From 7444ceacc9376cee383a2d66aa4dda26f10cc7e4 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Feb 22 2022 17:26:49 +0000
Subject: import python-pillow-5.1.1-18.el8_5
---
diff --git a/SOURCES/CVE-2022-22815_CVE-2022-22816.patch b/SOURCES/CVE-2022-22815_CVE-2022-22816.patch
new file mode 100644
index 0000000..338b113
--- /dev/null
+++ b/SOURCES/CVE-2022-22815_CVE-2022-22816.patch
@@ -0,0 +1,69 @@
+diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
+index 98a6d34..733fd29 100644
+--- a/Tests/test_imagepath.py
++++ b/Tests/test_imagepath.py
+@@ -67,6 +67,11 @@ class TestImagePath(PillowTestCase):
+ p = ImagePath.Path(arr.tostring())
+ self.assertEqual(list(p), [(0.0, 1.0)])
+
++ def test_getbbox(self):
++ for coords in (0,1):
++ p = ImagePath.Path(coords)
++ self.assertEqual(p.getbbox(), (0.0, 0.0, 0.0, 0.0))
++
+ def test_overflow_segfault(self):
+ # Some Pythons fail getting the argument as an integer, and it falls
+ # through to the sequence. Seeing this on 32-bit Windows.
+diff --git a/src/path.c b/src/path.c
+index eb1e065..5215f87 100644
+--- a/src/path.c
++++ b/src/path.c
+@@ -62,7 +62,7 @@ alloc_array(Py_ssize_t count)
+ PyErr_NoMemory();
+ return NULL;
+ }
+- xy = malloc(2 * count * sizeof(double) + 1);
++ xy = calloc(2 * count + 1, sizeof(double));
+ if (!xy)
+ PyErr_NoMemory();
+ return xy;
+@@ -330,18 +330,27 @@ path_getbbox(PyPathObject* self, PyObject* args)
+
+ xy = self->xy;
+
+- x0 = x1 = xy[0];
+- y0 = y1 = xy[1];
+-
+- for (i = 1; i < self->count; i++) {
+- if (xy[i+i] < x0)
+- x0 = xy[i+i];
+- if (xy[i+i] > x1)
+- x1 = xy[i+i];
+- if (xy[i+i+1] < y0)
+- y0 = xy[i+i+1];
+- if (xy[i+i+1] > y1)
+- y1 = xy[i+i+1];
++ if (self->count == 0) {
++ x0 = x1 = 0;
++ y0 = y1 = 0;
++ } else {
++ x0 = x1 = xy[0];
++ y0 = y1 = xy[1];
++
++ for (i = 1; i < self->count; i++) {
++ if (xy[i + i] < x0) {
++ x0 = xy[i + i];
++ }
++ if (xy[i + i] > x1) {
++ x1 = xy[i + i];
++ }
++ if (xy[i + i + 1] < y0) {
++ y0 = xy[i + i + 1];
++ }
++ if (xy[i + i + 1] > y1) {
++ y1 = xy[i + i + 1];
++ }
++ }
+ }
+
+ return Py_BuildValue("dddd", x0, y0, x1, y1);
diff --git a/SOURCES/CVE-2022-22817.patch b/SOURCES/CVE-2022-22817.patch
new file mode 100644
index 0000000..1320b2b
--- /dev/null
+++ b/SOURCES/CVE-2022-22817.patch
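Review bot: The overflow guard that the new `calloc(2 * count + 1, sizeof(double))` relies on sits just above this hunk in alloc_array (only its `PyErr_NoMemory(); return NULL;` arm is visible), and `2 * count + 1` is still computed in Py_ssize_t before calloc can check the nmemb*size product, so please confirm that guard rejects any count for which `2 * count + 1` wraps — a bound of `PY_SSIZE_T_MAX / 2` or tighter — rather than only the old byte-size formula. The spare element has no visible consumer here; a comment such as `/* one spare element — presumably carried over from the old over-allocation, TODO confirm it is still needed */` would keep it from being dropped or "optimised" away without thought. In path_getbbox the `self->count == 0` branch returns (0, 0, 0, 0), which callers cannot tell apart from a one-point path at the origin; raising ValueError would be the stricter contract, but since test_getbbox in this same patch pins the tuple, the choice should at least be documented on getbbox. The `Path(1)` case in that test passes only because calloc zero-fills the array, so a comment saying it is the regression test for CVE-2022-22815 (uninitialised memory) would explain why it asserts all zeros.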
@@ -0,0 +1,41 @@
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index 2329b74..d3b7ba3 100644
+--- a/Tests/test_imagemath.py
++++ b/Tests/test_imagemath.py
+@@ -58,6 +58,12 @@ class TestImageMath(PillowTestCase):
+ self.assertEqual(pixel(
+ ImageMath.eval("float(B)**33", images)), "F 8589934592.0")
+
++ def test_prevent_exec(self):
++ self.assertRaises(ValueError, ImageMath.eval("exec('pass')"))
++ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
++ self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
++
++
+ def test_logical(self):
+ self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
+ self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index c5bea70..13839e4 100644
+--- a/src/PIL/ImageMath.py
++++ b/src/PIL/ImageMath.py
+@@ -263,7 +263,18 @@ def eval(expression, _dict={}, **kw):
+ if hasattr(v, "im"):
+ args[k] = _Operand(v)
+
+- out = builtins.eval(expression, args)
++ compiled_code = compile(expression, "", "eval")
++ def scan(code):
++ for const in code.co_consts:
++ if type(const) == type(compiled_code):
++ scan(const)
++
++ for name in code.co_names:
++ if name not in args and name != "abs":
++ raise ValueError(f"'{name}' not allowed")
++
++ scan(compiled_code)
++ out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
+ try:
+ return out.im
+ except AttributeError:
diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec
index fb5a4f5..f32fde2 100644
--- a/SPECS/python-pillow.spec
+++ b/SPECS/python-pillow.spec
@@ -8,7 +8,7 @@ Name: python-%{srcname}
 Version: 5.1.1
-Release: 16%{?dist}
+Release: 18%{?dist}
 Summary: Python image processing library
 # License: see http://www.pythonware.com/products/pil/license.htm
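Review bot: The globals dict on the new `out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)` line is keyed `"__builtins"`, not `"__builtins__"`, so eval() sees no builtins override and inserts the real `builtins` module under `__builtins__` itself; the intended restriction to `abs` never takes effect and the whole protection rests on the `scan()` name check above it. It should read `out = builtins.eval(expression, {"__builtins__": {"abs": abs}}, args)`, which gives a second layer if a name ever gets past `scan()`. The backported test does not catch this because `self.assertRaises(ValueError, ImageMath.eval("exec('pass')"))` calls `ImageMath.eval` while building assertRaises' arguments, so the ValueError escapes before assertRaises runs and the case errors instead of passing; each line should be `self.assertRaises(ValueError, ImageMath.eval, "exec('pass')")` (likewise for the two lambda strings). `type(const) == type(compiled_code)` would be clearer as `isinstance(const, type(compiled_code))` with a comment noting that lambdas and comprehensions compile to nested code objects with their own co_names, which is why scan() recurses. The enclosing eval() starts and ends outside the hunk.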
@@ -99,6 +99,20 @@ Patch17: CVE-2021-28678.patch
 # Upstream fix: https://github.com/python-pillow/Pillow/pull/5567
 # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1982378
 Patch18: CVE-2021-34552.patch
+# CVE-2022-22817: PIL.ImageMath.eval allows evaluation of arbitrary expressions
+# Upstream fixes:
+# https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11
+# https://github.com/python-pillow/Pillow/commit/f84ab3bb8a0a196a52e8a76bebed2853362629de
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2042527
+Patch19: CVE-2022-22817.patch
+# CVE-2022-22815 python-pillow: improperly initializes ImagePath.Path in path_getbbox() in path.c
+# CVE-2022-22816 python-pillow: buffer over-read during initialization of ImagePath.Path in path_getbbox() in path.c
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/5543e4e2d409cd9e409bc64cdc77be0af007a31f
+# Memory issue fix: https://github.com/python-pillow/Pillow/pull/5958
+# Tracking bugs:
+# https://bugzilla.redhat.com/show_bug.cgi?id=2042511
+# https://bugzilla.redhat.com/show_bug.cgi?id=2042522
+Patch20: CVE-2022-22815_CVE-2022-22816.patch
 BuildRequires: freetype-devel
 BuildRequires: gcc
@@ -243,6 +257,15 @@ popd
 %changelog
+* Fri Feb 11 2022 Charalampos Stratakis - 5.1.1-18
+- Fixup for CVE-2022-22817
+- Security fixes for CVE-2022-22815, CVE-2022-22816
+Resolves: rhbz#2042522
+
+* Fri Feb 04 2022 Charalampos Stratakis - 5.1.1-17
+- Fix for CVE-2022-22817
+Resolves: rhbz#2042527
+
 * Mon Aug 02 2021 Charalampos Stratakis - 5.1.1-16
 - Fix for CVE-2021-34552
 Resolves: rhbz#1982378
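Review bot: Patch19 and Patch20 are declared in the -99 hunk, but no `%patch19 -p1` / `%patch20 -p1` lines appear anywhere in this diff, so the patches are only applied if %prep uses `%autosetup` (or `%autopatch`); that section is outside this diff, so please confirm it, since a declared-but-unapplied patch would ship the CVE fixes in the SRPM but not in the built package. The 5.1.1-18 changelog entry lists only `Resolves: rhbz#2042522`, while the Patch20 comment tracks both rhbz#2042511 and rhbz#2042522; `Resolves: rhbz#2042511, rhbz#2042522` keeps the errata mapping complete.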