From 7363afd46a6f7cd7c6fe32ca17fee2b9e3216512 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 27 Mar 2024 20:19:08 +0000 Subject: [PATCH] import CS python-pillow-5.1.1-20.el8 --- SOURCES/CVE-2023-44271.patch | 91 ++++++++++++++++++++++++++++++++++++ SOURCES/CVE-2023-50447.patch | 46 ++++++++++++++++++ SPECS/python-pillow.spec | 18 ++++++- 3 files changed, 154 insertions(+), 1 deletion(-) create mode 100644 SOURCES/CVE-2023-44271.patch create mode 100644 SOURCES/CVE-2023-50447.patch diff --git a/SOURCES/CVE-2023-44271.patch b/SOURCES/CVE-2023-44271.patch new file mode 100644 index 0000000..140bf5b --- /dev/null +++ b/SOURCES/CVE-2023-44271.patch @@ -0,0 +1,91 @@ +From fc055dbef875b477c27196e10c61f98aeb23d62c Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Fri, 10 Nov 2023 15:39:41 +0100 +Subject: [PATCH] CVE-2023-44271 + +--- + docs/reference/ImageFont.rst | 9 +++++++++ + src/PIL/ImageFont.py | 12 ++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/docs/reference/ImageFont.rst b/docs/reference/ImageFont.rst +index 76fde44..21b9d9d 100644 +--- a/docs/reference/ImageFont.rst ++++ b/docs/reference/ImageFont.rst +@@ -17,6 +17,15 @@ OpenType fonts (as well as other font formats supported by the FreeType + library). For earlier versions, TrueType support is only available as part of + the imToolkit package + ++.. warning:: ++ To protect against potential DOS attacks when using arbitrary strings as ++ text input, Pillow will raise a ``ValueError`` if the number of characters ++ is over a certain limit, :py:data:`MAX_STRING_LENGTH`. ++ ++ This threshold can be changed by setting ++ :py:data:`MAX_STRING_LENGTH`. It can be disabled by setting ++ ``ImageFont.MAX_STRING_LENGTH = None``. ++ + Example + ------- + +diff --git a/src/PIL/ImageFont.py b/src/PIL/ImageFont.py +index f3b55e0..7e7b62f 100644 +--- a/src/PIL/ImageFont.py ++++ b/src/PIL/ImageFont.py +@@ -39,6 +39,8 @@ class _imagingft_not_installed(object): + def __getattr__(self, id): + raise ImportError("The _imagingft C module is not installed") + ++MAX_STRING_LENGTH = 1_000_000 ++ + + try: + from . import _imagingft as core +@@ -46,6 +48,12 @@ except ImportError: + core = _imagingft_not_installed() + + ++def _string_length_check(text): ++ if MAX_STRING_LENGTH is not None and len(text) > MAX_STRING_LENGTH: ++ msg = "too many characters in string" ++ raise ValueError(msg) ++ ++ + # FIXME: add support for pilfont2 format (see FontFile.py) + + # -------------------------------------------------------------------- +@@ -109,6 +117,7 @@ class ImageFont(object): + self.font = Image.core.font(image.im, data) + + def getsize(self, text, *args, **kwargs): ++ _string_length_check(text) + return self.font.getsize(text) + + def getmask(self, text, mode="", *args, **kwargs): +@@ -154,6 +163,7 @@ class FreeTypeFont(object): + return self.font.ascent, self.font.descent + + def getsize(self, text, direction=None, features=None): ++ _string_length_check(text) + size, offset = self.font.getsize(text, direction, features) + return (size[0] + offset[0], size[1] + offset[1]) + +@@ -164,6 +174,7 @@ class FreeTypeFont(object): + return self.getmask2(text, mode, direction=direction, features=features)[0] + + def getmask2(self, text, mode="", fill=Image.core.fill, direction=None, features=None, *args, **kwargs): ++ _string_length_check(text) + size, offset = self.font.getsize(text, direction, features) + im = fill("L", size, 0) + self.font.render(text, im.id, mode == "1", direction, features) +@@ -205,6 +216,7 @@ class TransposedFont(object): + self.orientation = orientation # any 'transpose' argument, or None + + def getsize(self, text, *args, **kwargs): ++ _string_length_check(text) + w, h = self.font.getsize(text) + if self.orientation in (Image.ROTATE_90, Image.ROTATE_270): + return h, w +-- +2.41.0 + diff --git a/SOURCES/CVE-2023-50447.patch b/SOURCES/CVE-2023-50447.patch new file mode 100644 index 0000000..9c5cae5 --- /dev/null +++ b/SOURCES/CVE-2023-50447.patch @@ -0,0 +1,46 @@ +From 5c3db10f7a9cafd9b2d145a40864a445b2ee6edc Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Thu, 25 Jan 2024 13:23:56 +0100 +Subject: [PATCH] Don't allow __ or builtins in env dictionarys for + ImageMath.eval + +--- + Tests/test_imagemath.py | 5 +++++ + src/PIL/ImageMath.py | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py +index d3b7ba3..2467078 100644 +--- a/Tests/test_imagemath.py ++++ b/Tests/test_imagemath.py +@@ -63,6 +63,11 @@ class TestImageMath(PillowTestCase): + self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()")) + self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()")) + ++ def test_prevent_double_underscores(self): ++ self.assertRaises(ValueError, ImageMath.eval("1", {"__": None})) ++ ++ def test_prevent_builtins(self): ++ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})) + + def test_logical(self): + self.assertEqual(pixel(ImageMath.eval("not A", images)), 0) +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index 13839e4..94108cf 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -257,6 +257,11 @@ def eval(expression, _dict={}, **kw): + + # build execution namespace + args = ops.copy() ++ for k in list(_dict.keys()) + list(kw.keys()): ++ if "__" in k or hasattr(builtins, k): ++ msg = f"'{k}' not allowed" ++ raise ValueError(msg) ++ + args.update(_dict) + args.update(kw) + for k, v in list(args.items()): +-- +2.43.0 + diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec index 0aef0d1..d9e5c21 100644 --- a/SPECS/python-pillow.spec +++ b/SPECS/python-pillow.spec @@ -8,7 +8,7 @@ Name: python-%{srcname} Version: 5.1.1 -Release: 18%{?dist} +Release: 20%{?dist} Summary: Python image processing library # License: see http://www.pythonware.com/products/pil/license.htm @@ -113,6 +113,14 @@ Patch19: CVE-2022-22817.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2042511 # https://bugzilla.redhat.com/show_bug.cgi?id=2042522 Patch20: CVE-2022-22815_CVE-2022-22816.patch +# CVE-2023-44271 python-pillow: uncontrolled resource consumption when textlength +# in an ImageDraw instance operates on a long text argument +# Upstream fix: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 +Patch21: CVE-2023-44271.patch +# CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter +# Upstream fix: https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d +# Patch rebased and tests converted from pytest to unittests. +Patch22: CVE-2023-50447.patch BuildRequires: freetype-devel BuildRequires: gcc @@ -257,6 +265,14 @@ popd %changelog +* Thu Jan 25 2024 Lumír Balhar - 5.1.1-20 +- Security fix for CVE-2023-50447 +Resolves: RHEL-22240 + +* Fri Nov 10 2023 Lumír Balhar - 5.1.1-19 +- Security fix for CVE-2023-44271 +Resolves: RHEL-15460 + * Fri Feb 11 2022 Charalampos Stratakis - 5.1.1-18 - Fixup for CVE-2022-22817 - Security fixes for CVE-2022-22815, CVE-2022-22816