1 files changed, 44 insertions, 0 deletions

diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch
new file mode 100644
index 0000000000..b93425ee58
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch
@@ -0,0 +1,44 @@
+From 557ba59d13de919d04b3fd4cdef8634f7d4b3348 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Sat, 30 Dec 2023 09:30:12 +1100
+Subject: [PATCH] Include further builtins
+
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348]
+CVE: CVE-2023-50447
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Tests/test_imagemath.py | 4 ++++
+ src/PIL/ImageMath.py    | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index 14a58a532..5bba832e2 100644
+--- a/Tests/test_imagemath.py
++++ b/Tests/test_imagemath.py
+@@ -60,6 +60,10 @@ class TestImageMath(PillowTestCase):
+         with pytest.raises(ValueError):
+             ImageMath.eval("1", {"__": None})
+ 
++    def test_prevent_builtins():
++        with pytest.raises(ValueError):
++            ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
++
+     def test_logical(self):
+         self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
+         self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 776604e3f..c6bc22180 100644
+--- a/src/PIL/ImageMath.py
++++ b/src/PIL/ImageMath.py
+@@ -259,7 +259,7 @@ def eval(expression, _dict={}, **kw):
+     # build execution namespace
+     args = ops.copy()
+     for k in list(_dict.keys()) + list(kw.keys()):
+-        if "__" in k or hasattr(__builtins__, k):
++        if "__" in k or hasattr(builtins, k):
+             msg = f"'{k}' not allowed"
+             raise ValueError(msg)
+ 
+-- 
+2.25.1
+