diff options
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch')
-rw-r--r-- | meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch new file mode 100644 index 0000000000..da3e2c1974 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch @@ -0,0 +1,66 @@ +From 557ba59d13de919d04b3fd4cdef8634f7d4b3348 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Sat Dec 30 09:30:12 2023 +1100 +Subject: [PATCH] python3-pillow: Include further builtins + +CVE: CVE-2023-50447 + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348] + +Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com> +--- + Tests/test_imagemath.py | 5 +++++ + docs/releasenotes/9.4.0.rst | 8 ++++++++ + src/PIL/ImageMath.py | 2 +- + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py +index ded8c0011..124687478 100644 +--- a/Tests/test_imagemath.py ++++ b/Tests/test_imagemath.py +@@ -67,6 +67,11 @@ def test_prevent_double_underscores(): + with pytest.raises(ValueError): + ImageMath.eval("1", {"__": None}) + ++def test_prevent_builtins(): ++ with pytest.raises(ValueError): ++ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}) ++ ++ + + def test_logical(): + assert pixel(ImageMath.eval("not A", images)) == 0 +diff --git a/docs/releasenotes/9.4.0.rst b/docs/releasenotes/9.4.0.rst +index 0af5bc8ca..9ca7c9f6f 100644 +--- a/docs/releasenotes/9.4.0.rst ++++ b/docs/releasenotes/9.4.0.rst +@@ -88,6 +88,14 @@ Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a + crash. An error is now raised instead. This has been present since + Pillow 8.0.0. + ++Restricted environment keys for ImageMath.eval ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++:cve:`2023-50447`: If an attacker has control over the keys passed to the ++``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute ++arbitrary code. To prevent this, keys matching the names of builtins and keys ++containing double underscores will now raise a :py:exc:`ValueError`. ++ + Other Changes + ============= + +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index c14598a4c..b2c50bc5b 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -238,7 +238,7 @@ def eval(expression, _dict={}, **kw): + # build execution namespace + args = ops.copy() + for k in list(_dict.keys()) + list(kw.keys()): +- if "__" in k or hasattr(__builtins__, k): ++ if "__" in k or hasattr(builtins, k): + msg = f"'{k}' not allowed" + raise ValueError(msg) + +-- +2.40.0 |