From 0198370fe1a6ae8d45f293b7f167aebee82c457c Mon Sep 17 00:00:00 2001
From: yangxianzhao
Date: Mon, 26 Feb 2024 16:23:47 +0800
Subject: [PATCH] Update to python-pillow-2.0.0-24.gitd1c6db8.el7_9
---
 CVE-2023-44271.patch | 76 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2023-50447.patch | 47 +++++++++++++++++++++++++++
 python-pillow.spec | 20 +++++++++++-
 3 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-44271.patch
 create mode 100644 CVE-2023-50447.patch
diff --git a/CVE-2023-44271.patch b/CVE-2023-44271.patch
new file mode 100644
index 0000000..264e436
--- /dev/null
+++ b/CVE-2023-44271.patch
@@ -0,0 +1,76 @@
+From ca6bb16f2d10dfc918ddc857118ed3ba7e5db90d Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Mon, 13 Nov 2023 12:30:56 +0100
+Subject: [PATCH] CVE-2023-44271
+
+---
+ PIL/ImageFont.py | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/PIL/ImageFont.py b/PIL/ImageFont.py
+index 8ec60fe..4503df4 100644
+--- a/PIL/ImageFont.py
++++ b/PIL/ImageFont.py
+@@ -35,11 +35,20 @@ class _imagingft_not_installed:
+ def __getattr__(self, id):
+ raise ImportError("The _imagingft C module is not installed")
+
++MAX_STRING_LENGTH = 1000000
++
+ try:
+ import _imagingft as core
+ except ImportError:
+ core = _imagingft_not_installed()
+
++
++def _string_length_check(text):
++ if MAX_STRING_LENGTH is not None and len(text) > MAX_STRING_LENGTH:
++ msg = "too many characters in string"
++ raise ValueError(msg)
++
++
+ # FIXME: add support for pilfont2 format (see FontFile.py)
+
+ # --------------------------------------------------------------------
+@@ -118,9 +127,12 @@ class ImageFont:
+
+ self.font = Image.core.font(image.im, data)
+
+- # delegate critical operations to internal type
+- self.getsize = self.font.getsize
+- self.getmask = self.font.getmask
++ def getsize(self, text):
++ _string_length_check(text)
++ return self.font.getsize(text)
++
++ def getmask(self, text, mode=""):
++ return self.font.getmask(text, mode)
+
+ ##
+ # Wrapper for FreeType fonts.
Application code should use the
+@@ -140,12 +152,14 @@ class FreeTypeFont:
+ return self.font.ascent, self.font.descent
+
+ def getsize(self, text):
++ _string_length_check(text)
+ return self.font.getsize(text)[0]
+
+ def getmask(self, text, mode=""):
+ return self.getmask2(text, mode)[0]
+
+ def getmask2(self, text, mode="", fill=Image.core.fill):
++ _string_length_check(text)
+ size, offset = self.font.getsize(text)
+ im = fill("L", size, 0)
+ self.font.render(text, im.id, mode=="1")
+@@ -168,6 +182,7 @@ class TransposedFont:
+ self.orientation = orientation # any 'transpose' argument, or None
+
+ def getsize(self, text):
++ _string_length_check(text)
+ w, h = self.font.getsize(text)
+ if self.orientation in (Image.ROTATE_90, Image.ROTATE_270):
+ return h, w
+--
+2.41.0
+
diff --git a/CVE-2023-50447.patch b/CVE-2023-50447.patch
new file mode 100644
index 0000000..81660fc
--- /dev/null
+++ b/CVE-2023-50447.patch
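Review bot: The new `ImageFont.getmask` wrapper in the `@@ -118,9 +127,12 @@` hunk of CVE-2023-44271.patch never calls `_string_length_check`, so bitmap fonts keep an unguarded path into `self.font.getmask(text, mode)` while the sibling `getsize` wrapper and `FreeTypeFont.getmask2` are both guarded; if the C-level getmask also scales with text length this is the same resource-consumption problem the patch is fixing, so mirror `getsize` by inserting `_string_length_check(text)` as the first line of `getmask`. Indentation is lost on this page, so also confirm that both new `def`s sit at class level rather than inside `_load_pilfont_data`: the `self.getsize`/`self.getmask` instance attributes they replace are deleted, and only class-level methods keep `getsize`/`getmask` reachable on instances. Unlike CVE-2023-50447.patch this one carries no test, and a unittest-style case asserting `ValueError` for a string longer than `MAX_STRING_LENGTH` would pin the backport. The `ImageFont`, `FreeTypeFont` and `TransposedFont` class bodies continue outside these hunks.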
@@ -0,0 +1,47 @@
+From cf8d70b86f0d5ee9e72a1e69ad76cf5831f977fa Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Thu, 8 Feb 2024 21:32:44 +0100
+Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
+ ImageMath.eval
+
+---
+ PIL/ImageMath.py | 5 +++++
+ Tests/test_imagemath.py | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/PIL/ImageMath.py b/PIL/ImageMath.py
+index 5312207..13550a9 100644
+--- a/PIL/ImageMath.py
++++ b/PIL/ImageMath.py
+@@ -213,6 +213,11 @@ def eval(expression, _dict={}, **kw):
+
+ # build execution namespace
+ args = ops.copy()
++ for k in list(_dict.keys()) + list(kw.keys()):
++ if "__" in k or hasattr(builtins, k):
++ msg = "'{0}' not allowed".format(k)
++ raise ValueError(msg)
++
+ args.update(_dict)
+ args.update(kw)
+ for k, v in list(args.items()):
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index da9d1d7..aaf32cf 100644
+--- a/Tests/test_imagemath.py
++++ b/Tests/test_imagemath.py
+@@ -45,6 +45,12 @@ def test_ops():
+ assert_equal(pixel(ImageMath.eval("float(B)**2", images)), "F 4.0")
+ assert_equal(pixel(ImageMath.eval("float(B)**33", images)), "F 8589934592.0")
+
++def test_prevent_double_underscores():
++ assert_exception(ValueError, lambda: ImageMath.eval("1", {"__": None}))
++
++def test_prevent_builtins():
++ assert_exception(ValueError, lambda: ImageMath.eval("(lambda: isinstance('a', str))()", {"isinstance": None}))
++
+ def test_logical():
+ assert_exception(ValueError, ImageMath.eval("exit()"))
+ assert_exception(ValueError, ImageMath.eval("(lambda:(exit()))()"))
+--
+2.43.0
+
diff --git a/python-pillow.spec b/python-pillow.spec
index 0aeef05..88ac2e0 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -23,7 +23,7 @@ Name: python-pillow
 Version: 2.0.0
-Release: 23%{?snap}%{?dist}
+Release: 25%{?snap}%{?dist}
 Summary: Python image processing library
 # License: see http://www.pythonware.com/products/pil/license.htm
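Review bot: `hasattr(builtins, k)` in the `@@ -213,6 +213,11 @@` hunk of CVE-2023-50447.patch depends on a `builtins` name that this patch does not import (its diffstat shows only the five inserted lines in PIL/ImageMath.py), and on Python 2 the module is spelled `__builtin__`; unless an earlier backport already binds `builtins` in that file, the first `eval` call with a non-empty `_dict` or `kw` raises NameError on the python2 build the spec produces. Confirm the name is bound on both the python2 and python3 trees, and if it is not, add a compatibility import at module top such as `try: import builtins` / `except ImportError: import __builtin__ as builtins`; if `%check` runs the converted unittests, `test_prevent_builtins` would expose the gap. Rejecting offending keys before `args.update(_dict)` is the right order, since nothing from the caller reaches the namespace first. The enclosing `eval` function continues outside the hunk.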
@@ -67,6 +67,14 @@ Patch19: CVE-2022-22817.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2042511
 # https://bugzilla.redhat.com/show_bug.cgi?id=2042522
 Patch20: CVE-2022-22815_CVE-2022-22816.patch
+# CVE-2023-44271 python-pillow: uncontrolled resource consumption when textlength
+# in an ImageDraw instance operates on a long text argument
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
+Patch21: CVE-2023-44271.patch
+# CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d
+# Patch rebased and tests converted from pytest to unittests.
+Patch22: CVE-2023-50447.patch
 BuildRequires: python2-devel
@@ -239,6 +247,8 @@ PIL image wrapper for Qt.
 %patch5 -p2 -b .cve_2020_5313
 %patch19 -p1 -b .CVE-2022-22817
 %patch20 -p1 -b .CVE-2022-22815_CVE-2022-22816
+%patch21 -p1 -b .CVE-2023-44271
+%patch22 -p1 -b .CVE-2023-50447
 %if %{with_python3}
 # Create Python 3 source tree
@@ -396,6 +406,14 @@ popd
 %endif
 %changelog
+* Thu Feb 08 2024 Lumír Balhar - 2.0.0-25gitd1c6db8
+- Security fix for CVE-2023-50447
+Resolves: RHEL-22239
+
+* Mon Nov 13 2023 Lumír Balhar - 2.0.0-24gitd1c6db8
+- Security fix for CVE-2023-44271
+Resolves: RHEL-15459
+
 * Fri Feb 11 2022 Charalampos Stratakis - 2.0.0-23gitd1c6db8
 - Fixup for CVE-2022-22817
 - Security fixes for CVE-2022-22815, CVE-2022-22816
-- Gitee
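Review bot: The comment added above `Patch21:` describes upstream's ImageDraw `textlength` path, but the backported CVE-2023-44271.patch in this commit guards `ImageFont.getsize`, `FreeTypeFont.getsize`/`getmask2` and `TransposedFont.getsize` and touches no `textlength`, so a maintainer reading the spec will search for an API the backport does not patch; rephrase it as `# CVE-2023-44271 python-pillow: uncontrolled resource consumption on long text; backport guards ImageFont.getsize/getmask2 (no textlength in this version)`. The `# Patch rebased and tests converted from pytest to unittests.` note exists only for Patch22, while CVE-2023-44271.patch ships no test at all, so a matching one-line note stating that (or adding a test) would keep the two entries consistent. The `@@ -396` changelog hunk adds both the 2.0.0-24 and 2.0.0-25 entries although the commit subject names only 2.0.0-24, which is worth aligning before merge.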