diff --git a/SOURCES/CVE-2023-44271.patch b/SOURCES/CVE-2023-44271.patch
new file mode 100644
index 0000000..264e436
--- /dev/null
+++ b/SOURCES/CVE-2023-44271.patch
@@ -0,0 +1,76 @@
+From ca6bb16f2d10dfc918ddc857118ed3ba7e5db90d Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Mon, 13 Nov 2023 12:30:56 +0100
+Subject: [PATCH] CVE-2023-44271
+
+---
+ PIL/ImageFont.py | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/PIL/ImageFont.py b/PIL/ImageFont.py
+index 8ec60fe..4503df4 100644
+--- a/PIL/ImageFont.py
++++ b/PIL/ImageFont.py
+@@ -35,11 +35,20 @@ class _imagingft_not_installed:
+ def __getattr__(self, id):
+ raise ImportError("The _imagingft C module is not installed")
+ 
++MAX_STRING_LENGTH = 1000000
++
+ try:
+ import _imagingft as core
+ except ImportError:
+ core = _imagingft_not_installed()
+ 
++
++def _string_length_check(text):
++ if MAX_STRING_LENGTH is not None and len(text) > MAX_STRING_LENGTH:
++ msg = "too many characters in string"
++ raise ValueError(msg)
++
++
+ # FIXME: add support for pilfont2 format (see FontFile.py)
+ 
+ # --------------------------------------------------------------------
+@@ -118,9 +127,12 @@ class ImageFont:
+ 
+ self.font = Image.core.font(image.im, data)
+ 
+- # delegate critical operations to internal type
+- self.getsize = self.font.getsize
+- self.getmask = self.font.getmask
++ def getsize(self, text):
++ _string_length_check(text)
++ return self.font.getsize(text)
++
++ def getmask(self, text, mode=""):
++ return self.font.getmask(text, mode)
+ 
+ ##
+ # Wrapper for FreeType fonts. Application code should use the
+@@ -140,12 +152,14 @@ class FreeTypeFont:
+ return self.font.ascent, self.font.descent
+ 
+ def getsize(self, text):
++ _string_length_check(text)
+ return self.font.getsize(text)[0]
+ 
+ def getmask(self, text, mode=""):
+ return self.getmask2(text, mode)[0]
+ 
+ def getmask2(self, text, mode="", fill=Image.core.fill):
++ _string_length_check(text)
+ size, offset = self.font.getsize(text)
+ im = fill("L", size, 0)
+ self.font.render(text, im.id, mode=="1")
+@@ -168,6 +182,7 @@ class TransposedFont:
+ self.orientation = orientation # any 'transpose' argument, or None
+ 
+ def getsize(self, text):
++ _string_length_check(text)
+ w, h = self.font.getsize(text)
+ if self.orientation in (Image.ROTATE_90, Image.ROTATE_270):
+ return h, w
+-- 
+2.41.0
+
diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec
index 0aeef05..ab25e95 100644
--- a/SPECS/python-pillow.spec
+++ b/SPECS/python-pillow.spec
@@ -23,7 +23,7 @@
 
 Name: python-pillow
 Version: 2.0.0
-Release: 23%{?snap}%{?dist}
+Release: 24%{?snap}%{?dist}
 Summary: Python image processing library
 
 # License: see http://www.pythonware.com/products/pil/license.htm
@@ -67,6 +67,10 @@ Patch19: CVE-2022-22817.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2042511
 # https://bugzilla.redhat.com/show_bug.cgi?id=2042522
 Patch20: CVE-2022-22815_CVE-2022-22816.patch
+# CVE-2023-44271 python-pillow: uncontrolled resource consumption when textlength
+# in an ImageDraw instance operates on a long text argument
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
+Patch21: CVE-2023-44271.patch
 
 BuildRequires: python2-devel
 
@@ -239,6 +243,7 @@ PIL image wrapper for Qt.
 %patch5 -p2 -b .cve_2020_5313
 %patch19 -p1 -b .CVE-2022-22817
 %patch20 -p1 -b .CVE-2022-22815_CVE-2022-22816
+%patch21 -p1 -b .CVE-2023-44271
 
 %if %{with_python3}
 # Create Python 3 source tree
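Review bot: `ImageFont.getmask`, added in the embedded patch's `@@ -118,9 +127,12 @@` hunk, passes `text` to `self.font.getmask(text, mode)` without the length check, although `getsize` right above it and `FreeTypeFont.getmask2` both call it, so a caller that renders with a bitmap font without measuring first is not covered by `MAX_STRING_LENGTH`. Making `_string_length_check(text)` the first statement of that method would apply the cap on every entry point; `TransposedFont.getmask` lies outside the visible hunks and should be confirmed to reach a checked path. A comment above the constant, for example `# Upper bound on text length accepted by font methods; set to None to disable`, would tell downstream users what the knob does. The class bodies start and end outside these hunks, so this is based only on the lines shown.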
@@ -396,6 +401,10 @@ popd
 %endif
 
 %changelog
+* Mon Nov 13 2023 Lumír Balhar - 2.0.0-24gitd1c6db8
+- Security fix for CVE-2023-44271
+Resolves: RHEL-15459
+
 * Fri Feb 11 2022 Charalampos Stratakis - 2.0.0-23gitd1c6db8
 - Fixup for CVE-2022-22817
 - Security fixes for CVE-2022-22815, CVE-2022-22816