValueError):
+        ImageMath.eval("1", {"__": None})
+
+
+ def test_logical():
+     assert pixel(ImageMath.eval("not A", images)) == 0
+     assert pixel(ImageMath.eval("A and B", images)) == "L 2"
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 923a8eeae..c14598a4c 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -237,13 +237,14 @@ def eval(expression, _dict={}, **kw):
+     # build execution namespace
+     args = ops.copy()
+-    args.update(_dict)
+-    args.update(kw)
+-    for k, v in args.items():
+-        if '__' in k or hasattr(__builtins__, k):
+    for k in list(_dict.keys()) + list(kw.keys()):
+        if "__" in k or hasattr(__builtins__, k):
+             msg = f"'{k}' not allowed"
+             raise ValueError(msg)
+    args.update(_dict)
+    args.update(kw)
+    for k, v in args.items():
+         if hasattr(v, "im"):
+             args[k] = _Operand(v)
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch
new file mode 100644
index 0000000000..da3e2c1974
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch
@@ -0,0 +1,66 @@
+From 557ba59d13de919d04b3fd4cdef8634f7d4b3348
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date:   Sat Dec 30 09:30:12 2023 +1100
+Subject: [PATCH] python3-pillow: Include further builtins
+CVE: CVE-2023-50447
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348]
+Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
+---
+ Tests/test_imagemath.py     | 5 +++++
+ docs/releasenotes/9.4.0.rst | 8 ++++++++
+ src/PIL/ImageMath.py        | 2 +-
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index ded8c0011..124687478 100644
+--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
+@@ -67,6 +67,11 @@ def test_prevent_double_underscores():
+     with pytest.raises(ValueError):
+         ImageMath.eval("1", {"__": None})
+def test_prevent_builtins():
+    with pytest.raises(ValueError):
+        ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
+
+
+ def test_logical():
+     assert pixel(ImageMath.eval("not A", images)) == 0
+diff --git a/docs/releasenotes/9.4.0.rst b/docs/releasenotes/9.4.0.rst
+index 0af5bc8ca..9ca7c9f6f 100644
+--- a/docs/releasenotes/9.4.0.rst
+++ b/docs/releasenotes/9.4.0.rst
+@@ -88,6 +88,14 @@ Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a
+ crash. An error is now raised instead. This has been present since
+ Pillow 8.0.0.
+Restricted environment keys for ImageMath.eval
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+:cve:`2023-50447`: If an attacker has control over the keys passed to the
+``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
+arbitrary code. To prevent this, keys matching the names of builtins and keys
+containing double underscores will now raise a :py:exc:`ValueError`.
+
+ Other Changes
+ =============
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index c14598a4c..b2c50bc5b 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -238,7 +238,7 @@ def eval(expression, _dict={}, **kw):
+     # build execution namespace
+     args = ops.copy()
+     for k in list(_dict.keys()) + list(kw.keys()):
+-        if "__" in k or hasattr(__builtins__, k):
+        if "__" in k or hasattr(builtins, k):
+             msg = f"'{k}' not allowed"
+             raise ValueError(msg)
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb b/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb
index b9c09127c5..e1d0b30860 100644
--- a/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb
+++ b/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb
@@ -10,6 +10,10 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https
           file://0001-explicitly-set-compile-options.patch \
           file://run-ptest \
           file://CVE-2023-44271.patch \
+           file://CVE-2023-50447-1.patch \
+           file://CVE-2023-50447-2.patch \
+           file://CVE-2023-50447-3.patch \
+           file://CVE-2023-50447-4.patch \
           "
 SRCREV ?= "82541b6dec8452cb612067fcebba1c5a1a2bfdc8"
author	Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>	2024-04-08 09:42:28 +0000
committer	Armin Kuster <akuster808@gmail.com>	2024-04-28 13:10:23 -0400
commit	717462f81159d00336733c62208b55db22ea1fdb (patch)
tree	40b6ac3e92c71505c35451e7a21417b90049a1bf /meta-python
parent	0fffd4d4221461efd0d0600634af1f5dcbd846e4 (diff)
download	meta-openembedded-717462f81159d00336733c62208b55db22ea1fdb.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch new file mode 100644 index 0000000000..7de12be5d5 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch
@@ -0,0 +1,29 @@
		1	From 3652f431c2d8b9c10bf20b70f284d300d12e814a
		2	From: Andrew Murray <radarhere@users.noreply.github.com>
		3	Date: Sat Oct 28 14:22:39 2023 +1100
		4	Subject: [PATCH] python3-pillow: Simplified code
		5
		6	CVE: CVE-2023-50447
		7
		8	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/3652f431c2d8b9c10bf20b70f284d300d12e814a]
		9
		10	Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
		11	---
		12	src/PIL/ImageMath.py \| 2 +-
		13	1 file changed, 1 insertion(+), 1 deletion(-)
		14
		15	diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
		16	index ac7d36b69..71872a3fb 100644
		17	--- a/src/PIL/ImageMath.py
		18	+++ b/src/PIL/ImageMath.py
		19	@@ -239,7 +239,7 @@ def eval(expression, _dict={}, **kw):
		20	args = ops.copy()
		21	args.update(_dict)
		22	args.update(kw)
		23	- for k, v in list(args.items()):
		24	+ for k, v in args.items():
		25	if hasattr(v, "im"):
		26	args[k] = _Operand(v)
		27
		28	--
		29	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch new file mode 100644 index 0000000000..13fbaf6d78 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch
@@ -0,0 +1,31 @@
		1	From 45c726fd4daa63236a8f3653530f297dc87b160a
		2	From: Eric Soroos <eric-github@soroos.net>
		3	Date: Fri Oct 27 11:21:18 2023 +0200
		4	Subject: [PATCH] python3-pillow: Don't allow __ or builtins in env dictionarys
		5
		6	CVE: CVE-2023-50447
		7
		8	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a]
		9
		10	Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
		11	---
		12	src/PIL/ImageMath.py \| 4 ++++
		13	1 file changed, 4 insertions(+)
		14
		15	diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
		16	index 71872a3fb..923a8eeae 100644
		17	--- a/src/PIL/ImageMath.py
		18	+++ b/src/PIL/ImageMath.py
		19	@@ -240,6 +240,10 @@ def eval(expression, _dict={}, **kw):
		20	args.update(_dict)
		21	args.update(kw)
		22	for k, v in args.items():
		23	+ if '__' in k or hasattr(__builtins__, k):
		24	+ msg = f"'{k}' not allowed"
		25	+ raise ValueError(msg)
		26	+
		27	if hasattr(v, "im"):
		28	args[k] = _Operand(v)
		29
		30	--
		31	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch new file mode 100644 index 0000000000..bbfc32a6c7 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch
@@ -0,0 +1,56 @@
		1	From 0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80
		2	From: Andrew Murray <radarhere@users.noreply.github.com>
		3	Date: Sat, 28 Oct 2023 15:58:52 +1100
		4	Subject: [PATCH] python3-pillow: Allow ops
		5
		6	CVE: CVE-2023-50447
		7
		8	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80]
		9
		10	Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
		11	---
		12	Tests/test_imagemath.py \| 5 +++++
		13	src/PIL/ImageMath.py \| 9 +++++----
		14	2 files changed, 10 insertions(+), 4 deletions(-)
		15
		16	diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
		17	index fe7ac9a7a..ded8c0011 100644
		18	--- a/Tests/test_imagemath.py
		19	+++ b/Tests/test_imagemath.py
		20	@@ -63,6 +63,11 @@ def test_prevent_exec(expression):
		21	ImageMath.eval(expression)
		22
		23
		24	+def test_prevent_double_underscores():
		25	+ with pytest.raises(ValueError):
		26	+ ImageMath.eval("1", {"__": None})
		27	+
		28	+
		29	def test_logical():
		30	assert pixel(ImageMath.eval("not A", images)) == 0
		31	assert pixel(ImageMath.eval("A and B", images)) == "L 2"
		32	diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
		33	index 923a8eeae..c14598a4c 100644
		34	--- a/src/PIL/ImageMath.py
		35	+++ b/src/PIL/ImageMath.py
		36	@@ -237,13 +237,14 @@ def eval(expression, _dict={}, **kw):
		37
		38	# build execution namespace
		39	args = ops.copy()
		40	- args.update(_dict)
		41	- args.update(kw)
		42	- for k, v in args.items():
		43	- if '__' in k or hasattr(__builtins__, k):
		44	+ for k in list(_dict.keys()) + list(kw.keys()):
		45	+ if "__" in k or hasattr(__builtins__, k):
		46	msg = f"'{k}' not allowed"
		47	raise ValueError(msg)
		48
		49	+ args.update(_dict)
		50	+ args.update(kw)
		51	+ for k, v in args.items():
		52	if hasattr(v, "im"):
		53	args[k] = _Operand(v)
		54
		55	--
		56	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch new file mode 100644 index 0000000000..da3e2c1974 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch
@@ -0,0 +1,66 @@
		1	From 557ba59d13de919d04b3fd4cdef8634f7d4b3348
		2	From: Andrew Murray <radarhere@users.noreply.github.com>
		3	Date: Sat Dec 30 09:30:12 2023 +1100
		4	Subject: [PATCH] python3-pillow: Include further builtins
		5
		6	CVE: CVE-2023-50447
		7
		8	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348]
		9
		10	Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
		11	---
		12	Tests/test_imagemath.py \| 5 +++++
		13	docs/releasenotes/9.4.0.rst \| 8 ++++++++
		14	src/PIL/ImageMath.py \| 2 +-
		15	3 files changed, 14 insertions(+), 1 deletion(-)
		16
		17	diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
		18	index ded8c0011..124687478 100644
		19	--- a/Tests/test_imagemath.py
		20	+++ b/Tests/test_imagemath.py
		21	@@ -67,6 +67,11 @@ def test_prevent_double_underscores():
		22	with pytest.raises(ValueError):
		23	ImageMath.eval("1", {"__": None})
		24
		25	+def test_prevent_builtins():
		26	+ with pytest.raises(ValueError):
		27	+ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
		28	+
		29	+
		30
		31	def test_logical():
		32	assert pixel(ImageMath.eval("not A", images)) == 0
		33	diff --git a/docs/releasenotes/9.4.0.rst b/docs/releasenotes/9.4.0.rst
		34	index 0af5bc8ca..9ca7c9f6f 100644
		35	--- a/docs/releasenotes/9.4.0.rst
		36	+++ b/docs/releasenotes/9.4.0.rst
		37	@@ -88,6 +88,14 @@ Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a
		38	crash. An error is now raised instead. This has been present since
		39	Pillow 8.0.0.
		40
		41	+Restricted environment keys for ImageMath.eval
		42	+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
		43	+
		44	+:cve:`2023-50447`: If an attacker has control over the keys passed to the
		45	+``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
		46	+arbitrary code. To prevent this, keys matching the names of builtins and keys
		47	+containing double underscores will now raise a :py:exc:`ValueError`.
		48	+
		49	Other Changes
		50	=============
		51
		52	diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
		53	index c14598a4c..b2c50bc5b 100644
		54	--- a/src/PIL/ImageMath.py
		55	+++ b/src/PIL/ImageMath.py
		56	@@ -238,7 +238,7 @@ def eval(expression, _dict={}, **kw):
		57	# build execution namespace
		58	args = ops.copy()
		59	for k in list(_dict.keys()) + list(kw.keys()):
		60	- if "__" in k or hasattr(__builtins__, k):
		61	+ if "__" in k or hasattr(builtins, k):
		62	msg = f"'{k}' not allowed"
		63	raise ValueError(msg)
		64
		65	--
		66	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb b/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb index b9c09127c5..e1d0b30860 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb
@@ -10,6 +10,10 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https
10	file://0001-explicitly-set-compile-options.patch \	10	file://0001-explicitly-set-compile-options.patch \
11	file://run-ptest \	11	file://run-ptest \
12	file://CVE-2023-44271.patch \	12	file://CVE-2023-44271.patch \
		13	file://CVE-2023-50447-1.patch \
		14	file://CVE-2023-50447-2.patch \
		15	file://CVE-2023-50447-3.patch \
		16	file://CVE-2023-50447-4.patch \
13	"	17	"
14	SRCREV ?= "82541b6dec8452cb612067fcebba1c5a1a2bfdc8"	18	SRCREV ?= "82541b6dec8452cb612067fcebba1c5a1a2bfdc8"
15		19