diff --git a/CVE-2023-50447.patch b/CVE-2023-50447.patch
deleted file mode 100644
index 4cae675de7bef9d0e229fc1a1f7ed494ba754e29..0000000000000000000000000000000000000000
--- a/CVE-2023-50447.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-Origin: https://github.com/python-pillow/Pillow/pull/7655
-
-From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001
-From: Eric Soroos
-Date: Fri, 27 Oct 2023 11:21:18 +0200
-Subject: [PATCH 1/3] Don't allow __ or builtins in env dictionarys for
- ImageMath.eval
-
----
- src/PIL/ImageMath.py | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
-index 7ca512e7568..cf108e2586f 100644
---- a/src/PIL/ImageMath.py
-+++ b/src/PIL/ImageMath.py
-@@ -237,6 +237,10 @@ def eval(expression, _dict={}, **kw):
- args.update(_dict)
- args.update(kw)
-- for k, v in list(args.items()):
-+ for k, v in args.items():
-+ if '__' in k or hasattr(__builtins__, k):
-+ msg = f"'{k}' not allowed"
-+ raise ValueError(msg)
-+
- if hasattr(v, "im"):
- args[k] = _Operand(v)
-
-
-From 0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80 Mon Sep 17 00:00:00 2001
-From: Andrew Murray
-Date: Sat, 28 Oct 2023 15:58:52 +1100
-Subject: [PATCH 2/3] Allow ops
-
----
- Tests/test_imagemath.py | 5 +++++
- src/PIL/ImageMath.py | 9 +++++----
- 2 files changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
-index 22de86c7cab..9a0326ece3b 100644
---- a/Tests/test_imagemath.py
-+++ b/Tests/test_imagemath.py
-@@ -64,6 +64,11 @@ def test_prevent_exec(expression):
- ImageMath.eval(expression)
-
-
-+def test_prevent_double_underscores():
-+ with pytest.raises(ValueError):
-+ ImageMath.eval("1", {"__": None})
-+
-+
- def test_logical():
- assert pixel(ImageMath.eval("not A", images)) == 0
- assert pixel(ImageMath.eval("A and B", images)) == "L 2"
-diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
-index cf108e2586f..fd7d78d4583 100644
---- a/src/PIL/ImageMath.py
-+++ b/src/PIL/ImageMath.py
-@@ -234,13 +234,14 @@ def eval(expression, _dict={}, **kw):
-
- # build execution namespace
- args = ops.copy()
-- args.update(_dict)
-- args.update(kw)
-- for k, v in args.items():
-- if '__' in k or hasattr(__builtins__, k):
-+ for k in list(_dict.keys()) + list(kw.keys()):
-+ if "__" in k or hasattr(__builtins__, k):
- msg = f"'{k}' not allowed"
- raise ValueError(msg)
-
-+ args.update(_dict)
-+ args.update(kw)
-+ for k, v in args.items():
- if hasattr(v, "im"):
- args[k] = _Operand(v)
-
-
-From 557ba59d13de919d04b3fd4cdef8634f7d4b3348 Mon Sep 17 00:00:00 2001
-From: Andrew Murray
-Date: Sat, 30 Dec 2023 09:30:12 +1100
-Subject: [PATCH 3/3] Include further builtins
-
----
- Tests/test_imagemath.py | 5 +++++
- docs/releasenotes/10.2.0.rst | 9 ++++++---
- src/PIL/ImageMath.py | 2 +-
- 3 files changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
-index 9a0326ece3b..9281de6f66a 100644
---- a/Tests/test_imagemath.py
-+++ b/Tests/test_imagemath.py
-@@ -69,6 +69,11 @@ def test_prevent_double_underscores():
- ImageMath.eval("1", {"__": None})
-
-
-+def test_prevent_builtins():
-+ with pytest.raises(ValueError):
-+ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None})
-+
-+
- def test_logical():
- assert pixel(ImageMath.eval("not A", images)) == 0
- assert pixel(ImageMath.eval("A and B", images)) == "L 2"
-diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
-index fd7d78d4583..b77f4bce567 100644
---- a/src/PIL/ImageMath.py
-+++ b/src/PIL/ImageMath.py
-@@ -235,7 +235,7 @@ def eval(expression, _dict={}, **kw):
- # build execution namespace
- args = ops.copy()
- for k in list(_dict.keys()) + list(kw.keys()):
-- if "__" in k or hasattr(__builtins__, k):
-+ if "__" in k or hasattr(builtins, k):
- msg = f"'{k}' not allowed"
- raise ValueError(msg)
-
diff --git a/Pillow-10.0.0.tar.gz b/pillow-10.2.0.tar.gz
similarity index 78%
rename from Pillow-10.0.0.tar.gz
rename to pillow-10.2.0.tar.gz
index 21fba65929e8f7f2cef3b2789fd2c2ccd79a2830..02b1f8302ae1c0c8717a23f9e7427b3223c52505 100644
Binary files a/Pillow-10.0.0.tar.gz and b/pillow-10.2.0.tar.gz differ
diff --git a/python-pillow.spec b/python-pillow.spec
index 3ecc63dc01122c324568e6eaa0a7656b9ae12d0f..d22a7a54366bbfeb7864aea8fd4b71161b7d1ee0 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -3,13 +3,12 @@
 %global with_docs 0
 Name: python-pillow
-Version: 10.0.0
-Release: 2
+Version: 10.2.0
+Release: 1
 Summary: Python image processing library
 License: MIT
 URL: http://python-pillow.github.io/
-Source0: https://files.pythonhosted.org/packages/0f/8b/2ebaf9adcf4260c00f842154865f8730cf745906aa5dd499141fb6063e26/Pillow-10.0.0.tar.gz
-Patch0: CVE-2023-50447.patch
+Source0: https://files.pythonhosted.org/packages/source/p/pillow/pillow-%{version}.tar.gz
 BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel
 BuildRequires: libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@@ -87,8 +86,9 @@ Provides: python3-imaging-qt = %{version}-%{release}
 %description -n python3-pillow-qt
 Qt pillow image wrapper.
+
 %prep
-%autosetup -p1 -n Pillow-%{version}
+%autosetup -p1 -n pillow-%{version}
 %build
@@ -118,7 +118,7 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
 %doc README.md CHANGES.rst
 %license docs/COPYING
 %{python3_sitearch}/PIL/
-%{python3_sitearch}/Pillow-%{version}-py%{python3_version}.egg-info
+%{python3_sitearch}/pillow-%{version}-py%{python3_version}.egg-info
 %exclude %{python3_sitearch}/PIL/_imagingtk*
 %exclude %{python3_sitearch}/PIL/ImageTk*
 %exclude %{python3_sitearch}/PIL/SpiderImagePlugin*
@@ -147,6 +147,9 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
 %{python3_sitearch}/PIL/__pycache__/ImageQt*
 %changelog
+* Wed Feb 07 2024 xu_ping <707078654@qq.com> - 10.2.0-1
+- Upgrade version to 10.2.0
+
 * Wed Jan 24 2024 wangkai <13474090681@163.com> - 10.0.0-2
 - Fix CVE-2023-50447
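Review bot: The new changelog entry in the last hunk records only the version upgrade, but the first hunk also drops `Patch0: CVE-2023-50447.patch`, and nothing in the spec now states why that fix can go. The deleted patch's third part touches docs/releasenotes/10.2.0.rst, which indicates the upstream fix ships in 10.2.0, so the entry should record that so the CVE trail survives in the package history: `- Drop CVE-2023-50447.patch, fix included upstream in 10.2.0` after `- Upgrade version to 10.2.0`. The `%autosetup -p1` left in place is harmless with no patches, but the Source0 change to the unhashed `/packages/source/p/pillow/` path means the tarball identity now rests only on the renamed binary in this commit; presumably the packaging workflow verifies it separately, worth confirming.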