Security fix for CVE-2023-50447

Resolves: RHEL-22240
2024-01-25 13:25:10 +01:00 · 2024-01-25 13:25:10 +01:00 · fe69c9d81a
parent 979e153666
commit fe69c9d81a
2 changed files with 55 additions and 1 deletions
--- a/CVE-2023-50447.patch
+++ b/CVE-2023-50447.patch
@ -0,0 +1,46 @@
+From 5c3db10f7a9cafd9b2d145a40864a445b2ee6edc Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Thu, 25 Jan 2024 13:23:56 +0100
+Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
+ ImageMath.eval
+
+---
+ Tests/test_imagemath.py | 5 +++++
+ src/PIL/ImageMath.py    | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index d3b7ba3..2467078 100644
+--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
+@@ -63,6 +63,11 @@ class TestImageMath(PillowTestCase):
+         self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
+         self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
+ 
+    def test_prevent_double_underscores(self):
+        self.assertRaises(ValueError, ImageMath.eval("1", {"__": None}))
+    
+    def test_prevent_builtins(self):
+        self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}))
+ 
+     def test_logical(self):
+         self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 13839e4..94108cf 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -257,6 +257,11 @@ def eval(expression, _dict={}, **kw):
+ 
+     # build execution namespace
+     args = ops.copy()
+    for k in list(_dict.keys()) + list(kw.keys()):
+        if "__" in k or hasattr(builtins, k):
+            msg = f"'{k}' not allowed"
+            raise ValueError(msg)
+
+     args.update(_dict)
+     args.update(kw)
+     for k, v in list(args.items()):
+-- 
+2.43.0
+
--- a/python-pillow.spec
+++ b/python-pillow.spec
@ -8,7 +8,7 @@

 Name:           python-%{srcname}
 Version:        5.1.1
-Release:        19%{?dist}
+Release:        20%{?dist}
 Summary:        Python image processing library

 # License: see http://www.pythonware.com/products/pil/license.htm
@ -117,6 +117,10 @@ Patch20:        CVE-2022-22815_CVE-2022-22816.patch
 # in an ImageDraw instance operates on a long text argument
 # Upstream fix: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
 Patch21:        CVE-2023-44271.patch
+# CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d
+# Patch rebased and tests converted from pytest to unittests.
+Patch22:        CVE-2023-50447.patch

 BuildRequires:  freetype-devel
 BuildRequires:  gcc
@ -261,6 +265,10 @@ popd


 %changelog
+* Thu Jan 25 2024 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-20
+- Security fix for CVE-2023-50447
+Resolves: RHEL-22240
+
 * Fri Nov 10 2023 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-19
 - Security fix for CVE-2023-44271
 Resolves: RHEL-15460