import python-pillow-5.1.1-18.el8_5
This commit is contained in:
parent
6f74b40d18
commit
348a191152
69
SOURCES/CVE-2022-22815_CVE-2022-22816.patch
Normal file
69
SOURCES/CVE-2022-22815_CVE-2022-22816.patch
Normal file
@ -0,0 +1,69 @@
|
||||
diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
|
||||
index 98a6d34..733fd29 100644
|
||||
--- a/Tests/test_imagepath.py
|
||||
+++ b/Tests/test_imagepath.py
|
||||
@@ -67,6 +67,11 @@ class TestImagePath(PillowTestCase):
|
||||
p = ImagePath.Path(arr.tostring())
|
||||
self.assertEqual(list(p), [(0.0, 1.0)])
|
||||
|
||||
+ def test_getbbox(self):
|
||||
+ for coords in (0,1):
|
||||
+ p = ImagePath.Path(coords)
|
||||
+ self.assertEqual(p.getbbox(), (0.0, 0.0, 0.0, 0.0))
|
||||
+
|
||||
def test_overflow_segfault(self):
|
||||
# Some Pythons fail getting the argument as an integer, and it falls
|
||||
# through to the sequence. Seeing this on 32-bit Windows.
|
||||
diff --git a/src/path.c b/src/path.c
|
||||
index eb1e065..5215f87 100644
|
||||
--- a/src/path.c
|
||||
+++ b/src/path.c
|
||||
@@ -62,7 +62,7 @@ alloc_array(Py_ssize_t count)
|
||||
PyErr_NoMemory();
|
||||
return NULL;
|
||||
}
|
||||
- xy = malloc(2 * count * sizeof(double) + 1);
|
||||
+ xy = calloc(2 * count + 1, sizeof(double));
|
||||
if (!xy)
|
||||
PyErr_NoMemory();
|
||||
return xy;
|
||||
@@ -330,18 +330,27 @@ path_getbbox(PyPathObject* self, PyObject* args)
|
||||
|
||||
xy = self->xy;
|
||||
|
||||
- x0 = x1 = xy[0];
|
||||
- y0 = y1 = xy[1];
|
||||
-
|
||||
- for (i = 1; i < self->count; i++) {
|
||||
- if (xy[i+i] < x0)
|
||||
- x0 = xy[i+i];
|
||||
- if (xy[i+i] > x1)
|
||||
- x1 = xy[i+i];
|
||||
- if (xy[i+i+1] < y0)
|
||||
- y0 = xy[i+i+1];
|
||||
- if (xy[i+i+1] > y1)
|
||||
- y1 = xy[i+i+1];
|
||||
+ if (self->count == 0) {
|
||||
+ x0 = x1 = 0;
|
||||
+ y0 = y1 = 0;
|
||||
+ } else {
|
||||
+ x0 = x1 = xy[0];
|
||||
+ y0 = y1 = xy[1];
|
||||
+
|
||||
+ for (i = 1; i < self->count; i++) {
|
||||
+ if (xy[i + i] < x0) {
|
||||
+ x0 = xy[i + i];
|
||||
+ }
|
||||
+ if (xy[i + i] > x1) {
|
||||
+ x1 = xy[i + i];
|
||||
+ }
|
||||
+ if (xy[i + i + 1] < y0) {
|
||||
+ y0 = xy[i + i + 1];
|
||||
+ }
|
||||
+ if (xy[i + i + 1] > y1) {
|
||||
+ y1 = xy[i + i + 1];
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
return Py_BuildValue("dddd", x0, y0, x1, y1);
|
41
SOURCES/CVE-2022-22817.patch
Normal file
41
SOURCES/CVE-2022-22817.patch
Normal file
@ -0,0 +1,41 @@
|
||||
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
|
||||
index 2329b74..d3b7ba3 100644
|
||||
--- a/Tests/test_imagemath.py
|
||||
+++ b/Tests/test_imagemath.py
|
||||
@@ -58,6 +58,12 @@ class TestImageMath(PillowTestCase):
|
||||
self.assertEqual(pixel(
|
||||
ImageMath.eval("float(B)**33", images)), "F 8589934592.0")
|
||||
|
||||
+ def test_prevent_exec(self):
|
||||
+ self.assertRaises(ValueError, ImageMath.eval("exec('pass')"))
|
||||
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
|
||||
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
|
||||
+
|
||||
+
|
||||
def test_logical(self):
|
||||
self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
|
||||
self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
|
||||
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
|
||||
index c5bea70..13839e4 100644
|
||||
--- a/src/PIL/ImageMath.py
|
||||
+++ b/src/PIL/ImageMath.py
|
||||
@@ -263,7 +263,18 @@ def eval(expression, _dict={}, **kw):
|
||||
if hasattr(v, "im"):
|
||||
args[k] = _Operand(v)
|
||||
|
||||
- out = builtins.eval(expression, args)
|
||||
+ compiled_code = compile(expression, "<string>", "eval")
|
||||
+ def scan(code):
|
||||
+ for const in code.co_consts:
|
||||
+ if type(const) == type(compiled_code):
|
||||
+ scan(const)
|
||||
+
|
||||
+ for name in code.co_names:
|
||||
+ if name not in args and name != "abs":
|
||||
+ raise ValueError(f"'{name}' not allowed")
|
||||
+
|
||||
+ scan(compiled_code)
|
||||
+ out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
|
||||
try:
|
||||
return out.im
|
||||
except AttributeError:
|
@ -8,7 +8,7 @@
|
||||
|
||||
Name: python-%{srcname}
|
||||
Version: 5.1.1
|
||||
Release: 16%{?dist}
|
||||
Release: 18%{?dist}
|
||||
Summary: Python image processing library
|
||||
|
||||
# License: see http://www.pythonware.com/products/pil/license.htm
|
||||
@ -99,6 +99,20 @@ Patch17: CVE-2021-28678.patch
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/pull/5567
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1982378
|
||||
Patch18: CVE-2021-34552.patch
|
||||
# CVE-2022-22817: PIL.ImageMath.eval allows evaluation of arbitrary expressions
|
||||
# Upstream fixes:
|
||||
# https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11
|
||||
# https://github.com/python-pillow/Pillow/commit/f84ab3bb8a0a196a52e8a76bebed2853362629de
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2042527
|
||||
Patch19: CVE-2022-22817.patch
|
||||
# CVE-2022-22815 python-pillow: improperly initializes ImagePath.Path in path_getbbox() in path.c
|
||||
# CVE-2022-22816 python-pillow: buffer over-read during initialization of ImagePath.Path in path_getbbox() in path.c
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/5543e4e2d409cd9e409bc64cdc77be0af007a31f
|
||||
# Memory issue fix: https://github.com/python-pillow/Pillow/pull/5958
|
||||
# Tracking bugs:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2042511
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2042522
|
||||
Patch20: CVE-2022-22815_CVE-2022-22816.patch
|
||||
|
||||
BuildRequires: freetype-devel
|
||||
BuildRequires: gcc
|
||||
@ -243,6 +257,15 @@ popd
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Feb 11 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-18
|
||||
- Fixup for CVE-2022-22817
|
||||
- Security fixes for CVE-2022-22815, CVE-2022-22816
|
||||
Resolves: rhbz#2042522
|
||||
|
||||
* Fri Feb 04 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-17
|
||||
- Fix for CVE-2022-22817
|
||||
Resolves: rhbz#2042527
|
||||
|
||||
* Mon Aug 02 2021 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-16
|
||||
- Fix for CVE-2021-34552
|
||||
Resolves: rhbz#1982378
|
||||
|
Loading…
Reference in New Issue
Block a user