1 files changed, 66 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch
new file mode 100644
index 0000000000..da3e2c1974
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch
@@ -0,0 +1,66 @@
+From 557ba59d13de919d04b3fd4cdef8634f7d4b3348
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date:   Sat Dec 30 09:30:12 2023 +1100
+Subject: [PATCH] python3-pillow: Include further builtins
+CVE: CVE-2023-50447
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348]
+Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
+---
+ Tests/test_imagemath.py     | 5 +++++
+ docs/releasenotes/9.4.0.rst | 8 ++++++++
+ src/PIL/ImageMath.py        | 2 +-
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index ded8c0011..124687478 100644
+--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
+@@ -67,6 +67,11 @@ def test_prevent_double_underscores():
+     with pytest.raises(ValueError):
+         ImageMath.eval("1", {"__": None})
+def test_prevent_builtins():
+    with pytest.raises(ValueError):
+        ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
+
+
+ def test_logical():
+     assert pixel(ImageMath.eval("not A", images)) == 0
+diff --git a/docs/releasenotes/9.4.0.rst b/docs/releasenotes/9.4.0.rst
+index 0af5bc8ca..9ca7c9f6f 100644
+--- a/docs/releasenotes/9.4.0.rst
+++ b/docs/releasenotes/9.4.0.rst
+@@ -88,6 +88,14 @@ Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a
+ crash. An error is now raised instead. This has been present since
+ Pillow 8.0.0.
+Restricted environment keys for ImageMath.eval
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+:cve:`2023-50447`: If an attacker has control over the keys passed to the
+``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
+arbitrary code. To prevent this, keys matching the names of builtins and keys
+containing double underscores will now raise a :py:exc:`ValueError`.
+
+ Other Changes
+ =============
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index c14598a4c..b2c50bc5b 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -238,7 +238,7 @@ def eval(expression, _dict={}, **kw):
+     # build execution namespace
+     args = ops.copy()
+     for k in list(_dict.keys()) + list(kw.keys()):
+-        if "__" in k or hasattr(__builtins__, k):
+        if "__" in k or hasattr(builtins, k):
+             msg = f"'{k}' not allowed"
+             raise ValueError(msg)
+--
+2.40.0

diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch new file mode 100644 index 0000000000..da3e2c1974 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch
@@ -0,0 +1,66 @@
	1	From 557ba59d13de919d04b3fd4cdef8634f7d4b3348
	2	From: Andrew Murray <radarhere@users.noreply.github.com>
	3	Date: Sat Dec 30 09:30:12 2023 +1100
	4	Subject: [PATCH] python3-pillow: Include further builtins
	5
	6	CVE: CVE-2023-50447
	7
	8	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348]
	9
	10	Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
	11	---
	12	Tests/test_imagemath.py \| 5 +++++
	13	docs/releasenotes/9.4.0.rst \| 8 ++++++++
	14	src/PIL/ImageMath.py \| 2 +-
	15	3 files changed, 14 insertions(+), 1 deletion(-)
	16
	17	diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
	18	index ded8c0011..124687478 100644
	19	--- a/Tests/test_imagemath.py
	20	+++ b/Tests/test_imagemath.py
	21	@@ -67,6 +67,11 @@ def test_prevent_double_underscores():
	22	with pytest.raises(ValueError):
	23	ImageMath.eval("1", {"__": None})
	24
	25	+def test_prevent_builtins():
	26	+ with pytest.raises(ValueError):
	27	+ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
	28	+
	29	+
	30
	31	def test_logical():
	32	assert pixel(ImageMath.eval("not A", images)) == 0
	33	diff --git a/docs/releasenotes/9.4.0.rst b/docs/releasenotes/9.4.0.rst
	34	index 0af5bc8ca..9ca7c9f6f 100644
	35	--- a/docs/releasenotes/9.4.0.rst
	36	+++ b/docs/releasenotes/9.4.0.rst
	37	@@ -88,6 +88,14 @@ Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a
	38	crash. An error is now raised instead. This has been present since
	39	Pillow 8.0.0.
	40
	41	+Restricted environment keys for ImageMath.eval
	42	+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	43	+
	44	+:cve:`2023-50447`: If an attacker has control over the keys passed to the
	45	+``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
	46	+arbitrary code. To prevent this, keys matching the names of builtins and keys
	47	+containing double underscores will now raise a :py:exc:`ValueError`.
	48	+
	49	Other Changes
	50	=============
	51
	52	diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
	53	index c14598a4c..b2c50bc5b 100644
	54	--- a/src/PIL/ImageMath.py
	55	+++ b/src/PIL/ImageMath.py
	56	@@ -238,7 +238,7 @@ def eval(expression, _dict={}, **kw):
	57	# build execution namespace
	58	args = ops.copy()
	59	for k in list(_dict.keys()) + list(kw.keys()):
	60	- if "__" in k or hasattr(__builtins__, k):
	61	+ if "__" in k or hasattr(builtins, k):
	62	msg = f"'{k}' not allowed"
	63	raise ValueError(msg)
	64
	65	--
	66	2.40.0