From 702e7466a952c8bc0e79173e9fa6f9a63498dc14 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 21 Feb 2024 12:38:34 +0300
Subject: [PATCH] - Security fix for CVE-2023-50447
---
 SOURCES/CVE-2023-50447.patch | 46 ++++++++++++++++++++++++++++++++++++
 SPECS/python-pillow.spec | 9 ++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/CVE-2023-50447.patch
diff --git a/SOURCES/CVE-2023-50447.patch b/SOURCES/CVE-2023-50447.patch
new file mode 100644
index 0000000..9c5cae5
--- /dev/null
+++ b/SOURCES/CVE-2023-50447.patch
@@ -0,0 +1,46 @@
+From 5c3db10f7a9cafd9b2d145a40864a445b2ee6edc Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Thu, 25 Jan 2024 13:23:56 +0100
+Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
+ ImageMath.eval
+
+---
+ Tests/test_imagemath.py | 5 +++++
+ src/PIL/ImageMath.py | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index d3b7ba3..2467078 100644
+--- a/Tests/test_imagemath.py
++++ b/Tests/test_imagemath.py
+@@ -63,6 +63,11 @@ class TestImageMath(PillowTestCase):
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
+
++ def test_prevent_double_underscores(self):
++ self.assertRaises(ValueError, ImageMath.eval("1", {"__": None}))
++
++ def test_prevent_builtins(self):
++ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}))
+
+ def test_logical(self):
+ self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 13839e4..94108cf 100644
+--- a/src/PIL/ImageMath.py
++++ b/src/PIL/ImageMath.py
+@@ -257,6 +257,11 @@ def eval(expression, _dict={}, **kw):
+
+ # build execution namespace
+ args = ops.copy()
++ for k in list(_dict.keys()) + list(kw.keys()):
++ if "__" in k or hasattr(builtins, k):
++ msg = f"'{k}' not allowed"
++ raise ValueError(msg)
++
+ args.update(_dict)
+ args.update(kw)
+ for k, v in list(args.items()):
+--
+2.43.0
+
diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec
index f32fde2..3eab4c9 100644
--- a/SPECS/python-pillow.spec
+++ b/SPECS/python-pillow.spec
@@ -8,7 +8,7 @@ Name: python-%{srcname}
 Version: 5.1.1
-Release: 18%{?dist}
+Release: 18%{?dist}.1.alma.1
 Summary: Python image processing library
 # License: see http://www.pythonware.com/products/pil/license.htm
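Review bot: The two new test methods call `ImageMath.eval(...)` eagerly inside the `assertRaises` argument list, so the ValueError is raised while the arguments are being evaluated and the test errors out instead of passing — the pre-existing lines above them have the same shape, which may mean this file is not run in `%check`, so the fix is not actually exercised at build time. Pass the callable and its arguments separately: `self.assertRaises(ValueError, ImageMath.eval, "1", {"__": None})` and `self.assertRaises(ValueError, ImageMath.eval, "(lambda: exec('exit()'))()", {"exec": None})`. The guard added to `eval` is placed correctly before `args.update`, but it relies on the `builtins` module being in scope and on f-string syntax, neither of which this hunk introduces into a 5.1.1 code base — confirm that the target `ImageMath.py` already imports `builtins` and that every interpreter this spec builds for is 3.6 or newer, or use `"'%s' not allowed" % k`. The body of `eval` continues past the end of the hunk.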
@@ -114,6 +114,10 @@ Patch19: CVE-2022-22817.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2042522
 Patch20: CVE-2022-22815_CVE-2022-22816.patch
+# Patches were taken from:
+# https://gitlab.com/redhat/centos-stream/rpms/python-pillow/-/commit/fe69c9d81a71cd326d14cdda766257aa63a5f8eb
+Patch21: CVE-2023-50447.patch
+
 BuildRequires: freetype-devel
 BuildRequires: gcc
 BuildRequires: ghostscript
@@ -257,6 +261,9 @@ popd
 %changelog
+* Wed Feb 21 2024 Eduard Abdullin - 5.1.1-18.1.alma.1
+- Security fix for CVE-2023-50447
+
 * Fri Feb 11 2022 Charalampos Stratakis - 5.1.1-18
 - Fixup for CVE-2022-22817
 - Security fixes for CVE-2022-22815, CVE-2022-22816
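Review bot: `Patch21:` is only declared here; whether it is applied depends on the `%prep` section, which is outside this hunk — if the spec applies patches with explicit `%patchN -p1` lines rather than `%autosetup`/`%autopatch`, a matching `%patch21 -p1` is needed or the CVE-2023-50447 fix is never built into the package. A quick post-build check is that the installed `PIL/ImageMath.py` contains the new `not allowed` guard. The source comment above the patch is helpful; it would also be worth naming the upstream commit it backports (`5c3db10f`, visible in the patch header) so the next rebase can reconcile it, e.g. `# Backport of upstream 5c3db10f (Pillow 10.2.0)`.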