- Security fix for CVE-2023-50447
							parent
							
								
									348a191152
								
							
						
					
					
						commit
						702e7466a9
					
				
							
								
								
									
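--- /dev/null
+++ b/SOURCES/CVE-2023-50447.patch
@@ -0,0 +1,46 @@
+From 5c3db10f7a9cafd9b2d145a40864a445b2ee6edc Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Thu, 25 Jan 2024 13:23:56 +0100
+Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
+ ImageMath.eval
+
+---
+ Tests/test_imagemath.py | 5 +++++
+ src/PIL/ImageMath.py    | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index d3b7ba3..2467078 100644
+--- a/Tests/test_imagemath.py
++++ b/Tests/test_imagemath.py
+@@ -63,6 +63,11 @@ class TestImageMath(PillowTestCase):
+         self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
+         self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
+ 
++    def test_prevent_double_underscores(self):
++        self.assertRaises(ValueError, ImageMath.eval("1", {"__": None}))
++    
++    def test_prevent_builtins(self):
++        self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}))
+ 
+     def test_logical(self):
+         self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 13839e4..94108cf 100644
+--- a/src/PIL/ImageMath.py
++++ b/src/PIL/ImageMath.py
+@@ -257,6 +257,11 @@ def eval(expression, _dict={}, **kw):
+ 
+     # build execution namespace
+     args = ops.copy()
++    for k in list(_dict.keys()) + list(kw.keys()):
++        if "__" in k or hasattr(builtins, k):
++            msg = f"'{k}' not allowed"
++            raise ValueError(msg)
++
+     args.update(_dict)
+     args.update(kw)
+     for k, v in list(args.items()):
+-- 
+2.43.0
+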
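Review bot: The two new tests in the Tests/test_imagemath.py hunk call `ImageMath.eval(...)` eagerly as an argument to `assertRaises`, so the ValueError is raised while the arguments are evaluated and escapes the test method as an error instead of being caught by the assertion; pass the callable and its arguments separately, `self.assertRaises(ValueError, ImageMath.eval, "1", {"__": None})` and `self.assertRaises(ValueError, ImageMath.eval, "(lambda: exec('exit()'))()", {"exec": None})`. The surrounding context lines use the same pattern, so the existing exec-based tests presumably have the same problem and are worth fixing in this backport. The src/PIL/ImageMath.py hunk relies on a module-level `builtins` name that the hunk does not import; confirm that ImageMath.py in the 5.1.1 sources already binds it, otherwise `hasattr(builtins, k)` raises NameError rather than the intended ValueError for the first key without `__`. The enclosing `eval` function starts before and continues after the hunk.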
| @ -8,7 +8,7 @@ | |||||||
| 
 | 
 | ||||||
| Name:           python-%{srcname} | Name:           python-%{srcname} | ||||||
| Version:        5.1.1 | Version:        5.1.1 | ||||||
| Release:        18%{?dist} | Release:        18%{?dist}.1.alma.1 | ||||||
| Summary:        Python image processing library | Summary:        Python image processing library | ||||||
| 
 | 
 | ||||||
| # License: see http://www.pythonware.com/products/pil/license.htm | # License: see http://www.pythonware.com/products/pil/license.htm | ||||||
| @ -114,6 +114,10 @@ Patch19:        CVE-2022-22817.patch | |||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2042522 | # https://bugzilla.redhat.com/show_bug.cgi?id=2042522 | ||||||
| Patch20:        CVE-2022-22815_CVE-2022-22816.patch | Patch20:        CVE-2022-22815_CVE-2022-22816.patch | ||||||
| 
 | 
 | ||||||
|  | # Patches were taken from: | ||||||
|  | # https://gitlab.com/redhat/centos-stream/rpms/python-pillow/-/commit/fe69c9d81a71cd326d14cdda766257aa63a5f8eb | ||||||
|  | Patch21:        CVE-2023-50447.patch | ||||||
|  | 
 | ||||||
| BuildRequires:  freetype-devel | BuildRequires:  freetype-devel | ||||||
| BuildRequires:  gcc | BuildRequires:  gcc | ||||||
| BuildRequires:  ghostscript | BuildRequires:  ghostscript | ||||||
| @ -257,6 +261,9 @@ popd | |||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Wed Feb 21 2024 Eduard Abdullin <eabdullin@almalinux.org> - 5.1.1-18.1.alma.1 | ||||||
|  | - Security fix for CVE-2023-50447	 | ||||||
|  |    | ||||||
| * Fri Feb 11 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-18 | * Fri Feb 11 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-18 | ||||||
| - Fixup for CVE-2022-22817 | - Fixup for CVE-2022-22817 | ||||||
| - Security fixes for CVE-2022-22815, CVE-2022-22816 | - Security fixes for CVE-2022-22815, CVE-2022-22816 | ||||||
|  | |||||||