From a6530881b4a7371beb112ab4fb63420e989799e8 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Wed, 3 Jul 2024 03:18:56 +0300 Subject: [PATCH] import python-pillow-5.1.1-21.el8_10 --- SOURCES/CVE-2023-44271.patch | 91 ++++++++++++++++++++++++++++++++++++ SOURCES/CVE-2024-28219.patch | 38 +++++++++++++++ SPECS/python-pillow.spec | 24 ++++++++-- 3 files changed, 149 insertions(+), 4 deletions(-) create mode 100644 SOURCES/CVE-2023-44271.patch create mode 100644 SOURCES/CVE-2024-28219.patch diff --git a/SOURCES/CVE-2023-44271.patch b/SOURCES/CVE-2023-44271.patch new file mode 100644 index 0000000..140bf5b --- /dev/null +++ b/SOURCES/CVE-2023-44271.patch 
@@ -0,0 +1,91 @@ +From fc055dbef875b477c27196e10c61f98aeb23d62c Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Fri, 10 Nov 2023 15:39:41 +0100 +Subject: [PATCH] CVE-2023-44271 + +--- + docs/reference/ImageFont.rst | 9 +++++++++ + src/PIL/ImageFont.py | 12 ++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/docs/reference/ImageFont.rst b/docs/reference/ImageFont.rst +index 76fde44..21b9d9d 100644 +--- a/docs/reference/ImageFont.rst ++++ b/docs/reference/ImageFont.rst +@@ -17,6 +17,15 @@ OpenType fonts (as well as other font formats supported by the FreeType + library). For earlier versions, TrueType support is only available as part of + the imToolkit package + ++.. warning:: ++ To protect against potential DOS attacks when using arbitrary strings as ++ text input, Pillow will raise a ``ValueError`` if the number of characters ++ is over a certain limit, :py:data:`MAX_STRING_LENGTH`. ++ ++ This threshold can be changed by setting ++ :py:data:`MAX_STRING_LENGTH`. It can be disabled by setting ++ ``ImageFont.MAX_STRING_LENGTH = None``. ++ + Example + ------- + +diff --git a/src/PIL/ImageFont.py b/src/PIL/ImageFont.py +index f3b55e0..7e7b62f 100644 +--- a/src/PIL/ImageFont.py ++++ b/src/PIL/ImageFont.py +@@ -39,6 +39,8 @@ class _imagingft_not_installed(object): + def __getattr__(self, id): + raise ImportError("The _imagingft C module is not installed") + ++MAX_STRING_LENGTH = 1_000_000 ++ + + try: + from . 
import _imagingft as core +@@ -46,6 +48,12 @@ except ImportError: + core = _imagingft_not_installed() + + ++def _string_length_check(text): ++ if MAX_STRING_LENGTH is not None and len(text) > MAX_STRING_LENGTH: ++ msg = "too many characters in string" ++ raise ValueError(msg) ++ ++ + # FIXME: add support for pilfont2 format (see FontFile.py) + + # -------------------------------------------------------------------- +@@ -109,6 +117,7 @@ class ImageFont(object): + self.font = Image.core.font(image.im, data) + + def getsize(self, text, *args, **kwargs): ++ _string_length_check(text) + return self.font.getsize(text) + + def getmask(self, text, mode="", *args, **kwargs): +@@ -154,6 +163,7 @@ class FreeTypeFont(object): + return self.font.ascent, self.font.descent + + def getsize(self, text, direction=None, features=None): ++ _string_length_check(text) + size, offset = self.font.getsize(text, direction, features) + return (size[0] + offset[0], size[1] + offset[1]) + +@@ -164,6 +174,7 @@ class FreeTypeFont(object): + return self.getmask2(text, mode, direction=direction, features=features)[0] + + def getmask2(self, text, mode="", fill=Image.core.fill, direction=None, features=None, *args, **kwargs): ++ _string_length_check(text) + size, offset = self.font.getsize(text, direction, features) + im = fill("L", size, 0) + self.font.render(text, im.id, mode == "1", direction, features) +@@ -205,6 +216,7 @@ class TransposedFont(object): + self.orientation = orientation # any 'transpose' argument, or None + + def getsize(self, text, *args, **kwargs): ++ _string_length_check(text) + w, h = self.font.getsize(text) + if self.orientation in (Image.ROTATE_90, Image.ROTATE_270): + return h, w +-- +2.41.0 + diff --git a/SOURCES/CVE-2024-28219.patch b/SOURCES/CVE-2024-28219.patch new file mode 100644 index 0000000..fe80949 --- /dev/null +++ b/SOURCES/CVE-2024-28219.patch 
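Review bot: The bitmap `ImageFont.getmask` method, visible only as the trailing context line of the inner `@@ -109,6 +117,7 @@` hunk, does not receive the new `_string_length_check(text)` call, while `getsize` on all three font classes and `FreeTypeFont.getmask2` do. If `ImageDraw.text` falls back to `font.getmask` for fonts that lack `getmask2` (as it appears to for the bitmap class — confirm against ImageDraw.py, which this patch does not touch), an over-long string still reaches `self.font.getmask` unchecked and the new limit is bypassed on that path; adding `_string_length_check(text)` as the first statement of `ImageFont.getmask` closes it, and the upstream commit referenced in the spec can be compared for whether it guards that method. The backport also carries no test (the inner diffstat lists only docs and src), so a small unittest asserting that `ImageFont.load_default().getsize("a" * 1_000_001)` raises `ValueError`, and that `ImageFont.MAX_STRING_LENGTH = None` disables the check, would let %check verify the backport.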
@@ -0,0 +1,38 @@ +From 2d30e67ec0b77993de62f975aae29266d8d1f784 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Thu, 4 Apr 2024 13:01:56 +0200 +Subject: [PATCH] CVE-2024-28219 + +--- + src/_imagingcms.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/_imagingcms.c b/src/_imagingcms.c +index 5e4196c..4169e28 100644 +--- a/src/_imagingcms.c ++++ b/src/_imagingcms.c +@@ -212,8 +212,8 @@ cms_transform_new(cmsHTRANSFORM transform, char* mode_in, char* mode_out) + + self->transform = transform; + +- strcpy(self->mode_in, mode_in); +- strcpy(self->mode_out, mode_out); ++ strncpy(self->mode_in, mode_in, 8); ++ strncpy(self->mode_out, mode_out, 8); + + return (PyObject*) self; + } +@@ -286,8 +286,8 @@ findLCMStype(char* PILmode) + } + + else { +- /* take a wild guess... but you probably should fail instead. */ +- return TYPE_GRAY_8; /* so there's no buffer overrun... */ ++ /* take a wild guess... */ ++ return TYPE_GRAY_8; + } + } + +-- +2.44.0 + diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec index 4b09bd3..b0a312f 100644 --- a/SPECS/python-pillow.spec +++ b/SPECS/python-pillow.spec @@ -8,7 +8,7 @@ Name: python-%{srcname} Version: 5.1.1 -Release: 18%{?dist}.1 +Release: 21%{?dist} Summary: Python image processing library # License: see http://www.pythonware.com/products/pil/license.htm 
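Review bot: `strncpy(self->mode_in, mode_in, 8)` bounds the write but does not guarantee NUL termination: when `mode_in` is 8 or more characters the destination holds no terminator (assuming `mode_in`/`mode_out` are 8-byte arrays, which the bound suggests but the struct definition is outside the hunk), so any later `strlen`, `strcmp` or `%s` use of `self->mode_in` reads past the array. The defensive form copies at most 7 bytes and terminates explicitly, `strncpy(self->mode_in, mode_in, 7); self->mode_in[7] = '\0';` (likewise for `mode_out`), or rejects a mode longer than the buffer before copying, since a silently truncated mode string is unlikely to name a valid transform. The second inner hunk only rewords the `findLCMStype` fallback comment; returning `TYPE_GRAY_8` for an unrecognised mode is unchanged, and the dropped "you probably should fail instead" caveat is still accurate, so keeping it in the comment would help the next maintainer. `cms_transform_new` continues outside the hunk.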
@@ -113,10 +113,18 @@ Patch19: CVE-2022-22817.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2042511
 # https://bugzilla.redhat.com/show_bug.cgi?id=2042522
 Patch20: CVE-2022-22815_CVE-2022-22816.patch
+# CVE-2023-44271 python-pillow: uncontrolled resource consumption when textlength
+# in an ImageDraw instance operates on a long text argument
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
+Patch21: CVE-2023-44271.patch
 # CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter
 # Upstream fix: https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d
 # Patch rebased and tests converted from pytest to unittests.
-Patch21: CVE-2023-50447.patch
+Patch22: CVE-2023-50447.patch
+# CVE-2024-28219 python-pillow: buffer overflow in _imagingcms.c
+# Upstream fix: https://github.com/python-pillow/Pillow/pull/7928
+# Patch rebased. The test requires a binary file and therefore isn't backported.
+Patch23: CVE-2024-28219.patch
 
 BuildRequires: freetype-devel
 BuildRequires: gcc
@@ -261,9 +269,17 @@ popd
 %changelog
-* Thu Jan 25 2024 Lumír Balhar - 5.1.1-18.1
+* Thu Apr 04 2024 Lumír Balhar - 5.1.1-21
+- Security fix for CVE-2024-28219
+Resolves: RHEL-31071
+
+* Thu Jan 25 2024 Lumír Balhar - 5.1.1-20
 - Security fix for CVE-2023-50447
-Resolves: RHEL-22591
+Resolves: RHEL-22240
+
+* Fri Nov 10 2023 Lumír Balhar - 5.1.1-19
+- Security fix for CVE-2023-44271
+Resolves: RHEL-15460
 
 * Wed Jul 26 2023 MSVSphere Packaging Team - 5.1.1-18
 - Rebuilt for MSVSphere 8.8
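Review bot: Renumbering CVE-2023-50447.patch from Patch21 to Patch22 is only safe if %prep applies patches with `%autosetup`/`%autopatch`; if it uses explicit `%patchN -p1` lines, a matching `%patch22 -p1` plus new `%patch21`/`%patch23` entries are required there — %prep is outside this hunk, so please confirm. The Patch21 description refers to `textlength`, which was introduced in a much later Pillow release than 5.1.1; the backported patch actually guards `getsize` and `getmask2` in ImageFont.py, so a comment such as `# CVE-2023-44271 python-pillow: uncontrolled resource consumption when ImageFont getsize/getmask2 (used by ImageDraw text sizing and rendering) operates on a long text argument` would describe what is fixed. Patch23's comment explains why its test was dropped, but Patch21 drops upstream's test without saying so; either add a unittest asserting `ValueError` on an over-limit string or note the omission the same way for consistency.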