diff options
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch')
-rw-r--r-- | meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch new file mode 100644 index 0000000000..f9e3c49505 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch @@ -0,0 +1,31 @@ +From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001 +From: Eric Soroos <eric-github@soroos.net> +Date: Fri, 27 Oct 2023 11:21:18 +0200 +Subject: [PATCH] Don't allow __ or builtins in env dictionarys for + ImageMath.eval + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a] +CVE: CVE-2023-50447 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/PIL/ImageMath.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index 392151c10..4cea3855e 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -261,6 +261,10 @@ def eval(expression, _dict={}, **kw): + args.update(_dict) + args.update(kw) + for k, v in list(args.items()): ++ if '__' in k or hasattr(__builtins__, k): ++ msg = f"'{k}' not allowed" ++ raise ValueError(msg) ++ + if hasattr(v, "im"): + args[k] = _Operand(v) + +-- +2.25.1 + |