diff --git a/backport-0001-CVE-2022-24303.patch b/backport-0001-CVE-2022-24303.patch new file mode 100644 index 0000000000000000000000000000000000000000..34f56c91bf6dd679af59dcf6e58a540069ee8fc0 --- /dev/null +++ b/backport-0001-CVE-2022-24303.patch @@ -0,0 +1,53 @@ +From 5cca90a37ce005498c80f4717ba67c5d8f45c540 Mon Sep 17 00:00:00 2001 +From: mihail +Date: Mon, 20 Dec 2021 12:08:31 +0300 +Subject: [PATCH] Add: XDGViewer which uses xdg-open + +Synopsis + +xdg-open { file | URL } + +xdg-open { --help | --manual | --version } + +Use 'man xdg-open' or 'xdg-open --manual' for additional info. + +Conflict:NA +Reference:https://github.com/python-pillow/Pillow/commit/5cca90a37ce005498c80f4717ba67c5d8f45c540 + +--- + src/PIL/ImageShow.py | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py +index 1ada825..137135e 100644 +--- a/src/PIL/ImageShow.py ++++ b/src/PIL/ImageShow.py +@@ -186,6 +186,16 @@ class UnixViewer(Viewer): + os.remove(path) + return 1 + ++class XDGViewer(UnixViewer): ++ """ ++ The freedesktop.org ``xdg-open`` command. ++ """ ++ ++ def get_command_ex(self, file, **options): ++ command = executable = "xdg-open" ++ return command, executable ++ ++ + + class DisplayViewer(UnixViewer): + """The ImageMagick ``display`` command.""" +@@ -219,6 +229,8 @@ class XVViewer(UnixViewer): + + + if sys.platform not in ("win32", "darwin"): # unixoids ++ if shutil.which("xdg-open"): ++ register(XDGViewer) + if shutil.which("display"): + register(DisplayViewer) + if shutil.which("eog"): +-- +2.27.0 + diff --git a/backport-0002-CVE-2022-24303.patch b/backport-0002-CVE-2022-24303.patch new file mode 100644 index 0000000000000000000000000000000000000000..e2ed605ba9c299a53d0bfec3331420b3eb10ac7a --- /dev/null +++ b/backport-0002-CVE-2022-24303.patch 
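Review bot: Registering `XDGViewer` ahead of `DisplayViewer` makes `xdg-open` the preferred viewer on every non-win32/darwin host that has it, so existing callers who got `display` or `eog` silently get whatever the desktop associates with the file type instead; the class docstring should say so, e.g. `Preferred over the other Unix viewers when available; hands the file to the desktop's configured handler, which need not be an image viewer.` A why-comment on the registration line (`# checked first: defers to the user's MIME handler`) would make the ordering deliberate rather than accidental. Stylistically, the new class is separated from `UnixViewer.show_file` by one blank line and from `DisplayViewer` by three; PEP 8 wants two on both sides.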
@@ -0,0 +1,142 @@ +From 86944abbabad62e53e644bd7375b9a56d66c1675 Mon Sep 17 00:00:00 2001 +From: Andrew Murray +Date: Sat, 15 Jan 2022 16:08:37 +1100 +Subject: [PATCH] Deprecated show_file "file" argument in favour of "path" + +Conflict:NA +Reference:https://github.com/python-pillow/Pillow/commit/86944abbabad62e53e644bd7375b9a56d66c1675 + +--- + Tests/test_imageshow.py | 15 +++++++++++ + src/PIL/ImageShow.py | 59 +++++++++++++++++++++++++++++++---------- + 2 files changed, 60 insertions(+), 14 deletions(-) + +diff --git a/Tests/test_imageshow.py b/Tests/test_imageshow.py +index 78e80f5..f79a531 100644 +--- a/Tests/test_imageshow.py ++++ b/Tests/test_imageshow.py +@@ -63,3 +63,18 @@ def test_viewer(): + def test_viewers(): + for viewer in ImageShow._viewers: + viewer.get_command("test.jpg") ++ ++ ++@pytest.mark.skipif( ++ not on_ci() or is_win32(), ++ reason="Only run on CIs; hangs on Windows CIs", ++) ++def test_file_deprecated(): ++ for viewer in ImageShow._viewers: ++ with pytest.warns(DeprecationWarning): ++ try: ++ viewer.show_file(file="test.jpg") ++ except NotImplementedError: ++ pass ++ with pytest.raises(TypeError): ++ viewer.show_file() +diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py +index 137135e..b3b9a5b 100644 +--- a/src/PIL/ImageShow.py ++++ b/src/PIL/ImageShow.py +@@ -16,6 +16,7 @@ import shutil + import subprocess + import sys + import tempfile ++import warnings + from shlex import quote + + from PIL import Image +@@ -106,9 +107,19 @@ class Viewer: + """Display the given image.""" + return self.show_file(self.save_image(image), **options) + +- def show_file(self, file, **options): +- """Display the given file.""" +- os.system(self.get_command(file, **options)) ++ def show_file(self, path=None, **options): ++ """Display given file.""" ++ if path is None: ++ if "file" in options: ++ warnings.warn( ++ "The 'file' argument is deprecated and will be removed in Pillow " ++ "10 (2023-07-01). 
Use 'path' instead.", ++ DeprecationWarning, ++ ) ++ path = options.pop("file") ++ else: ++ raise TypeError("Missing required argument: 'path'") ++ os.system(self.get_command(path, **options)) + return 1 + + +@@ -146,18 +157,28 @@ class MacViewer(Viewer): + command = f"({command} {quote(file)}; sleep 20; rm -f {quote(file)})&" + return command + +- def show_file(self, file, **options): ++ def show_file(self, path=None, **options): + """Display given file""" +- fd, path = tempfile.mkstemp() ++ if path is None: ++ if "file" in options: ++ warnings.warn( ++ "The 'file' argument is deprecated and will be removed in Pillow " ++ "10 (2023-07-01). Use 'path' instead.", ++ DeprecationWarning, ++ ) ++ path = options.pop("file") ++ else: ++ raise TypeError("Missing required argument: 'path'") ++ fd, temp_path = tempfile.mkstemp() + with os.fdopen(fd, "w") as f: +- f.write(file) +- with open(path) as f: ++ f.write(path) ++ with open(temp_path) as f: + subprocess.Popen( + ["im=$(cat); open -a Preview.app $im; sleep 20; rm -f $im"], + shell=True, + stdin=f, + ) +- os.remove(path) ++ os.remove(temp_path) + return 1 + + +@@ -173,17 +194,27 @@ class UnixViewer(Viewer): + command = self.get_command_ex(file, **options)[0] + return f"({command} {quote(file)}; rm -f {quote(file)})&" + +- def show_file(self, file, **options): ++ def show_file(self, path=None, **options): + """Display given file""" +- fd, path = tempfile.mkstemp() ++ if path is None: ++ if "file" in options: ++ warnings.warn( ++ "The 'file' argument is deprecated and will be removed in Pillow " ++ "10 (2023-07-01). 
Use 'path' instead.", ++ DeprecationWarning, ++ ) ++ path = options.pop("file") ++ else: ++ raise TypeError("Missing required argument: 'path'") ++ fd, temp_path = tempfile.mkstemp() + with os.fdopen(fd, "w") as f: +- f.write(file) +- with open(path) as f: +- command = self.get_command_ex(file, **options)[0] ++ f.write(path) ++ with open(temp_path) as f: ++ command = self.get_command_ex(path, **options)[0] + subprocess.Popen( + ["im=$(cat);" + command + " $im; rm -f $im"], shell=True, stdin=f + ) +- os.remove(path) ++ os.remove(temp_path) + return 1 + + class XDGViewer(UnixViewer): +-- +2.27.0 + diff --git a/backport-0003-CVE-2022-24303.patch b/backport-0003-CVE-2022-24303.patch new file mode 100644 index 0000000000000000000000000000000000000000..15238f12cbb37d2ceeffc0740e1de81f0178effa --- /dev/null +++ b/backport-0003-CVE-2022-24303.patch 
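Review bot: When a caller passes both `path` and the deprecated `file=` keyword, the three new `show_file` bodies take `path` and leave `file` in `options`, where it is silently forwarded to `get_command`/`get_command_ex` and ignored; that should be a `TypeError` like the missing-argument case. The same eleven-line deprecation shim is pasted into `Viewer`, `MacViewer` and `UnixViewer` (and the next patch in this series copies it three more times), so a single helper on `Viewer` would keep the message and the `options.pop("file")` side effect in one place. If the backport is meant to stay line-for-line with upstream, at least the both-given check is worth adding in each copy.
```python
# … inside class Viewer, next to show_file …
def _path_from_options(self, path, options):
    """Resolve the path to display, honouring the deprecated ``file`` keyword.

    ``options`` is mutated: a consumed ``file`` entry is popped so it is not
    forwarded to the viewer command.
    """
    if path is None:
        if "file" not in options:
            raise TypeError("Missing required argument: 'path'")
        warnings.warn(
            "The 'file' argument is deprecated and will be removed in Pillow "
            "10 (2023-07-01). Use 'path' instead.",
            DeprecationWarning,
        )
        path = options.pop("file")
    elif "file" in options:
        raise TypeError("show_file() got both 'path' and the deprecated 'file'")
    return path

def show_file(self, path=None, **options):
    """Display given file."""
    path = self._path_from_options(path, options)
    os.system(self.get_command(path, **options))
    return 1
```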
@@ -0,0 +1,215 @@ +From 8da80130dbc747f3954b4904247d26289fe722f9 Mon Sep 17 00:00:00 2001 +From: Andrew Murray +Date: Mon, 17 Jan 2022 08:59:17 +1100 +Subject: [PATCH] In show_file, use os.remove to remove temporary images + +Conflict:NA +Reference:https://github.com/python-pillow/Pillow/pull/6010/commits/8da80130dbc747f3954b4904247d26289fe722f9 + +--- + Tests/test_imageshow.py | 6 +- + src/PIL/ImageShow.py | 124 ++++++++++++++++++++++++++++++---------- + 2 files changed, 98 insertions(+), 32 deletions(-) + +diff --git a/Tests/test_imageshow.py b/Tests/test_imageshow.py +index f79a531..5983ebf 100644 +--- a/Tests/test_imageshow.py ++++ b/Tests/test_imageshow.py +@@ -69,11 +69,13 @@ def test_viewers(): + not on_ci() or is_win32(), + reason="Only run on CIs; hangs on Windows CIs", + ) +-def test_file_deprecated(): ++def test_file_deprecated(tmp_path): ++ f = str(tmp_path / "temp.jpg") + for viewer in ImageShow._viewers: ++ hopper().save(f) + with pytest.warns(DeprecationWarning): + try: +- viewer.show_file(file="test.jpg") ++ viewer.show_file(file=f) + except NotImplementedError: + pass + with pytest.raises(TypeError): +diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py +index b3b9a5b..e4eb2f8 100644 +--- a/src/PIL/ImageShow.py ++++ b/src/PIL/ImageShow.py +@@ -15,7 +15,6 @@ import os + import shutil + import subprocess + import sys +-import tempfile + import warnings + from shlex import quote + +@@ -169,16 +168,15 @@ class MacViewer(Viewer): + path = options.pop("file") + else: + raise TypeError("Missing required argument: 'path'") +- fd, temp_path = tempfile.mkstemp() +- with os.fdopen(fd, "w") as f: +- f.write(path) +- with open(temp_path) as f: +- subprocess.Popen( +- ["im=$(cat); open -a Preview.app $im; sleep 20; rm -f $im"], +- shell=True, +- stdin=f, +- ) +- os.remove(temp_path) ++ subprocess.call(["open", "-a", "Preview.app", path]) ++ subprocess.Popen( ++ [ ++ sys.executable, ++ "-c", ++ "import os, sys, time;time.sleep(20);os.remove(sys.argv[1])", ++ 
path, ++ ] ++ ) + return 1 + + +@@ -194,6 +192,16 @@ class UnixViewer(Viewer): + command = self.get_command_ex(file, **options)[0] + return f"({command} {quote(file)}; rm -f {quote(file)})&" + ++ ++class XDGViewer(UnixViewer): ++ """ ++ The freedesktop.org ``xdg-open`` command. ++ """ ++ ++ def get_command_ex(self, file, **options): ++ command = executable = "xdg-open" ++ return command, executable ++ + def show_file(self, path=None, **options): + """Display given file""" + if path is None: +@@ -206,27 +214,10 @@ class UnixViewer(Viewer): + path = options.pop("file") + else: + raise TypeError("Missing required argument: 'path'") +- fd, temp_path = tempfile.mkstemp() +- with os.fdopen(fd, "w") as f: +- f.write(path) +- with open(temp_path) as f: +- command = self.get_command_ex(path, **options)[0] +- subprocess.Popen( +- ["im=$(cat);" + command + " $im; rm -f $im"], shell=True, stdin=f +- ) +- os.remove(temp_path) ++ subprocess.Popen(["xdg-open", path]) ++ os.remove(path) + return 1 + +-class XDGViewer(UnixViewer): +- """ +- The freedesktop.org ``xdg-open`` command. +- """ +- +- def get_command_ex(self, file, **options): +- command = executable = "xdg-open" +- return command, executable +- +- + + class DisplayViewer(UnixViewer): + """The ImageMagick ``display`` command.""" +@@ -235,6 +226,32 @@ class DisplayViewer(UnixViewer): + command = executable = "display" + return command, executable + ++ def show_file(self, path=None, **options): ++ """ ++ Display given file. ++ ++ Before Pillow 9.1.0, the first argument was ``file``. This is now deprecated, ++ and ``path`` should be used instead. ++ """ ++ if path is None: ++ if "file" in options: ++ warnings.warn( ++ "The 'file' argument is deprecated and will be removed in Pillow " ++ "10 (2023-07-01). 
Use 'path' instead.", ++ DeprecationWarning, ++ ) ++ path = options.pop("file") ++ else: ++ raise TypeError("Missing required argument: 'path'") ++ args = ["display"] ++ if "title" in options: ++ args += ["-name", options["title"]] ++ args.append(path) ++ ++ subprocess.Popen(args) ++ os.remove(path) ++ return 1 ++ + + class EogViewer(UnixViewer): + """The GNOME Image Viewer ``eog`` command.""" +@@ -243,6 +260,27 @@ class EogViewer(UnixViewer): + command = executable = "eog" + return command, executable + ++ def show_file(self, path=None, **options): ++ """ ++ Display given file. ++ ++ Before Pillow 9.1.0, the first argument was ``file``. This is now deprecated, ++ and ``path`` should be used instead. ++ """ ++ if path is None: ++ if "file" in options: ++ warnings.warn( ++ "The 'file' argument is deprecated and will be removed in Pillow " ++ "10 (2023-07-01). Use 'path' instead.", ++ DeprecationWarning, ++ ) ++ path = options.pop("file") ++ else: ++ raise TypeError("Missing required argument: 'path'") ++ subprocess.Popen(["eog", "-n", path]) ++ os.remove(path) ++ return 1 ++ + + class XVViewer(UnixViewer): + """ +@@ -258,6 +296,32 @@ class XVViewer(UnixViewer): + command += f" -name {quote(title)}" + return command, executable + ++ def show_file(self, path=None, **options): ++ """ ++ Display given file. ++ ++ Before Pillow 9.1.0, the first argument was ``file``. This is now deprecated, ++ and ``path`` should be used instead. ++ """ ++ if path is None: ++ if "file" in options: ++ warnings.warn( ++ "The 'file' argument is deprecated and will be removed in Pillow " ++ "10 (2023-07-01). 
Use 'path' instead.", ++ DeprecationWarning, ++ ) ++ path = options.pop("file") ++ else: ++ raise TypeError("Missing required argument: 'path'") ++ args = ["xv"] ++ if "title" in options: ++ args += ["-name", options["title"]] ++ args.append(path) ++ ++ subprocess.Popen(args) ++ os.remove(path) ++ return 1 ++ + + if sys.platform not in ("win32", "darwin"): # unixoids + if shutil.which("xdg-open"): +-- +2.27.0 + diff --git a/backport-0004-CVE-2022-24303.patch b/backport-0004-CVE-2022-24303.patch new file mode 100644 index 0000000000000000000000000000000000000000..cd8df40c11bb75a675a39bb83bc64d8e14ca14ed --- /dev/null +++ b/backport-0004-CVE-2022-24303.patch @@ -0,0 +1,30 @@ +From 143032103c9f2d55a0a7960bd3e630cb72549e8a Mon Sep 17 00:00:00 2001 +From: Andrew Murray <3112309+radarhere@users.noreply.github.com> +Date: Tue, 18 Jan 2022 11:24:01 +1100 +Subject: [PATCH] Updated formatting + +Co-authored-by: Hugo van Kemenade + +Conflict:NA +Reference:https://github.com/python-pillow/Pillow/pull/6010/commits/143032103c9f2d55a0a7960bd3e630cb72549e8a + +--- + src/PIL/ImageShow.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py +index e4eb2f8..429f9bd 100644 +--- a/src/PIL/ImageShow.py ++++ b/src/PIL/ImageShow.py +@@ -173,7 +173,7 @@ class MacViewer(Viewer): + [ + sys.executable, + "-c", +- "import os, sys, time;time.sleep(20);os.remove(sys.argv[1])", ++ "import os, sys, time; time.sleep(20); os.remove(sys.argv[1])", + path, + ] + ) +-- +2.27.0 + diff --git a/backport-0005-CVE-2022-24303.patch b/backport-0005-CVE-2022-24303.patch new file mode 100644 index 0000000000000000000000000000000000000000..da3e560e43211d1a1ef4d53fe505ed580d98575c --- /dev/null +++ b/backport-0005-CVE-2022-24303.patch 
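Review bot: In the new `DisplayViewer.show_file`, `EogViewer.show_file` and `XVViewer.show_file`, `os.remove(path)` runs as soon as `subprocess.Popen(args)` returns, i.e. while the viewer is still starting, so the image can be unlinked before the child has opened it; the shell form being deleted here only ran `rm -f` after the viewer process had exited. `XDGViewer.show_file` has the same ordering in this patch and the last patch of the series swaps it for a deferred removal, but the three X11 viewers keep the immediate delete. Either hold the `Popen` object and remove after `proc.wait()` from a background worker, or give them the same deferred removal as xdg-open and Preview. Replacing the `im=$(cat); ... $im` shell string with an argument list does close the unquoted-path expansion behind CVE-2022-24303, so the removal timing is the only thing left to settle in these bodies.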
@@ -0,0 +1,61 @@ +From 10c4f75aaa383bd9671e923e3b91d391ea12d781 Mon Sep 17 00:00:00 2001 +From: Andrew Murray +Date: Thu, 3 Feb 2022 08:58:12 +1100 +Subject: [PATCH] Added delay after opening image with xdg-open + +Conflict:NA +Reference:https://github.com/python-pillow/Pillow/pull/6010/commits/10c4f75aaa383bd9671e923e3b91d391ea12d781 + +--- + src/PIL/ImageShow.py | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py +index 429f9bd..312faad 100644 +--- a/src/PIL/ImageShow.py ++++ b/src/PIL/ImageShow.py +@@ -121,6 +121,16 @@ class Viewer: + os.system(self.get_command(path, **options)) + return 1 + ++ def _remove_path_after_delay(self, path): ++ subprocess.Popen( ++ [ ++ sys.executable, ++ "-c", ++ "import os, sys, time; time.sleep(20); os.remove(sys.argv[1])", ++ path, ++ ] ++ ) ++ + + # -------------------------------------------------------------------- + +@@ -169,14 +179,7 @@ class MacViewer(Viewer): + else: + raise TypeError("Missing required argument: 'path'") + subprocess.call(["open", "-a", "Preview.app", path]) +- subprocess.Popen( +- [ +- sys.executable, +- "-c", +- "import os, sys, time; time.sleep(20); os.remove(sys.argv[1])", +- path, +- ] +- ) ++ self._remove_path_after_delay(path) + return 1 + + +@@ -215,7 +218,7 @@ class XDGViewer(UnixViewer): + else: + raise TypeError("Missing required argument: 'path'") + subprocess.Popen(["xdg-open", path]) +- os.remove(path) ++ self._remove_path_after_delay(path) + return 1 + + +-- +2.27.0 + diff --git a/python-pillow.spec b/python-pillow.spec index 2b38478674c3356bcad1ea25fef0a0c610f30b42..215a5c3f3c67592542dc7471997bc1e414754634 100644 --- a/python-pillow.spec +++ b/python-pillow.spec @@ -5,7 +5,7 @@ Name: python-pillow Version: 8.1.2 -Release: 4 +Release: 5 Summary: Python image processing library License: MIT URL: http://python-pillow.github.io/ 
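Review bot: `_remove_path_after_delay` has no docstring and assumes `sys.executable` names a runnable interpreter; per the Python docs it can be `None` or an empty string in embedded or relocated installs, and then `subprocess.Popen` raises out of `show()` and the temporary image is never cleaned up. Leaking the file is the lesser evil there, so a guard such as `if not sys.executable: return  # no interpreter to spawn; leave the temp file` is worth adding. Passing `path` as `sys.argv[1]` rather than interpolating it into the `-c` string is what keeps this free of the shell-expansion problem the series fixes, and the fixed 20-second window is a heuristic, so a one-line docstring along the lines of `Unlink *path* from a detached child after 20 s so the viewer has time to open it.` would help the next maintainer. The helper is only wired into `MacViewer` and `XDGViewer` here; the `display`, `eog` and `xv` viewers from the earlier patch still remove immediately and could call it as well.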
@@ -34,6 +34,11 @@ Patch6016: backport-0002-CVE-2022-22815-CVE-2022-22816.patch Patch6017: backport-0003-CVE-2022-22815-CVE-2022-22816.patch Patch6018: backport-0001-CVE-2022-22817.patch Patch6019: backport-0002-CVE-2022-22817.patch +Patch6020: backport-0001-CVE-2022-24303.patch +Patch6021: backport-0002-CVE-2022-24303.patch +Patch6022: backport-0003-CVE-2022-24303.patch +Patch6023: backport-0004-CVE-2022-24303.patch +Patch6024: backport-0005-CVE-2022-24303.patch Patch9000: backport-disable-test-sanity.patch @@ -170,6 +175,9 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v %{python3_sitearch}/PIL/__pycache__/ImageQt* %changelog +* Thu Feb 17 2022 dongyuzhen - 8.1.2-5 +- fix CVE-2022-24303 + * Wed Feb 9 2022 yangcheng - 8.1.2-4 - Type:CVE - CVE:CVE-2022-22815,CVE-2022-22816,CVE-2022-22817