Diffstat (limited to 'meta-python/recipes-devtools/python/python3-pillow')
6 files changed, 341 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-44271.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-44271.patch
new file mode 100644
index 0000000000..ad51f17288
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-44271.patch
@@ -0,0 +1,156 @@ +From 1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Fri, 30 Jun 2023 23:32:26 +1000 +Subject: [PATCH] Added ImageFont.MAX_STRING_LENGTH + +Upstream-status: Backport [https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7] +CVE: CVE-2023-44271 +Comment: Refresh hunk for test_imagefont.py, ImageFont.py and +Remove hunk 10.0.0.rst because in our version it is 9.4.0 + +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> +Signed-off-by: Dnyandev Padalkar <padalkards17082001@gmail.com> +--- + Tests/test_imagefont.py | 19 +++++++++++++++++++ + docs/reference/ImageFont.rst | 18 ++++++++++++++++++ + src/PIL/ImageFont.py | 15 +++++++++++++++ + 3 files changed, 52 insertions(+) + +diff --git a/Tests/test_imagefont.py b/Tests/test_imagefont.py +index 7fa8ff8cbfd..c50447a153d 100644 +--- a/Tests/test_imagefont.py ++++ b/Tests/test_imagefont.py +@@ -1107,6 +1107,25 @@ + assert_image_equal_tofile(im, "Tests/images/text_mono.gif") + + ++def test_too_many_characters(font): ++ with pytest.raises(ValueError): ++ font.getlength("A" * 1000001) ++ with pytest.raises(ValueError): ++ font.getbbox("A" * 1000001) ++ with pytest.raises(ValueError): ++ font.getmask2("A" * 1000001) ++ ++ transposed_font = ImageFont.TransposedFont(font) ++ with pytest.raises(ValueError): ++ transposed_font.getlength("A" * 1000001) ++ ++ default_font = ImageFont.load_default() ++ with pytest.raises(ValueError): ++ default_font.getlength("A" * 1000001) ++ with pytest.raises(ValueError): ++ default_font.getbbox("A" * 1000001) ++ ++ + @pytest.mark.parametrize( + "test_file", + [ +diff --git a/docs/reference/ImageFont.rst b/docs/reference/ImageFont.rst +index 946bd3c4bed..2abfa0cc997 100644 +--- a/docs/reference/ImageFont.rst ++++ b/docs/reference/ImageFont.rst +@@ -18,6 +18,15 @@ OpenType fonts (as well as other font formats supported by the FreeType + library). 
For earlier versions, TrueType support is only available as part of + the imToolkit package. + ++.. warning:: ++ To protect against potential DOS attacks when using arbitrary strings as ++ text input, Pillow will raise a ``ValueError`` if the number of characters ++ is over a certain limit, :py:data:`MAX_STRING_LENGTH`. ++ ++ This threshold can be changed by setting ++ :py:data:`MAX_STRING_LENGTH`. It can be disabled by setting ++ ``ImageFont.MAX_STRING_LENGTH = None``. ++ + Example + ------- + +@@ -73,3 +82,12 @@ Constants + + Requires Raqm, you can check support using + :py:func:`PIL.features.check_feature` with ``feature="raqm"``. ++ ++Constants ++--------- ++ ++.. data:: MAX_STRING_LENGTH ++ ++ Set to 1,000,000, to protect against potential DOS attacks. Pillow will ++ raise a ``ValueError`` if the number of characters is over this limit. The ++ check can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``. +diff --git a/src/PIL/ImageFont.py b/src/PIL/ImageFont.py +index 3ddc1aaad64..1030985ebc4 100644 +--- a/src/PIL/ImageFont.py ++++ b/src/PIL/ImageFont.py +@@ -43,6 +43,9 @@ + RAQM = 1 + + ++MAX_STRING_LENGTH = 1000000 ++ ++ + def __getattr__(name): + for enum, prefix in {Layout: "LAYOUT_"}.items(): + if name.startswith(prefix): +@@ -67,6 +67,12 @@ + core = _ImagingFtNotInstalled() + + ++def _string_length_check(text): ++ if MAX_STRING_LENGTH is not None and len(text) > MAX_STRING_LENGTH: ++ msg = "too many characters in string" ++ raise ValueError(msg) ++ ++ + _UNSPECIFIED = object() + + +@@ -192,6 +192,7 @@ + + :return: ``(left, top, right, bottom)`` bounding box + """ ++ _string_length_check(text) + width, height = self.font.getsize(text) + return 0, 0, width, height + +@@ -202,6 +202,7 @@ + + .. versionadded:: 9.2.0 + """ ++ _string_length_check(text) + width, height = self.font.getsize(text) + return width + +@@ -359,6 +359,7 @@ + + :return: Width for horizontal, height for vertical text. 
+ """ ++ _string_length_check(text) + return self.font.getlength(text, mode, direction, features, language) / 64 + + def getbbox( +@@ -418,6 +418,7 @@ + + :return: ``(left, top, right, bottom)`` bounding box + """ ++ _string_length_check(text) + size, offset = self.font.getsize( + text, mode, direction, features, language, anchor + ) +@@ -762,6 +762,7 @@ + :py:mod:`PIL.Image.core` interface module, and the text offset, the + gap between the starting coordinate and the first marking + """ ++ _string_length_check(text) + if fill is _UNSPECIFIED: + fill = Image.core.fill + else: +@@ -924,6 +924,7 @@ + if self.orientation in (Image.Transpose.ROTATE_90, Image.Transpose.ROTATE_270): + msg = "text length is undefined for text rotated by 90 or 270 degrees" + raise ValueError(msg) ++ _string_length_check(text) + return self.font.getlength(text, *args, **kwargs) + + diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch new file mode 100644 index 0000000000..7de12be5d5 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch 
@@ -0,0 +1,29 @@
+From 3652f431c2d8b9c10bf20b70f284d300d12e814a
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Sat Oct 28 14:22:39 2023 +1100
+Subject: [PATCH] python3-pillow: Simplified code
+
+CVE: CVE-2023-50447
+
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/3652f431c2d8b9c10bf20b70f284d300d12e814a]
+
+Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
+---
+ src/PIL/ImageMath.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index ac7d36b69..71872a3fb 100644
+--- a/src/PIL/ImageMath.py
++++ b/src/PIL/ImageMath.py
+@@ -239,7 +239,7 @@ def eval(expression, _dict={}, **kw):
+ args = ops.copy()
+ args.update(_dict)
+ args.update(kw)
+- for k, v in list(args.items()):
++ for k, v in args.items():
+ if hasattr(v, "im"):
+ args[k] = _Operand(v)
+
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch
new file mode 100644
index 0000000000..13fbaf6d78
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch
@@ -0,0 +1,31 @@
+From 45c726fd4daa63236a8f3653530f297dc87b160a
+From: Eric Soroos <eric-github@soroos.net>
+Date: Fri Oct 27 11:21:18 2023 +0200
+Subject: [PATCH] python3-pillow: Don't allow __ or builtins in env dictionarys
+
+CVE: CVE-2023-50447
+
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a]
+
+Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
+---
+ src/PIL/ImageMath.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 71872a3fb..923a8eeae 100644
+--- a/src/PIL/ImageMath.py
++++ b/src/PIL/ImageMath.py
+@@ -240,6 +240,10 @@ def eval(expression, _dict={}, **kw):
+ args.update(_dict)
+ args.update(kw)
+ for k, v in args.items():
++ if '__' in k or hasattr(__builtins__, k):
++ msg = f"'{k}' not allowed"
++ raise ValueError(msg)
++
+ if hasattr(v, "im"):
+ args[k] = _Operand(v)
+
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch
new file mode 100644
index 0000000000..bbfc32a6c7
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch
@@ -0,0 +1,56 @@
+From 0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Sat, 28 Oct 2023 15:58:52 +1100
+Subject: [PATCH] python3-pillow: Allow ops
+
+CVE: CVE-2023-50447
+
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80]
+
+Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
+---
+ Tests/test_imagemath.py | 5 +++++
+ src/PIL/ImageMath.py | 9 +++++----
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index fe7ac9a7a..ded8c0011 100644
+--- a/Tests/test_imagemath.py
++++ b/Tests/test_imagemath.py
+@@ -63,6 +63,11 @@ def test_prevent_exec(expression):
+ ImageMath.eval(expression)
+
+
++def test_prevent_double_underscores():
++ with pytest.raises(ValueError):
++ ImageMath.eval("1", {"__": None})
++
++
+ def test_logical():
+ assert pixel(ImageMath.eval("not A", images)) == 0
+ assert pixel(ImageMath.eval("A and B", images)) == "L 2"
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 923a8eeae..c14598a4c 100644
+--- a/src/PIL/ImageMath.py
++++ b/src/PIL/ImageMath.py
+@@ -237,13 +237,14 @@ def eval(expression, _dict={}, **kw):
+
+ # build execution namespace
+ args = ops.copy()
+- args.update(_dict)
+- args.update(kw)
+- for k, v in args.items():
+- if '__' in k or hasattr(__builtins__, k):
++ for k in list(_dict.keys()) + list(kw.keys()):
++ if "__" in k or hasattr(__builtins__, k):
+ msg = f"'{k}' not allowed"
+ raise ValueError(msg)
+
++ args.update(_dict)
++ args.update(kw)
++ for k, v in args.items():
+ if hasattr(v, "im"):
+ args[k] = _Operand(v)
+
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch
new file mode 100644
index 0000000000..da3e2c1974
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-4.patch 
@@ -0,0 +1,66 @@ +From 557ba59d13de919d04b3fd4cdef8634f7d4b3348 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Sat Dec 30 09:30:12 2023 +1100 +Subject: [PATCH] python3-pillow: Include further builtins + +CVE: CVE-2023-50447 + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348] + +Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com> +--- + Tests/test_imagemath.py | 5 +++++ + docs/releasenotes/9.4.0.rst | 8 ++++++++ + src/PIL/ImageMath.py | 2 +- + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py +index ded8c0011..124687478 100644 +--- a/Tests/test_imagemath.py ++++ b/Tests/test_imagemath.py +@@ -67,6 +67,11 @@ def test_prevent_double_underscores(): + with pytest.raises(ValueError): + ImageMath.eval("1", {"__": None}) + ++def test_prevent_builtins(): ++ with pytest.raises(ValueError): ++ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}) ++ ++ + + def test_logical(): + assert pixel(ImageMath.eval("not A", images)) == 0 +diff --git a/docs/releasenotes/9.4.0.rst b/docs/releasenotes/9.4.0.rst +index 0af5bc8ca..9ca7c9f6f 100644 +--- a/docs/releasenotes/9.4.0.rst ++++ b/docs/releasenotes/9.4.0.rst +@@ -88,6 +88,14 @@ Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a + crash. An error is now raised instead. This has been present since + Pillow 8.0.0. + ++Restricted environment keys for ImageMath.eval ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++:cve:`2023-50447`: If an attacker has control over the keys passed to the ++``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute ++arbitrary code. To prevent this, keys matching the names of builtins and keys ++containing double underscores will now raise a :py:exc:`ValueError`. 
++ + Other Changes + ============= + +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index c14598a4c..b2c50bc5b 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -238,7 +238,7 @@ def eval(expression, _dict={}, **kw): + # build execution namespace + args = ops.copy() + for k in list(_dict.keys()) + list(kw.keys()): +- if "__" in k or hasattr(__builtins__, k): ++ if "__" in k or hasattr(builtins, k): + msg = f"'{k}' not allowed" + raise ValueError(msg) + +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-pillow/run-ptest b/meta-python/recipes-devtools/python/python3-pillow/run-ptest new file mode 100644 index 0000000000..3385d68939 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/run-ptest @@ -0,0 +1,3 @@ +#!/bin/sh + +pytest -o log_cli=true -o log_cli_level=INFO | sed -e 's/\[...%\]//g'| sed -e 's/PASSED/PASS/g'| sed -e 's/FAILED/FAIL/g'|sed -e 's/SKIPED/SKIP/g'| awk '{if ($NF=="PASS" || $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS"){printf "%s: %s\n", $NF, $0}else{print}}'| awk '{if ($NF=="PASS" || $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS") {$NF="";print $0}else{print}}' |
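Review bot: In the Tests/test_imagemath.py hunk of CVE-2023-50447-4.patch, `test_prevent_builtins` is separated from the preceding test by a single blank line and followed by three, which flake8 reports as E302/E303 and which upstream's lint configuration would reject; moving one of the trailing blank lines above the `def` fixes both. The src/PIL/ImageMath.py hunk switches the check to `hasattr(builtins, k)` without adding an `import builtins`; Pillow's ImageMath.py already imports that module for its `builtins.eval` call, but the import is outside this hunk, so it is worth confirming against the 9.4.0 source the recipe patches. The docs/releasenotes/9.4.0.rst hunk uses the `:cve:` role, which the 9.4.0 docs configuration may not define as an extlink; if the docs build is part of the recipe, check for a warning there.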
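Review bot: In run-ptest, `sed -e 's/SKIPED/SKIP/g'` never matches because the outcome word pytest prints is `SKIPPED`, so skipped tests keep that token, fail the `$NF=="SKIP"` test in both awk filters, and are not emitted in ptest `RESULT: name` form; change it to `sed -e 's/SKIPPED/SKIP/g'`. The four consecutive sed invocations could also be folded into one `sed -e ... -e ... -e ... -e ...`. The pipeline ends in a trailing `|`, so the line appears to continue beyond what is visible here.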