MIRRORS/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-01-27 12:01:38 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
73115df6a4
meta-openembedded/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch
Rahul Janani Pandi 717462f811 python3-pillow: Fix CVE-2023-50447 
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code
Execution via the environment parameter, a different vulnerability
than CVE-2022-22817 (which was about the expression parameter).

References:
https://security-tracker.debian.org/tracker/CVE-2023-50447
https://github.com/python-pillow/Pillow/blob/10.2.0/CHANGES.rst

Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-04-28 13:10:23 -04:00

67 lines
2.3 KiB
Diff
Raw Blame History

From 557ba59d13de919d04b3fd4cdef8634f7d4b3348
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sat Dec 30 09:30:12 2023 +1100
Subject: [PATCH] python3-pillow: Include further builtins
CVE: CVE-2023-50447
Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348]
Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
---
Tests/test_imagemath.py | 5 +++++
docs/releasenotes/9.4.0.rst | 8 ++++++++
src/PIL/ImageMath.py | 2 +-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
index ded8c0011..124687478 100644
--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
@@ -67,6 +67,11 @@ def test_prevent_double_underscores():
with pytest.raises(ValueError):
ImageMath.eval("1", {"__": None})
+def test_prevent_builtins():
+ with pytest.raises(ValueError):
+ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
+
+
def test_logical():
assert pixel(ImageMath.eval("not A", images)) == 0
diff --git a/docs/releasenotes/9.4.0.rst b/docs/releasenotes/9.4.0.rst
index 0af5bc8ca..9ca7c9f6f 100644
--- a/docs/releasenotes/9.4.0.rst
+++ b/docs/releasenotes/9.4.0.rst
@@ -88,6 +88,14 @@ Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a
crash. An error is now raised instead. This has been present since
Pillow 8.0.0.
+Restricted environment keys for ImageMath.eval
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+:cve:`2023-50447`: If an attacker has control over the keys passed to the
+``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
+arbitrary code. To prevent this, keys matching the names of builtins and keys
+containing double underscores will now raise a :py:exc:`ValueError`.
+
Other Changes
=============
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index c14598a4c..b2c50bc5b 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@@ -238,7 +238,7 @@ def eval(expression, _dict={}, **kw):
# build execution namespace
args = ops.copy()
for k in list(_dict.keys()) + list(kw.keys()):
- if "__" in k or hasattr(__builtins__, k):
+ if "__" in k or hasattr(builtins, k):
msg = f"'{k}' not allowed"
raise ValueError(msg)
--
2.40.0
Reference in New Issue View Git Blame Copy Permalink