From bc0a7a1ccfcee042b4c829a476927dafa157a119 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Feb 19 2024 01:00:04 +0000
Subject: import python-pillow-2.0.0-25.gitd1c6db8.el7_9
---
diff --git a/SOURCES/CVE-2023-50447.patch b/SOURCES/CVE-2023-50447.patch
new file mode 100644
index 0000000..81660fc
--- /dev/null
+++ b/SOURCES/CVE-2023-50447.patch
@@ -0,0 +1,47 @@
+From cf8d70b86f0d5ee9e72a1e69ad76cf5831f977fa Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Thu, 8 Feb 2024 21:32:44 +0100
+Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
+ ImageMath.eval
+
+---
+ PIL/ImageMath.py | 5 +++++
+ Tests/test_imagemath.py | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/PIL/ImageMath.py b/PIL/ImageMath.py
+index 5312207..13550a9 100644
+--- a/PIL/ImageMath.py
++++ b/PIL/ImageMath.py
+@@ -213,6 +213,11 @@ def eval(expression, _dict={}, **kw):
+
+ # build execution namespace
+ args = ops.copy()
++ for k in list(_dict.keys()) + list(kw.keys()):
++ if "__" in k or hasattr(builtins, k):
++ msg = "'{0}' not allowed".format(k)
++ raise ValueError(msg)
++
+ args.update(_dict)
+ args.update(kw)
+ for k, v in list(args.items()):
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index da9d1d7..aaf32cf 100644
+--- a/Tests/test_imagemath.py
++++ b/Tests/test_imagemath.py
+@@ -45,6 +45,12 @@ def test_ops():
+ assert_equal(pixel(ImageMath.eval("float(B)**2", images)), "F 4.0")
+ assert_equal(pixel(ImageMath.eval("float(B)**33", images)), "F 8589934592.0")
+
++def test_prevent_double_underscores():
++ assert_exception(ValueError, lambda: ImageMath.eval("1", {"__": None}))
++
++def test_prevent_builtins():
++ assert_exception(ValueError, lambda: ImageMath.eval("(lambda: isinstance('a', str))()", {"isinstance": None}))
++
+ def test_logical():
+ assert_exception(ValueError, ImageMath.eval("exit()"))
+ assert_exception(ValueError, ImageMath.eval("(lambda:(exit()))()"))
+--
+2.43.0
+
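Review bot: The new key check in ImageMath.eval raises TypeError instead of the intended ValueError when a key in `_dict` is not a string, because `"__" in k` runs before anything establishes the key's type; before this patch such a key was simply merged by the `args.update(_dict)` that follows. Rejecting it explicitly keeps the error contract uniform, e.g. `if not isinstance(k, str) or "__" in k or hasattr(builtins, k):`, though in this py2/py3-compatible tree the unicode-vs-str distinction needs checking before adopting that line. A why-comment above the loop would also help the next reader, e.g. `# Caller-supplied names become part of the eval namespace: refuse dunder names and anything that shadows a builtin.` The body of eval continues outside the hunk, so I cannot see from here whether `builtins` is bound in this 2.0.0 module; worth confirming, since the py2 spelling of that module differs.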
diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec
index ab25e95..88ac2e0 100644
--- a/SPECS/python-pillow.spec
+++ b/SPECS/python-pillow.spec
@@ -23,7 +23,7 @@
 Name: python-pillow
 Version: 2.0.0
-Release: 24%{?snap}%{?dist}
+Release: 25%{?snap}%{?dist}
 Summary: Python image processing library
 # License: see http://www.pythonware.com/products/pil/license.htm
@@ -71,6 +71,10 @@ Patch20: CVE-2022-22815_CVE-2022-22816.patch
 # in an ImageDraw instance operates on a long text argument
 # Upstream fix: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
 Patch21: CVE-2023-44271.patch
+# CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d
+# Patch rebased and tests converted from pytest to unittests.
+Patch22: CVE-2023-50447.patch
 BuildRequires: python2-devel
@@ -244,6 +248,7 @@ PIL image wrapper for Qt.
 %patch19 -p1 -b .CVE-2022-22817
 %patch20 -p1 -b .CVE-2022-22815_CVE-2022-22816
 %patch21 -p1 -b .CVE-2023-44271
+%patch22 -p1 -b .CVE-2023-50447
 %if %{with_python3}
 # Create Python 3 source tree
@@ -401,6 +406,10 @@ popd
 %endif
 %changelog
+* Thu Feb 08 2024 Lumír Balhar - 2.0.0-25gitd1c6db8
+- Security fix for CVE-2023-50447
+Resolves: RHEL-22239
+
 * Mon Nov 13 2023 Lumír Balhar - 2.0.0-24gitd1c6db8
 - Security fix for CVE-2023-44271
 Resolves: RHEL-15459