From fc1e26b17804045f6bba36781c2a761f31fb8b3b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 22 2022 14:21:13 +0000 Subject: import python-pillow-2.0.0-23.gitd1c6db8.el7_9 --- diff --git a/SOURCES/CVE-2022-22815_CVE-2022-22816.patch b/SOURCES/CVE-2022-22815_CVE-2022-22816.patch new file mode 100644 index 0000000..bbe0e43 --- /dev/null +++ b/SOURCES/CVE-2022-22815_CVE-2022-22816.patch @@ -0,0 +1,66 @@ +diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py +index beadff1..a0dee28 100644 +--- a/Tests/test_imagepath.py ++++ b/Tests/test_imagepath.py +@@ -47,3 +47,8 @@ def test_path(): + assert_equal(list(p), [(0.0, 1.0)]) + p = ImagePath.Path(array.array("f", [0, 1]).tostring()) + assert_equal(list(p), [(0.0, 1.0)]) ++ ++def test_getbbox(): ++ for coords in (0,1): ++ p = ImagePath.Path(coords) ++ assert_equal(p.getbbox(), (0.0, 0.0, 0.0, 0.0)) +diff --git a/path.c b/path.c +index 871da93..059e738 100644 +--- a/path.c ++++ b/path.c +@@ -57,7 +57,7 @@ alloc_array(Py_ssize_t count) + PyErr_NoMemory(); + return NULL; + } +- xy = malloc(2 * count * sizeof(double) + 1); ++ xy = calloc(2 * count + 1, sizeof(double)); + if (!xy) + PyErr_NoMemory(); + return xy; +@@ -336,18 +336,27 @@ path_getbbox(PyPathObject* self, PyObject* args) + + xy = self->xy; + +- x0 = x1 = xy[0]; +- y0 = y1 = xy[1]; +- +- for (i = 1; i < self->count; i++) { +- if (xy[i+i] < x0) +- x0 = xy[i+i]; +- if (xy[i+i] > x1) +- x1 = xy[i+i]; +- if (xy[i+i+1] < y0) +- y0 = xy[i+i+1]; +- if (xy[i+i+1] > y1) +- y1 = xy[i+i+1]; ++ if (self->count == 0) { ++ x0 = x1 = 0; ++ y0 = y1 = 0; ++ } else { ++ x0 = x1 = xy[0]; ++ y0 = y1 = xy[1]; ++ ++ for (i = 1; i < self->count; i++) { ++ if (xy[i + i] < x0) { ++ x0 = xy[i + i]; ++ } ++ if (xy[i + i] > x1) { ++ x1 = xy[i + i]; ++ } ++ if (xy[i + i + 1] < y0) { ++ y0 = xy[i + i + 1]; ++ } ++ if (xy[i + i + 1] > y1) { ++ y1 = xy[i + i + 1]; ++ } ++ } + } + + return Py_BuildValue("dddd", x0, y0, x1, y1); diff --git a/SOURCES/CVE-2022-22817.patch b/SOURCES/CVE-2022-22817.patch new file mode 100644 index 0000000..ca8bc4e --- /dev/null +++ b/SOURCES/CVE-2022-22817.patch @@ -0,0 +1,41 @@ +diff --git a/PIL/ImageMath.py b/PIL/ImageMath.py +index 6548b03..5312207 100644 +--- a/PIL/ImageMath.py ++++ b/PIL/ImageMath.py +@@ -219,7 +219,18 @@ def eval(expression, _dict={}, **kw): + if hasattr(v, "im"): + args[k] = _Operand(v) + +- out = builtins.eval(expression, args) ++ compiled_code = compile(expression, "", "eval") ++ def scan(code): ++ for const in code.co_consts: ++ if type(const) == type(compiled_code): ++ scan(const) ++ ++ for name in code.co_names: ++ if name not in args and name != "abs": ++ raise ValueError("'{0}' not allowed".format(name)) ++ ++ scan(compiled_code) ++ out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args) + try: + return out.im + except AttributeError: +diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py +index eaeb711..da9d1d7 100644 +--- a/Tests/test_imagemath.py ++++ b/Tests/test_imagemath.py +@@ -45,6 +45,12 @@ def test_ops(): + assert_equal(pixel(ImageMath.eval("float(B)**2", images)), "F 4.0") + assert_equal(pixel(ImageMath.eval("float(B)**33", images)), "F 8589934592.0") + ++def test_logical(): ++ assert_exception(ValueError, ImageMath.eval("exit()")) ++ assert_exception(ValueError, ImageMath.eval("(lambda:(exit()))()")) ++ assert_exception(ValueError, ImageMath.eval("(lambda:(exit())())()")) ++ ++ + def test_logical(): + assert_equal(pixel(ImageMath.eval("not A", images)), 0) + assert_equal(pixel(ImageMath.eval("A and B", images)), "L 2") diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec index c107b13..0aeef05 100644 --- a/SPECS/python-pillow.spec +++ b/SPECS/python-pillow.spec @@ -1,4 +1,4 @@ -%global py2_incdir %{_includedir}/python%{python_version} +%global py2_incdir %{_includedir}/python%{python2_version} %global py3_incdir %{_includedir}/python%{python3_version} %global name3 python3-pillow @@ -23,7 +23,7 @@ Name: python-pillow Version: 2.0.0 -Release: 21%{?snap}%{?dist} +Release: 23%{?snap}%{?dist} Summary: Python image processing library # License: see http://www.pythonware.com/products/pil/license.htm @@ -53,6 +53,21 @@ Patch4: CVE-2020-5312_CVE-2019-16865.patch # Upstream fix: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b?patch # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1789532 Patch5: CVE-2020-5313.patch +# CVE-2022-22817: PIL.ImageMath.eval allows evaluation of arbitrary expressions +# Upstream fixes: +# https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11 +# https://github.com/python-pillow/Pillow/commit/f84ab3bb8a0a196a52e8a76bebed2853362629de +# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2042527 +Patch19: CVE-2022-22817.patch +# CVE-2022-22815 python-pillow: improperly initializes ImagePath.Path in path_getbbox() in path.c +# CVE-2022-22816 python-pillow: buffer over-read during initialization of ImagePath.Path in path_getbbox() in path.c +# Upstream fix: https://github.com/python-pillow/Pillow/commit/5543e4e2d409cd9e409bc64cdc77be0af007a31f +# Memory issue fix: https://github.com/python-pillow/Pillow/pull/5958 +# Tracking bugs: +# https://bugzilla.redhat.com/show_bug.cgi?id=2042511 +# https://bugzilla.redhat.com/show_bug.cgi?id=2042522 +Patch20: CVE-2022-22815_CVE-2022-22816.patch + BuildRequires: python2-devel BuildRequires: python-setuptools @@ -86,7 +101,7 @@ Obsoletes: python-imaging <= 1.1.7-12 Provides: python3-imaging = %{version}-%{release} %endif -%filter_provides_in %{python_sitearch} +%filter_provides_in %{python2_sitearch} %filter_provides_in %{python3_sitearch} %filter_setup @@ -222,6 +237,8 @@ PIL image wrapper for Qt. %patch3 -p1 -b .memleaks %patch4 -p2 -b .cves %patch5 -p2 -b .cve_2020_5313 +%patch19 -p1 -b .CVE-2022-22817 +%patch20 -p1 -b .CVE-2022-22815_CVE-2022-22816 %if %{with_python3} # Create Python 3 source tree @@ -232,11 +249,11 @@ cp -a . %{py3dir} %build # Build Python 2 modules -find -name '*.py' | xargs sed -i '1s|^#!.*python|#!%{__python}|' -CFLAGS="$RPM_OPT_FLAGS" %{__python} setup.py build +find -name '*.py' | xargs sed -i '1s|^#!.*python|#!%{__python2}|' +CFLAGS="$RPM_OPT_FLAGS" %{__python2} setup.py build pushd Sane -CFLAGS="$RPM_OPT_FLAGS" %{__python} setup.py build +CFLAGS="$RPM_OPT_FLAGS" %{__python2} setup.py build popd pushd docs @@ -268,9 +285,9 @@ rm -rf $RPM_BUILD_ROOT # Install Python 2 modules install -d $RPM_BUILD_ROOT/%{py2_incdir}/Imaging install -m 644 libImaging/*.h $RPM_BUILD_ROOT/%{py2_incdir}/Imaging -%{__python} setup.py install --skip-build --root $RPM_BUILD_ROOT +%{__python2} setup.py install --skip-build --root $RPM_BUILD_ROOT pushd Sane -%{__python} setup.py install --skip-build --root $RPM_BUILD_ROOT +%{__python2} setup.py install --skip-build --root $RPM_BUILD_ROOT popd %if %{with_python3} @@ -291,16 +308,16 @@ rm -rf $RPM_BUILD_ROOT%{_bindir} %check # Check Python 2 modules -ln -s $PWD/Images $RPM_BUILD_ROOT%{python_sitearch}/Images -ln -s $PWD/Tests $RPM_BUILD_ROOT%{python_sitearch}/Tests -ln -s $PWD/selftest.py $RPM_BUILD_ROOT%{python_sitearch}/selftest.py -pushd $RPM_BUILD_ROOT%{python_sitearch} -%{__python} selftest.py -%{__python} Tests/run.py +ln -s $PWD/Images $RPM_BUILD_ROOT%{python2_sitearch}/Images +ln -s $PWD/Tests $RPM_BUILD_ROOT%{python2_sitearch}/Tests +ln -s $PWD/selftest.py $RPM_BUILD_ROOT%{python2_sitearch}/selftest.py +pushd $RPM_BUILD_ROOT%{python2_sitearch} +%{__python2} selftest.py +%{__python2} Tests/run.py popd -rm $RPM_BUILD_ROOT%{python_sitearch}/Images -rm $RPM_BUILD_ROOT%{python_sitearch}/Tests -rm $RPM_BUILD_ROOT%{python_sitearch}/selftest.py* +rm $RPM_BUILD_ROOT%{python2_sitearch}/Images +rm $RPM_BUILD_ROOT%{python2_sitearch}/Tests +rm $RPM_BUILD_ROOT%{python2_sitearch}/selftest.py* %if %{with_python3} # Check Python 3 modules @@ -321,13 +338,13 @@ popd %files %doc README.rst docs/HISTORY.txt COPYING -%{python_sitearch}/* +%{python2_sitearch}/* # These are in subpackages -%exclude %{python_sitearch}/*sane* -%exclude %{python_sitearch}/_imagingtk* -%exclude %{python_sitearch}/PIL/ImageTk* -%exclude %{python_sitearch}/PIL/SpiderImagePlugin* -%exclude %{python_sitearch}/PIL/ImageQt* +%exclude %{python2_sitearch}/*sane* +%exclude %{python2_sitearch}/_imagingtk* +%exclude %{python2_sitearch}/PIL/ImageTk* +%exclude %{python2_sitearch}/PIL/SpiderImagePlugin* +%exclude %{python2_sitearch}/PIL/ImageQt* %files devel %{py2_incdir}/Imaging/ @@ -337,15 +354,15 @@ popd %files sane %doc Sane/CHANGES Sane/demo*.py Sane/sanedoc.txt -%{python_sitearch}/*sane* +%{python2_sitearch}/*sane* %files tk -%{python_sitearch}/_imagingtk* -%{python_sitearch}/PIL/ImageTk* -%{python_sitearch}/PIL/SpiderImagePlugin* +%{python2_sitearch}/_imagingtk* +%{python2_sitearch}/PIL/ImageTk* +%{python2_sitearch}/PIL/SpiderImagePlugin* %files qt -%{python_sitearch}/PIL/ImageQt* +%{python2_sitearch}/PIL/ImageQt* %if %{with_python3} %files -n %{name3} @@ -379,6 +396,15 @@ popd %endif %changelog +* Fri Feb 11 2022 Charalampos Stratakis - 2.0.0-23gitd1c6db8 +- Fixup for CVE-2022-22817 +- Security fixes for CVE-2022-22815, CVE-2022-22816 +Resolves: rhbz#2042522 + +* Fri Feb 04 2022 Charalampos Stratakis - 2.0.0-22gitd1c6db8 +- Fix for CVE-2022-22817 +Resolves: rhbz#2042527 + * Wed Mar 04 2020 Lumír Balhar - 2.0.0-21gitd1c6db8 - Fix for CVE-2020-5313 Resolves: rhbz#1789532