From 598b0030da36025f3276442f9dc7401993a15b5a Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Wed, 21 Feb 2024 03:18:53 +0300
Subject: [PATCH] import python-pillow-5.1.1-18.el8_9.1

---
 SOURCES/CVE-2023-50447.patch | 46 ++++++++++++++++++++++++++++++++++++
 SPECS/python-pillow.spec | 12 ++++++++--
 2 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/CVE-2023-50447.patch

diff --git a/SOURCES/CVE-2023-50447.patch b/SOURCES/CVE-2023-50447.patch
new file mode 100644
index 0000000..9c5cae5
--- /dev/null
+++ b/SOURCES/CVE-2023-50447.patch
@@ -0,0 +1,46 @@
+From 5c3db10f7a9cafd9b2d145a40864a445b2ee6edc Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Thu, 25 Jan 2024 13:23:56 +0100
+Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
+ ImageMath.eval
+
+---
+ Tests/test_imagemath.py | 5 +++++
+ src/PIL/ImageMath.py | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index d3b7ba3..2467078 100644
+--- a/Tests/test_imagemath.py
++++ b/Tests/test_imagemath.py
+@@ -63,6 +63,11 @@ class TestImageMath(PillowTestCase):
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
+ 
++ def test_prevent_double_underscores(self):
++ self.assertRaises(ValueError, ImageMath.eval("1", {"__": None}))
++
++ def test_prevent_builtins(self):
++ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}))
+ 
+ def test_logical(self):
+ self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 13839e4..94108cf 100644
+--- a/src/PIL/ImageMath.py
++++ b/src/PIL/ImageMath.py
+@@ -257,6 +257,11 @@ def eval(expression, _dict={}, **kw):
+ 
+ # build execution namespace
+ args = ops.copy()
++ for k in list(_dict.keys()) + list(kw.keys()):
++ if "__" in k or hasattr(builtins, k):
++ msg = f"'{k}' not allowed"
++ raise ValueError(msg)
++
+ args.update(_dict)
+ args.update(kw)
+ for k, v in list(args.items()):
+--
+2.43.0
+
diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec
index 5515a5f..4b09bd3 100644
--- a/SPECS/python-pillow.spec
+++ b/SPECS/python-pillow.spec
@@ -8,7 +8,7 @@ Name: python-%{srcname}
 Version: 5.1.1
-Release: 18%{?dist}
+Release: 18%{?dist}.1
 Summary: Python image processing library
 # License: see http://www.pythonware.com/products/pil/license.htm
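Review bot: The two tests added to Tests/test_imagemath.py call `ImageMath.eval(...)` eagerly as the second argument of `assertRaises`, so when the new guard raises ValueError the exception escapes the test method as an error instead of being asserted, and when nothing is raised `assertRaises` is handed a non-callable result and fails with TypeError — either way the fix is never actually verified; pass the callable and its arguments separately: `self.assertRaises(ValueError, ImageMath.eval, "1", {"__": None})` and `self.assertRaises(ValueError, ImageMath.eval, "(lambda: exec('exit()'))()", {"exec": None})`. The pre-existing assertions in the surrounding context lines have the same shape, which suggests the package's %check step is presumably not running or not failing on this test module; worth confirming so the backport is exercised at build time. In src/PIL/ImageMath.py the guard's message uses an f-string (`msg = f"'{k}' not allowed"`) in a 5.1.1 code base that otherwise targets Python 2 as well; if this spec still produces a Python 2 subpackage, `msg = "'%s' not allowed" % k` keeps the module importable there. The guard also relies on a `builtins` name being bound in ImageMath.py, which is outside the hunk, and the enclosing `eval` function starts and ends outside the hunk as well.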
@@ -113,6 +113,10 @@ Patch19: CVE-2022-22817.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2042511
 # https://bugzilla.redhat.com/show_bug.cgi?id=2042522
 Patch20: CVE-2022-22815_CVE-2022-22816.patch
+# CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d
+# Patch rebased and tests converted from pytest to unittests.
+Patch21: CVE-2023-50447.patch
 BuildRequires: freetype-devel
 BuildRequires: gcc
@@ -257,13 +261,17 @@ popd
 %changelog
+* Thu Jan 25 2024 Lumír Balhar - 5.1.1-18.1
+- Security fix for CVE-2023-50447
+Resolves: RHEL-22591
+
 * Wed Jul 26 2023 MSVSphere Packaging Team - 5.1.1-18
 - Rebuilt for MSVSphere 8.8
 * Fri Feb 11 2022 Charalampos Stratakis - 5.1.1-18
 - Fixup for CVE-2022-22817
 - Security fixes for CVE-2022-22815, CVE-2022-22816
-Resolves: rhbz#2042522
+Resolves: rhbz#2042511, rhbz#2042522
 * Fri Feb 04 2022 Charalampos Stratakis - 5.1.1-17
 - Fix for CVE-2022-22817