import python-pillow-5.1.1-18.el8
This commit is contained in:
parent
3ccb8aabb8
commit
4f32e54de6
69
SOURCES/CVE-2022-22815_CVE-2022-22816.patch
Normal file
69
SOURCES/CVE-2022-22815_CVE-2022-22816.patch
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
|
||||||
|
index 98a6d34..733fd29 100644
|
||||||
|
--- a/Tests/test_imagepath.py
|
||||||
|
+++ b/Tests/test_imagepath.py
|
||||||
|
@@ -67,6 +67,11 @@ class TestImagePath(PillowTestCase):
|
||||||
|
p = ImagePath.Path(arr.tostring())
|
||||||
|
self.assertEqual(list(p), [(0.0, 1.0)])
|
||||||
|
|
||||||
|
+ def test_getbbox(self):
|
||||||
|
+ for coords in (0,1):
|
||||||
|
+ p = ImagePath.Path(coords)
|
||||||
|
+ self.assertEqual(p.getbbox(), (0.0, 0.0, 0.0, 0.0))
|
||||||
|
+
|
||||||
|
def test_overflow_segfault(self):
|
||||||
|
# Some Pythons fail getting the argument as an integer, and it falls
|
||||||
|
# through to the sequence. Seeing this on 32-bit Windows.
|
||||||
|
diff --git a/src/path.c b/src/path.c
|
||||||
|
index eb1e065..5215f87 100644
|
||||||
|
--- a/src/path.c
|
||||||
|
+++ b/src/path.c
|
||||||
|
@@ -62,7 +62,7 @@ alloc_array(Py_ssize_t count)
|
||||||
|
PyErr_NoMemory();
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
- xy = malloc(2 * count * sizeof(double) + 1);
|
||||||
|
+ xy = calloc(2 * count + 1, sizeof(double));
|
||||||
|
if (!xy)
|
||||||
|
PyErr_NoMemory();
|
||||||
|
return xy;
|
||||||
|
@@ -330,18 +330,27 @@ path_getbbox(PyPathObject* self, PyObject* args)
|
||||||
|
|
||||||
|
xy = self->xy;
|
||||||
|
|
||||||
|
- x0 = x1 = xy[0];
|
||||||
|
- y0 = y1 = xy[1];
|
||||||
|
-
|
||||||
|
- for (i = 1; i < self->count; i++) {
|
||||||
|
- if (xy[i+i] < x0)
|
||||||
|
- x0 = xy[i+i];
|
||||||
|
- if (xy[i+i] > x1)
|
||||||
|
- x1 = xy[i+i];
|
||||||
|
- if (xy[i+i+1] < y0)
|
||||||
|
- y0 = xy[i+i+1];
|
||||||
|
- if (xy[i+i+1] > y1)
|
||||||
|
- y1 = xy[i+i+1];
|
||||||
|
+ if (self->count == 0) {
|
||||||
|
+ x0 = x1 = 0;
|
||||||
|
+ y0 = y1 = 0;
|
||||||
|
+ } else {
|
||||||
|
+ x0 = x1 = xy[0];
|
||||||
|
+ y0 = y1 = xy[1];
|
||||||
|
+
|
||||||
|
+ for (i = 1; i < self->count; i++) {
|
||||||
|
+ if (xy[i + i] < x0) {
|
||||||
|
+ x0 = xy[i + i];
|
||||||
|
+ }
|
||||||
|
+ if (xy[i + i] > x1) {
|
||||||
|
+ x1 = xy[i + i];
|
||||||
|
+ }
|
||||||
|
+ if (xy[i + i + 1] < y0) {
|
||||||
|
+ y0 = xy[i + i + 1];
|
||||||
|
+ }
|
||||||
|
+ if (xy[i + i + 1] > y1) {
|
||||||
|
+ y1 = xy[i + i + 1];
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
return Py_BuildValue("dddd", x0, y0, x1, y1);
|
41
SOURCES/CVE-2022-22817.patch
Normal file
41
SOURCES/CVE-2022-22817.patch
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
|
||||||
|
index 2329b74..d3b7ba3 100644
|
||||||
|
--- a/Tests/test_imagemath.py
|
||||||
|
+++ b/Tests/test_imagemath.py
|
||||||
|
@@ -58,6 +58,12 @@ class TestImageMath(PillowTestCase):
|
||||||
|
self.assertEqual(pixel(
|
||||||
|
ImageMath.eval("float(B)**33", images)), "F 8589934592.0")
|
||||||
|
|
||||||
|
+ def test_prevent_exec(self):
|
||||||
|
+ self.assertRaises(ValueError, ImageMath.eval("exec('pass')"))
|
||||||
|
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
|
||||||
|
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
|
||||||
|
+
|
||||||
|
+
|
||||||
|
def test_logical(self):
|
||||||
|
self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
|
||||||
|
self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
|
||||||
|
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
|
||||||
|
index c5bea70..13839e4 100644
|
||||||
|
--- a/src/PIL/ImageMath.py
|
||||||
|
+++ b/src/PIL/ImageMath.py
|
||||||
|
@@ -263,7 +263,18 @@ def eval(expression, _dict={}, **kw):
|
||||||
|
if hasattr(v, "im"):
|
||||||
|
args[k] = _Operand(v)
|
||||||
|
|
||||||
|
- out = builtins.eval(expression, args)
|
||||||
|
+ compiled_code = compile(expression, "<string>", "eval")
|
||||||
|
+ def scan(code):
|
||||||
|
+ for const in code.co_consts:
|
||||||
|
+ if type(const) == type(compiled_code):
|
||||||
|
+ scan(const)
|
||||||
|
+
|
||||||
|
+ for name in code.co_names:
|
||||||
|
+ if name not in args and name != "abs":
|
||||||
|
+ raise ValueError(f"'{name}' not allowed")
|
||||||
|
+
|
||||||
|
+ scan(compiled_code)
|
||||||
|
+ out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
|
||||||
|
try:
|
||||||
|
return out.im
|
||||||
|
except AttributeError:
|
@ -8,7 +8,7 @@
|
|||||||
|
|
||||||
Name: python-%{srcname}
|
Name: python-%{srcname}
|
||||||
Version: 5.1.1
|
Version: 5.1.1
|
||||||
Release: 16%{?dist}
|
Release: 18%{?dist}
|
||||||
Summary: Python image processing library
|
Summary: Python image processing library
|
||||||
|
|
||||||
# License: see http://www.pythonware.com/products/pil/license.htm
|
# License: see http://www.pythonware.com/products/pil/license.htm
|
||||||
@ -99,6 +99,20 @@ Patch17: CVE-2021-28678.patch
|
|||||||
# Upstream fix: https://github.com/python-pillow/Pillow/pull/5567
|
# Upstream fix: https://github.com/python-pillow/Pillow/pull/5567
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1982378
|
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1982378
|
||||||
Patch18: CVE-2021-34552.patch
|
Patch18: CVE-2021-34552.patch
|
||||||
|
# CVE-2022-22817: PIL.ImageMath.eval allows evaluation of arbitrary expressions
|
||||||
|
# Upstream fixes:
|
||||||
|
# https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11
|
||||||
|
# https://github.com/python-pillow/Pillow/commit/f84ab3bb8a0a196a52e8a76bebed2853362629de
|
||||||
|
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2042527
|
||||||
|
Patch19: CVE-2022-22817.patch
|
||||||
|
# CVE-2022-22815 python-pillow: improperly initializes ImagePath.Path in path_getbbox() in path.c
|
||||||
|
# CVE-2022-22816 python-pillow: buffer over-read during initialization of ImagePath.Path in path_getbbox() in path.c
|
||||||
|
# Upstream fix: https://github.com/python-pillow/Pillow/commit/5543e4e2d409cd9e409bc64cdc77be0af007a31f
|
||||||
|
# Memory issue fix: https://github.com/python-pillow/Pillow/pull/5958
|
||||||
|
# Tracking bugs:
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2042511
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2042522
|
||||||
|
Patch20: CVE-2022-22815_CVE-2022-22816.patch
|
||||||
|
|
||||||
BuildRequires: freetype-devel
|
BuildRequires: freetype-devel
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -243,6 +257,15 @@ popd
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 11 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-18
|
||||||
|
- Fixup for CVE-2022-22817
|
||||||
|
- Security fixes for CVE-2022-22815, CVE-2022-22816
|
||||||
|
Resolves: rhbz#2042511, rhbz#2042522
|
||||||
|
|
||||||
|
* Fri Feb 04 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-17
|
||||||
|
- Fix for CVE-2022-22817
|
||||||
|
Resolves: rhbz#2042527
|
||||||
|
|
||||||
* Mon Aug 02 2021 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-16
|
* Mon Aug 02 2021 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-16
|
||||||
- Fix for CVE-2021-34552
|
- Fix for CVE-2021-34552
|
||||||
Resolves: rhbz#1982378
|
Resolves: rhbz#1982378
|
||||||
|
Loading…
Reference in New Issue
Block a user