python3-pillow: fix CVE-2022-22815, 22816, 22817

Backport three patches from 9.0.0 upstream to fix CVES. Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-04-02 02:49:12 +00:00 · 2022-01-28 13:51:00 -05:00 · 2022-01-28 13:51:00 -05:00 · 23598caeaf
commit 23598caeaf
parent b5a9b02a9e
4 changed files with 185 additions and 0 deletions
--- a/meta-python/recipes-devtools/python/python3-pillow/0001-Handle-case-where-path-count-is-zero.patch
+++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Handle-case-where-path-count-is-zero.patch
@ -0,0 +1,77 @@
+From c48271ab354db49cdbd740bc45e13be4f0f7993c Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Mon, 6 Dec 2021 22:25:14 +1100
+Subject: [PATCH] Handle case where path count is zero
+
+CVE: CVE-2022-22816
+
+Upstream-Status: Backport
+(https://github.com/python-pillow/Pillow/pull/5920/commits/c48271ab354db49cdbd740bc45e13be4f0f7993c)
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+---
+ Tests/test_imagepath.py |  1 +
+ src/path.c              | 33 +++++++++++++++++++--------------
+ 2 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
+index cd850bb1..b18271cc 100644
+--- a/Tests/test_imagepath.py
+++ b/Tests/test_imagepath.py
+@@ -90,6 +90,7 @@ def test_path_odd_number_of_coordinates():
+     [
+         ([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)),
+         ([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)),
+        (0, (0.0, 0.0, 0.0, 0.0)),
+         (1, (0.0, 0.0, 0.0, 0.0)),
+     ],
+ )
+diff --git a/src/path.c b/src/path.c
+index 64c767cb..dea274ee 100644
+--- a/src/path.c
+++ b/src/path.c
+@@ -327,21 +327,26 @@ path_getbbox(PyPathObject *self, PyObject *args) {
+ 
+     xy = self->xy;
+ 
+-    x0 = x1 = xy[0];
+-    y0 = y1 = xy[1];
+    if (self->count == 0) {
+        x0 = x1 = 0;
+        y0 = y1 = 0;
+    } else {
+        x0 = x1 = xy[0];
+        y0 = y1 = xy[1];
+ 
+-    for (i = 1; i < self->count; i++) {
+-        if (xy[i + i] < x0) {
+-            x0 = xy[i + i];
+-        }
+-        if (xy[i + i] > x1) {
+-            x1 = xy[i + i];
+-        }
+-        if (xy[i + i + 1] < y0) {
+-            y0 = xy[i + i + 1];
+-        }
+-        if (xy[i + i + 1] > y1) {
+-            y1 = xy[i + i + 1];
+        for (i = 1; i < self->count; i++) {
+            if (xy[i + i] < x0) {
+                x0 = xy[i + i];
+            }
+            if (xy[i + i] > x1) {
+                x1 = xy[i + i];
+            }
+            if (xy[i + i + 1] < y0) {
+                y0 = xy[i + i + 1];
+            }
+            if (xy[i + i + 1] > y1) {
+                y1 = xy[i + i + 1];
+            }
+         }
+     }
+ 
+-- 
+2.33.0
+
--- a/meta-python/recipes-devtools/python/python3-pillow/0001-Initialize-coordinates-to-zero.patch
+++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Initialize-coordinates-to-zero.patch
@ -0,0 +1,45 @@
+From 1e092419b6806495c683043ab3feb6ce264f3b9c Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Mon, 6 Dec 2021 22:24:19 +1100
+Subject: [PATCH] Initialize coordinates to zero
+
+CVE: CVE-2022-22815
+
+Upstream-Status: Backport
+(https://github.com/python-pillow/Pillow/pull/5920/commits/1e092419b6806495c683043ab3feb6ce264f3b9c)
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+---
+ Tests/test_imagepath.py | 1 +
+ src/path.c              | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
+index 0835fdb4..cd850bb1 100644
+--- a/Tests/test_imagepath.py
+++ b/Tests/test_imagepath.py
+@@ -90,6 +90,7 @@ def test_path_odd_number_of_coordinates():
+     [
+         ([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)),
+         ([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)),
+        (1, (0.0, 0.0, 0.0, 0.0)),
+     ],
+ )
+ def test_getbbox(coords, expected):
+diff --git a/src/path.c b/src/path.c
+index 4764c58a..64c767cb 100644
+--- a/src/path.c
+++ b/src/path.c
+@@ -57,7 +57,7 @@ alloc_array(Py_ssize_t count) {
+     if ((unsigned long long)count > (SIZE_MAX / (2 * sizeof(double))) - 1) {
+         return ImagingError_MemoryError();
+     }
+-    xy = malloc(2 * count * sizeof(double) + 1);
+    xy = calloc(2 * count * sizeof(double) + 1, sizeof(double));
+     if (!xy) {
+         ImagingError_MemoryError();
+     }
+-- 
+2.33.0
+
--- a/meta-python/recipes-devtools/python/python3-pillow/0001-Restrict-builtins-for-ImageMath.eval.patch
+++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Restrict-builtins-for-ImageMath.eval.patch
@ -0,0 +1,60 @@
+From 8531b01d6cdf0b70f256f93092caa2a5d91afc11 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Sun, 2 Jan 2022 17:23:49 +1100
+Subject: [PATCH] Restrict builtins for ImageMath.eval
+
+CVE: CVE-2022-22817
+
+Upstream-Status: Backport
+(https://github.com/python-pillow/Pillow/pull/5923/commits/8531b01d6cdf0b70f256f93092caa2a5d91afc11)
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+---
+ Tests/test_imagemath.py     | 7 +++++++
+ src/PIL/ImageMath.py        | 7 ++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index e7afd1ab..25811aa8 100644
+--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
+@@ -1,3 +1,5 @@
+import pytest
+
+ from PIL import Image, ImageMath
+ 
+ 
+@@ -50,6 +52,11 @@ def test_ops():
+     assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
+ 
+ 
+def test_prevent_exec():
+    with pytest.raises(ValueError):
+        ImageMath.eval("exec('pass')")
+
+
+ def test_logical():
+     assert pixel(ImageMath.eval("not A", images)) == 0
+     assert pixel(ImageMath.eval("A and B", images)) == "L 2"
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 7f9c88e1..06bea800 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -246,7 +246,12 @@ def eval(expression, _dict={}, **kw):
+         if hasattr(v, "im"):
+             args[k] = _Operand(v)
+ 
+-    out = builtins.eval(expression, args)
+    code = compile(expression, "<string>", "eval")
+    for name in code.co_names:
+        if name not in args and name != "abs":
+            raise ValueError(f"'{name}' not allowed")
+
+    out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
+     try:
+         return out.im
+     except AttributeError:
+-- 
+2.33.0
+
--- a/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb
+++ b/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb
@ -11,6 +11,9 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=8.2.x;protocol=https
           file://0001-Limit-sprintf-modes-to-10-characters.patch \
           file://0001-Use-snprintf-instead-of-sprintf.patch \
           file://0001-Raise-ValueError-if-color-specifier-is-too-long.patch \
+           file://0001-Initialize-coordinates-to-zero.patch \
+           file://0001-Handle-case-where-path-count-is-zero.patch \
+           file://0001-Restrict-builtins-for-ImageMath.eval.patch \
 "
 SRCREV ?= "e0e353c0ef7516979a9aedce3792596649ce4433"