import CS python-pillow-5.1.1-20.el8

2024-03-27 20:19:08 +00:00 · 2024-03-27 20:19:08 +00:00 · 7363afd46a
commit 7363afd46a
parent 4f32e54de6
3 changed files with 154 additions and 1 deletions
--- a/SOURCES/CVE-2023-44271.patch
+++ b/SOURCES/CVE-2023-44271.patch
@ -0,0 +1,91 @@
 From fc055dbef875b477c27196e10c61f98aeb23d62c Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Fri, 10 Nov 2023 15:39:41 +0100
 Subject: [PATCH] CVE-2023-44271
 ---
 docs/reference/ImageFont.rst |  9 +++++++++
 src/PIL/ImageFont.py         | 12 ++++++++++++
 2 files changed, 21 insertions(+)
 diff --git a/docs/reference/ImageFont.rst b/docs/reference/ImageFont.rst
 index 76fde44..21b9d9d 100644
 --- a/docs/reference/ImageFont.rst
 +++ b/docs/reference/ImageFont.rst
@@ -17,6 +17,15 @@ OpenType fonts (as well as other font formats supported by the FreeType
 library). For earlier versions, TrueType support is only available as part of
 the imToolkit package
 +.. warning::
 +    To protect against potential DOS attacks when using arbitrary strings as
 +    text input, Pillow will raise a ``ValueError`` if the number of characters
 +    is over a certain limit, :py:data:`MAX_STRING_LENGTH`.
 +
 +    This threshold can be changed by setting
 +    :py:data:`MAX_STRING_LENGTH`. It can be disabled by setting
 +    ``ImageFont.MAX_STRING_LENGTH = None``.
 +
 Example
 -------
 diff --git a/src/PIL/ImageFont.py b/src/PIL/ImageFont.py
 index f3b55e0..7e7b62f 100644
 --- a/src/PIL/ImageFont.py
 +++ b/src/PIL/ImageFont.py
@@ -39,6 +39,8 @@ class _imagingft_not_installed(object):
     def __getattr__(self, id):
         raise ImportError("The _imagingft C module is not installed")
 +MAX_STRING_LENGTH = 1_000_000
 +
 try:
     from . import _imagingft as core
@@ -46,6 +48,12 @@ except ImportError:
     core = _imagingft_not_installed()
 +def _string_length_check(text):
 +    if MAX_STRING_LENGTH is not None and len(text) > MAX_STRING_LENGTH:
 +        msg = "too many characters in string"
 +        raise ValueError(msg)
 +
 +
 # FIXME: add support for pilfont2 format (see FontFile.py)
 # --------------------------------------------------------------------
@@ -109,6 +117,7 @@ class ImageFont(object):
         self.font = Image.core.font(image.im, data)
     def getsize(self, text, *args, **kwargs):
 +        _string_length_check(text)
         return self.font.getsize(text)
     def getmask(self, text, mode="", *args, **kwargs):
@@ -154,6 +163,7 @@ class FreeTypeFont(object):
         return self.font.ascent, self.font.descent
     def getsize(self, text, direction=None, features=None):
 +        _string_length_check(text)
         size, offset = self.font.getsize(text, direction, features)
         return (size[0] + offset[0], size[1] + offset[1])
@@ -164,6 +174,7 @@ class FreeTypeFont(object):
         return self.getmask2(text, mode, direction=direction, features=features)[0]
     def getmask2(self, text, mode="", fill=Image.core.fill, direction=None, features=None, *args, **kwargs):
 +        _string_length_check(text)
         size, offset = self.font.getsize(text, direction, features)
         im = fill("L", size, 0)
         self.font.render(text, im.id, mode == "1", direction, features)
@@ -205,6 +216,7 @@ class TransposedFont(object):
         self.orientation = orientation  # any 'transpose' argument, or None
     def getsize(self, text, *args, **kwargs):
 +        _string_length_check(text)
         w, h = self.font.getsize(text)
         if self.orientation in (Image.ROTATE_90, Image.ROTATE_270):
             return h, w
 -- 
 2.41.0
--- a/SOURCES/CVE-2023-50447.patch
+++ b/SOURCES/CVE-2023-50447.patch
@ -0,0 +1,46 @@
 From 5c3db10f7a9cafd9b2d145a40864a445b2ee6edc Mon Sep 17 00:00:00 2001
 From: Eric Soroos <eric-github@soroos.net>
 Date: Thu, 25 Jan 2024 13:23:56 +0100
 Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
 ImageMath.eval
 ---
 Tests/test_imagemath.py | 5 +++++
 src/PIL/ImageMath.py    | 5 +++++
 2 files changed, 10 insertions(+)
 diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
 index d3b7ba3..2467078 100644
 --- a/Tests/test_imagemath.py
 +++ b/Tests/test_imagemath.py
@@ -63,6 +63,11 @@ class TestImageMath(PillowTestCase):
         self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
         self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
 +    def test_prevent_double_underscores(self):
 +        self.assertRaises(ValueError, ImageMath.eval("1", {"__": None}))
 +    
 +    def test_prevent_builtins(self):
 +        self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}))
     def test_logical(self):
         self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
 diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
 index 13839e4..94108cf 100644
 --- a/src/PIL/ImageMath.py
 +++ b/src/PIL/ImageMath.py
@@ -257,6 +257,11 @@ def eval(expression, _dict={}, **kw):
     # build execution namespace
     args = ops.copy()
 +    for k in list(_dict.keys()) + list(kw.keys()):
 +        if "__" in k or hasattr(builtins, k):
 +            msg = f"'{k}' not allowed"
 +            raise ValueError(msg)
 +
     args.update(_dict)
     args.update(kw)
     for k, v in list(args.items()):
 -- 
 2.43.0
--- a/SPECS/python-pillow.spec
+++ b/SPECS/python-pillow.spec
@ -8,7 +8,7 @@
 Name:           python-%{srcname}
 Version:        5.1.1
-Release:        18%{?dist}
+Release:        20%{?dist}
 Summary:        Python image processing library
 # License: see http://www.pythonware.com/products/pil/license.htm
@ -113,6 +113,14 @@ Patch19:        CVE-2022-22817.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2042511
 # https://bugzilla.redhat.com/show_bug.cgi?id=2042522
 Patch20:        CVE-2022-22815_CVE-2022-22816.patch
 # CVE-2023-44271 python-pillow: uncontrolled resource consumption when textlength
 # in an ImageDraw instance operates on a long text argument
 # Upstream fix: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
 Patch21:        CVE-2023-44271.patch
 # CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter
 # Upstream fix: https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d
 # Patch rebased and tests converted from pytest to unittests.
 Patch22:        CVE-2023-50447.patch
 BuildRequires:  freetype-devel
 BuildRequires:  gcc
@ -257,6 +265,14 @@ popd
 %changelog
 * Thu Jan 25 2024 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-20
 - Security fix for CVE-2023-50447
 Resolves: RHEL-22240
 * Fri Nov 10 2023 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-19
 - Security fix for CVE-2023-44271
 Resolves: RHEL-15460
 * Fri Feb 11 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-18
 - Fixup for CVE-2022-22817
 - Security fixes for CVE-2022-22815, CVE-2022-22816