diff options
| author |   Rahul Janani Pandi <RahulJanani.Pandi@windriver.com> | 2024-04-08 09:42:28 +0000 |
|---|---|---|
| committer |   Armin Kuster <akuster808@gmail.com> | 2024-04-25 09:17:26 -0400 |
| commit | ef893c5ee999dc47c1adc062fe92ef52f5ea614a (patch) | |
| tree | 272afeab5acc55a9d0bb9aac0ce86b938d1b95ef /meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb | |
| parent | b0ff669dbabeb57fb63560924511cdaf264a33e4 (diff) | |
| download | meta-openembedded-contrib-ef893c5ee999dc47c1adc062fe92ef52f5ea614a.tar.gz | |
python3-pillow: Fix CVE-2023-50447
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code
Execution via the environment parameter, a different vulnerability
than CVE-2022-22817 (which was about the expression parameter).
References:
https://security-tracker.debian.org/tracker/CVE-2023-50447
https://github.com/python-pillow/Pillow/blob/10.2.0/CHANGES.rst
Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb')
| -rw-r--r-- | meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb b/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb index b9c09127c5..e1d0b30860 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb @@ -10,6 +10,10 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https file://0001-explicitly-set-compile-options.patch \ file://run-ptest \ file://CVE-2023-44271.patch \ + file://CVE-2023-50447-1.patch \ + file://CVE-2023-50447-2.patch \ + file://CVE-2023-50447-3.patch \ + file://CVE-2023-50447-4.patch \ " SRCREV ?= "82541b6dec8452cb612067fcebba1c5a1a2bfdc8" |