import python-pillow-5.1.1-18.el8

2022-03-29 09:23:53 -04:00 · 2022-03-29 09:23:53 -04:00 · 4f32e54de6
commit 4f32e54de6
parent 3ccb8aabb8
3 changed files with 134 additions and 1 deletions
--- a/SOURCES/CVE-2022-22815_CVE-2022-22816.patch
+++ b/SOURCES/CVE-2022-22815_CVE-2022-22816.patch
@ -0,0 +1,69 @@
+diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
+index 98a6d34..733fd29 100644
+--- a/Tests/test_imagepath.py
+++ b/Tests/test_imagepath.py
+@@ -67,6 +67,11 @@ class TestImagePath(PillowTestCase):
+             p = ImagePath.Path(arr.tostring())
+         self.assertEqual(list(p), [(0.0, 1.0)])
+ 
+    def test_getbbox(self):
+        for coords in (0,1):
+            p = ImagePath.Path(coords)
+            self.assertEqual(p.getbbox(), (0.0, 0.0, 0.0, 0.0))
+
+     def test_overflow_segfault(self):
+         # Some Pythons fail getting the argument as an integer, and it falls
+         # through to the sequence. Seeing this on 32-bit Windows.
+diff --git a/src/path.c b/src/path.c
+index eb1e065..5215f87 100644
+--- a/src/path.c
+++ b/src/path.c
+@@ -62,7 +62,7 @@ alloc_array(Py_ssize_t count)
+         PyErr_NoMemory();
+         return NULL;
+     }
+-    xy = malloc(2 * count * sizeof(double) + 1);
+    xy = calloc(2 * count + 1, sizeof(double));
+     if (!xy)
+         PyErr_NoMemory();
+     return xy;
+@@ -330,18 +330,27 @@ path_getbbox(PyPathObject* self, PyObject* args)
+ 
+     xy = self->xy;
+ 
+-    x0 = x1 = xy[0];
+-    y0 = y1 = xy[1];
+-
+-    for (i = 1; i < self->count; i++) {
+-        if (xy[i+i] < x0)
+-            x0 = xy[i+i];
+-        if (xy[i+i] > x1)
+-            x1 = xy[i+i];
+-        if (xy[i+i+1] < y0)
+-            y0 = xy[i+i+1];
+-        if (xy[i+i+1] > y1)
+-            y1 = xy[i+i+1];
+    if (self->count == 0) {
+        x0 = x1 = 0;
+        y0 = y1 = 0;
+    } else {
+        x0 = x1 = xy[0];
+        y0 = y1 = xy[1];
+
+        for (i = 1; i < self->count; i++) {
+            if (xy[i + i] < x0) {
+                x0 = xy[i + i];
+            }
+            if (xy[i + i] > x1) {
+                x1 = xy[i + i];
+            }
+            if (xy[i + i + 1] < y0) {
+                y0 = xy[i + i + 1];
+            }
+            if (xy[i + i + 1] > y1) {
+                y1 = xy[i + i + 1];
+            }
+        }
+     }
+ 
+     return Py_BuildValue("dddd", x0, y0, x1, y1);
--- a/SOURCES/CVE-2022-22817.patch
+++ b/SOURCES/CVE-2022-22817.patch
@ -0,0 +1,41 @@
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index 2329b74..d3b7ba3 100644
+--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
+@@ -58,6 +58,12 @@ class TestImageMath(PillowTestCase):
+         self.assertEqual(pixel(
+             ImageMath.eval("float(B)**33", images)), "F 8589934592.0")
+ 
+    def test_prevent_exec(self):
+        self.assertRaises(ValueError, ImageMath.eval("exec('pass')"))
+        self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
+        self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
+
+
+     def test_logical(self):
+         self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
+         self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index c5bea70..13839e4 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -263,7 +263,18 @@ def eval(expression, _dict={}, **kw):
+         if hasattr(v, "im"):
+             args[k] = _Operand(v)
+ 
+-    out = builtins.eval(expression, args)
+    compiled_code = compile(expression, "<string>", "eval")
+    def scan(code):
+        for const in code.co_consts:
+            if type(const) == type(compiled_code):
+                scan(const)
+
+        for name in code.co_names:
+            if name not in args and name != "abs":
+                raise ValueError(f"'{name}' not allowed")
+
+    scan(compiled_code)
+    out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
+     try:
+         return out.im
+     except AttributeError:
--- a/SPECS/python-pillow.spec
+++ b/SPECS/python-pillow.spec
@ -8,7 +8,7 @@

 Name:           python-%{srcname}
 Version:        5.1.1
-Release:        16%{?dist}
+Release:        18%{?dist}
 Summary:        Python image processing library

 # License: see http://www.pythonware.com/products/pil/license.htm
@ -99,6 +99,20 @@ Patch17:        CVE-2021-28678.patch
 # Upstream fix: https://github.com/python-pillow/Pillow/pull/5567
 # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1982378
 Patch18:        CVE-2021-34552.patch
+# CVE-2022-22817: PIL.ImageMath.eval allows evaluation of arbitrary expressions
+# Upstream fixes:
+# https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11
+# https://github.com/python-pillow/Pillow/commit/f84ab3bb8a0a196a52e8a76bebed2853362629de
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2042527
+Patch19:        CVE-2022-22817.patch
+# CVE-2022-22815 python-pillow: improperly initializes ImagePath.Path in path_getbbox() in path.c
+# CVE-2022-22816 python-pillow: buffer over-read during initialization of ImagePath.Path in path_getbbox() in path.c
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/5543e4e2d409cd9e409bc64cdc77be0af007a31f
+# Memory issue fix: https://github.com/python-pillow/Pillow/pull/5958
+# Tracking bugs:
+# https://bugzilla.redhat.com/show_bug.cgi?id=2042511
+# https://bugzilla.redhat.com/show_bug.cgi?id=2042522
+Patch20:        CVE-2022-22815_CVE-2022-22816.patch

 BuildRequires:  freetype-devel
 BuildRequires:  gcc
@ -243,6 +257,15 @@ popd


 %changelog
+* Fri Feb 11 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-18
+- Fixup for CVE-2022-22817
+- Security fixes for CVE-2022-22815, CVE-2022-22816
+Resolves: rhbz#2042511, rhbz#2042522
+
+* Fri Feb 04 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-17
+- Fix for CVE-2022-22817
+Resolves: rhbz#2042527
+
 * Mon Aug 02 2021 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-16
 - Fix for CVE-2021-34552
 Resolves: rhbz#1982378