Security fix for CVE-2023-50447

Resolves: RHEL-22240
This commit is contained in:
Lumir Balhar 2024-01-25 13:25:10 +01:00
parent 979e153666
commit fe69c9d81a
2 changed files with 55 additions and 1 deletions

46
CVE-2023-50447.patch Normal file
View File

@ -0,0 +1,46 @@
From 5c3db10f7a9cafd9b2d145a40864a445b2ee6edc Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Thu, 25 Jan 2024 13:23:56 +0100
Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
ImageMath.eval
---
Tests/test_imagemath.py | 5 +++++
src/PIL/ImageMath.py | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
index d3b7ba3..2467078 100644
--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
@@ -63,6 +63,11 @@ class TestImageMath(PillowTestCase):
self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
+ def test_prevent_double_underscores(self):
+ self.assertRaises(ValueError, ImageMath.eval("1", {"__": None}))
+
+ def test_prevent_builtins(self):
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}))
def test_logical(self):
self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index 13839e4..94108cf 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@@ -257,6 +257,11 @@ def eval(expression, _dict={}, **kw):
# build execution namespace
args = ops.copy()
+ for k in list(_dict.keys()) + list(kw.keys()):
+ if "__" in k or hasattr(builtins, k):
+ msg = f"'{k}' not allowed"
+ raise ValueError(msg)
+
args.update(_dict)
args.update(kw)
for k, v in list(args.items()):
--
2.43.0

View File

@ -8,7 +8,7 @@
Name: python-%{srcname} Name: python-%{srcname}
Version: 5.1.1 Version: 5.1.1
Release: 19%{?dist} Release: 20%{?dist}
Summary: Python image processing library Summary: Python image processing library
# License: see http://www.pythonware.com/products/pil/license.htm # License: see http://www.pythonware.com/products/pil/license.htm
@ -117,6 +117,10 @@ Patch20: CVE-2022-22815_CVE-2022-22816.patch
# in an ImageDraw instance operates on a long text argument # in an ImageDraw instance operates on a long text argument
# Upstream fix: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 # Upstream fix: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
Patch21: CVE-2023-44271.patch Patch21: CVE-2023-44271.patch
# CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter
# Upstream fix: https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d
# Patch rebased and tests converted from pytest to unittests.
Patch22: CVE-2023-50447.patch
BuildRequires: freetype-devel BuildRequires: freetype-devel
BuildRequires: gcc BuildRequires: gcc
@ -261,6 +265,10 @@ popd
%changelog %changelog
* Thu Jan 25 2024 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-20
- Security fix for CVE-2023-50447
Resolves: RHEL-22240
* Fri Nov 10 2023 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-19 * Fri Nov 10 2023 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-19
- Security fix for CVE-2023-44271 - Security fix for CVE-2023-44271
Resolves: RHEL-15460 Resolves: RHEL-15460