From 406a405af2ae67015db74aa01e203135f7410cef Mon Sep 17 00:00:00 2001
From: Trevor Gamblin
Date: Wed, 6 Oct 2021 13:39:06 -0400
Subject: python3-pillow: Fix CVE-2021-23437

Backport an upstream fix since an uprev would include potentially-breaking functionality changes.

Signed-off-by: Trevor Gamblin
Signed-off-by: Armin Kuster
---
 ...ValueError-if-color-specifier-is-too-long.patch | 49 ++++++++++++++++++++++
 .../python/python3-pillow_8.2.0.bb | 1 +
 2 files changed, 50 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-pillow/0001-Raise-ValueError-if-color-specifier-is-too-long.patch
(limited to 'meta-python/recipes-devtools')
diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-Raise-ValueError-if-color-specifier-is-too-long.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-Raise-ValueError-if-color-specifier-is-too-long.patch
new file mode 100644
index 0000000000..91e16f5415
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Raise-ValueError-if-color-specifier-is-too-long.patch
@@ -0,0 +1,49 @@
+From 9e08eb8f78fdfd2f476e1b20b7cf38683754866b Mon Sep 17 00:00:00 2001
+From: Hugo van Kemenade
+Date: Mon, 23 Aug 2021 19:10:49 +0300
+Subject: [PATCH] Raise ValueError if color specifier is too long
+
+CVE: CVE-2021-23437
+
+Upstream-Status: Backport
+(https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b)
+
+Signed-off-by: Trevor Gamblin
+---
+ Tests/test_imagecolor.py | 9 +++++++++
+ src/PIL/ImageColor.py | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/Tests/test_imagecolor.py b/Tests/test_imagecolor.py
+index b5d69379..dbe8b9e9 100644
+--- a/Tests/test_imagecolor.py
++++ b/Tests/test_imagecolor.py
+@@ -191,3 +191,12 @@ def test_rounding_errors():
+ assert (255, 255) == ImageColor.getcolor("white", "LA")
+ assert (163, 33) == ImageColor.getcolor("rgba(0, 255, 115, 33)", "LA")
+ Image.new("LA", (1, 1), "white")
++
++
++def test_color_too_long():
++ # Arrange
++ color_too_long = "hsl(" + "1" * 100 + ")"
++
++ # Act / Assert
++ with pytest.raises(ValueError):
++ ImageColor.getrgb(color_too_long)
+diff --git a/src/PIL/ImageColor.py b/src/PIL/ImageColor.py
+index 51df4404..25f92f2c 100644
+--- a/src/PIL/ImageColor.py
++++ b/src/PIL/ImageColor.py
+@@ -32,6 +32,8 @@ def getrgb(color):
+ :param color: A color string
+ :return: ``(red, green, blue[, alpha])``
+ """
++ if len(color) > 100:
++ raise ValueError("color specifier is too long")
+ color = color.lower()
+
+ rgb = colormap.get(color, None)
+--
+2.33.0
+
diff --git a/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb b/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb
index 40745bb763..8b3a2996f4 100644
--- a/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb
+++ b/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb
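Review bot: `test_color_too_long` in the backported patch only asserts that `ImageColor.getrgb` raises `ValueError`, which does not prove the new length guard is what fired: if `getrgb` also raises `ValueError` for an unrecognised specifier (the rest of its body lies outside this hunk, so that is inferred), the test passes with or without the `if len(color) > 100:` branch. Matching on the new message pins the intended branch: `with pytest.raises(ValueError, match="too long"):`. Since the file is a verbatim upstream backport (`Upstream-Status: Backport` with the commit link), the hunk should not be altered locally; the point belongs upstream or in the patch header. Separately, the `100` threshold carries no comment and the `getrgb` docstring just above gains no `:raises ValueError:` entry, so a patch-header sentence such as `The cap rejects over-long specifiers before any further parsing, which is the CVE-2021-23437 mitigation.` would tell a future maintainer why the number exists.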
@@ -10,6 +10,7 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=8.2.x \
 file://0001-explicitly-set-compile-options.patch \
 file://0001-Limit-sprintf-modes-to-10-characters.patch \
 file://0001-Use-snprintf-instead-of-sprintf.patch \
+ file://0001-Raise-ValueError-if-color-specifier-is-too-long.patch \
 "
 SRCREV ?= "e0e353c0ef7516979a9aedce3792596649ce4433"
--
cgit 1.2.3-korg