From fef77ff39373afa60f459f19c5de4800bc97d141 Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Tue, 8 Feb 2022 16:39:38 +0800
Subject: [PATCH] fix CVE-2022-22815,CVE-2022-22816,CVE-2022-22817

(cherry picked from commit 708579082bd3d266d1f70b6e8919d5815e5370c0)
---
 ...t-0001-CVE-2022-22815-CVE-2022-22816.patch | 41 +++++++++++
 backport-0001-CVE-2022-22817.patch | 56 ++++++++++++++
 ...t-0002-CVE-2022-22815-CVE-2022-22816.patch | 73 +++++++++++++++++++
 backport-0002-CVE-2022-22817.patch | 47 ++++++++++++
 ...t-0003-CVE-2022-22815-CVE-2022-22816.patch | 28 +++++++
 python-pillow.spec | 10 ++-
 6 files changed, 254 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-CVE-2022-22815-CVE-2022-22816.patch
 create mode 100644 backport-0001-CVE-2022-22817.patch
 create mode 100644 backport-0002-CVE-2022-22815-CVE-2022-22816.patch
 create mode 100644 backport-0002-CVE-2022-22817.patch
 create mode 100644 backport-0003-CVE-2022-22815-CVE-2022-22816.patch

diff --git a/backport-0001-CVE-2022-22815-CVE-2022-22816.patch b/backport-0001-CVE-2022-22815-CVE-2022-22816.patch
new file mode 100644
index 0000000..ff905a2
--- /dev/null
+++ b/backport-0001-CVE-2022-22815-CVE-2022-22816.patch
@@ -0,0 +1,41 @@
+From 1e092419b6806495c683043ab3feb6ce264f3b9c Mon Sep 17 00:00:00 2001
+From: Andrew Murray
+Date: Mon, 6 Dec 2021 22:24:19 +1100
+Subject: [PATCH] Initialize coordinates to zero
+
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/pull/5920/commits/1e092419b6806495c683043ab3feb6ce264f3b9c
+
+---
+ Tests/test_imagepath.py | 1 +
+ src/path.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
+index 0835fdb..cd850bb 100644
+--- a/Tests/test_imagepath.py
++++ b/Tests/test_imagepath.py
+@@ -90,6 +90,7 @@ def test_path_odd_number_of_coordinates():
+ [
+ ([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)),
+ ([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)),
++ (1, (0.0, 0.0, 0.0, 0.0)),
+ ],
+ )
+ def test_getbbox(coords, expected):
+diff --git a/src/path.c b/src/path.c
+index 62e7e15..60def3f 100644
+--- a/src/path.c
++++ b/src/path.c
+@@ -58,7 +58,7 @@ alloc_array(Py_ssize_t count)
+ if ((unsigned long long)count > (SIZE_MAX / (2 * sizeof(double))) - 1 ) {
+ return ImagingError_MemoryError();
+ }
+- xy = malloc(2 * count * sizeof(double) + 1);
++ xy = calloc(2 * count * sizeof(double) + 1, sizeof(double));
+ if (!xy) {
+ ImagingError_MemoryError();
+ }
+--
+2.27.0
+
diff --git a/backport-0001-CVE-2022-22817.patch b/backport-0001-CVE-2022-22817.patch
new file mode 100644
index 0000000..3a99d5c
--- /dev/null
+++ b/backport-0001-CVE-2022-22817.patch
@@ -0,0 +1,56 @@
+From 8531b01d6cdf0b70f256f93092caa2a5d91afc11 Mon Sep 17 00:00:00 2001
+From: Andrew Murray
+Date: Sun, 2 Jan 2022 17:23:49 +1100
+Subject: [PATCH] Restrict builtins for ImageMath.eval
+
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/pull/5923/commits/8531b01d6cdf0b70f256f93092caa2a5d91afc11
+
+---
+ Tests/test_imagemath.py | 7 +++++++
+ src/PIL/ImageMath.py | 7 ++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index 2398067..8e87339 100644
+--- a/Tests/test_imagemath.py
++++ b/Tests/test_imagemath.py
+@@ -1,3 +1,5 @@
++import pytest
++
+ from PIL import Image, ImageMath
+
+
+@@ -50,6 +52,11 @@ def test_ops():
+ assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
+
+
++def test_prevent_exec():
++ with pytest.raises(ValueError):
++ ImageMath.eval("exec('pass')")
++
++
+ def test_logical():
+ assert pixel(ImageMath.eval("not A", images)) == 0
+ assert pixel(ImageMath.eval("A and B", images)) == "L 2"
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 7f9c88e..06bea80 100644
+--- a/src/PIL/ImageMath.py
++++ b/src/PIL/ImageMath.py
+@@ -246,7 +246,12 @@ def eval(expression, _dict={}, **kw):
+ if hasattr(v, "im"):
+ args[k] = _Operand(v)
+
+- out = builtins.eval(expression, args)
++ code = compile(expression, "", "eval")
++ for name in code.co_names:
++ if name not in args and name != "abs":
++ raise ValueError(f"'{name}' not allowed")
++
++ out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
+ try:
+ return out.im
+ except AttributeError:
+--
+2.27.0
+
diff --git a/backport-0002-CVE-2022-22815-CVE-2022-22816.patch b/backport-0002-CVE-2022-22815-CVE-2022-22816.patch
new file mode 100644
index 0000000..286b533
--- /dev/null
+++ b/backport-0002-CVE-2022-22815-CVE-2022-22816.patch
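Review bot: In backport-0001-CVE-2022-22817.patch, the globals dict passed to `builtins.eval` in the `src/PIL/ImageMath.py` hunk is keyed `"__builtins"`, but Python only honours the key `"__builtins__"`; with the misspelled key, eval inserts a reference to the full builtins module into the globals itself, so the intended restriction to `abs` never takes effect. The `co_names` scan just above it is then the only barrier, and whatever that scan does not visit is evaluated with every builtin in scope. The line should read `out = builtins.eval(expression, {"__builtins__": {"abs": abs}}, args)`, followed by a run of the existing ImageMath tests to confirm that the operators supplied through `args` still resolve. The same line is carried unchanged as context in backport-0002-CVE-2022-22817.patch, and the body of `eval` starts and ends outside the hunk.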
@@ -0,0 +1,73 @@
+From c48271ab354db49cdbd740bc45e13be4f0f7993c Mon Sep 17 00:00:00 2001
+From: Andrew Murray
+Date: Mon, 6 Dec 2021 22:25:14 +1100
+Subject: [PATCH] Handle case where path count is zero
+
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/pull/5920/commits/c48271ab354db49cdbd740bc45e13be4f0f7993c
+
+---
+ Tests/test_imagepath.py | 1 +
+ src/path.c | 33 +++++++++++++++++++--------------
+ 2 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
+index cd850bb..b18271c 100644
+--- a/Tests/test_imagepath.py
++++ b/Tests/test_imagepath.py
+@@ -90,6 +90,7 @@ def test_path_odd_number_of_coordinates():
+ [
+ ([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)),
+ ([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)),
++ (0, (0.0, 0.0, 0.0, 0.0)),
+ (1, (0.0, 0.0, 0.0, 0.0)),
+ ],
+ )
+diff --git a/src/path.c b/src/path.c
+index 60def3f..a2637b6 100644
+--- a/src/path.c
++++ b/src/path.c
+@@ -338,21 +338,26 @@ path_getbbox(PyPathObject* self, PyObject* args)
+
+ xy = self->xy;
+
+- x0 = x1 = xy[0];
+- y0 = y1 = xy[1];
++ if (self->count == 0) {
++ x0 = x1 = 0;
++ y0 = y1 = 0;
++ } else {
++ x0 = x1 = xy[0];
++ y0 = y1 = xy[1];
+
+- for (i = 1; i < self->count; i++) {
+- if (xy[i+i] < x0) {
+- x0 = xy[i+i];
+- }
+- if (xy[i+i] > x1) {
+- x1 = xy[i+i];
+- }
+- if (xy[i+i+1] < y0) {
+- y0 = xy[i+i+1];
+- }
+- if (xy[i+i+1] > y1) {
+- y1 = xy[i+i+1];
++ for (i = 1; i < self->count; i++) {
++ if (xy[i + i] < x0) {
++ x0 = xy[i + i];
++ }
++ if (xy[i + i] > x1) {
++ x1 = xy[i + i];
++ }
++ if (xy[i + i + 1] < y0) {
++ y0 = xy[i + i + 1];
++ }
++ if (xy[i + i + 1] > y1) {
++ y1 = xy[i + i + 1];
++ }
+ }
+ }
+
+--
+2.27.0
+
diff --git a/backport-0002-CVE-2022-22817.patch b/backport-0002-CVE-2022-22817.patch
new file mode 100644
index 0000000..94cb64b
--- /dev/null
+++ b/backport-0002-CVE-2022-22817.patch
@@ -0,0 +1,47 @@
+From 6790f1869a357b7da1d7bae006d32e14821fea5d Mon Sep 17 00:00:00 2001
+From: Felipe Rosa de Almeida
+Date: Sun, 16 Jan 2022 19:11:21 -0300
+Subject: [PATCH] Forbid lambda expressions in ImageMath.eval()
+
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/pull/5963/commits/6790f1869a357b7da1d7bae006d32e14821fea5d
+
+---
+ Tests/test_imagemath.py | 5 +++--
+ src/PIL/ImageMath.py | 3 +++
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index 8e87339..7bce9e9 100644
+--- a/Tests/test_imagemath.py
++++ b/Tests/test_imagemath.py
+@@ -52,9 +52,10 @@ def test_ops():
+ assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
+
+
+-def test_prevent_exec():
++@pytest.mark.parametrize("expression", ("exec('pass')", "(lambda: None)()"))
++def test_prevent_exec(expression):
+ with pytest.raises(ValueError):
+- ImageMath.eval("exec('pass')")
++ ImageMath.eval(expression)
+
+
+ def test_logical():
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 06bea80..64f9c5c 100644
+--- a/src/PIL/ImageMath.py
++++ b/src/PIL/ImageMath.py
+@@ -250,6 +250,9 @@ def eval(expression, _dict={}, **kw):
+ for name in code.co_names:
+ if name not in args and name != "abs":
+ raise ValueError(f"'{name}' not allowed")
++ for const in code.co_consts:
++ if getattr(const, "co_name", None) == "":
++ raise ValueError("Lambda expressions are not allowed")
+
+ out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
+ try:
+--
+2.27.0
+
diff --git a/backport-0003-CVE-2022-22815-CVE-2022-22816.patch b/backport-0003-CVE-2022-22815-CVE-2022-22816.patch
new file mode 100644
index 0000000..22165a3
--- /dev/null
+++ b/backport-0003-CVE-2022-22815-CVE-2022-22816.patch
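Review bot: In backport-0002-CVE-2022-22817.patch, the new `co_consts` loop in `src/PIL/ImageMath.py` rejects a nested code object only when its `co_name` equals one literal, while the `co_names` allowlist is still applied to the top-level code object alone, so names used inside any other nested code object are never checked. Rejecting every code object found in `co_consts`, for example `if hasattr(const, "co_names"): raise ValueError("Nested code is not allowed")`, or applying the allowlist recursively to each one, closes that gap without depending on a name match and keeps `test_prevent_exec` passing. As shown on this page the compared literal is an empty string; presumably the original `<lambda>` was lost in extraction, which should be confirmed against the referenced upstream commit before the patch is applied. The body of `eval` starts and ends outside the hunk.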
@@ -0,0 +1,28 @@
+From fe32501922ef5e1be9a7d307132719bd5d52ca35 Mon Sep 17 00:00:00 2001
+From: Andrew Murray
+Date: Fri, 14 Jan 2022 10:16:35 +1100
+Subject: [PATCH] Corrected allocation
+
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/pull/5958/commits/fe32501922ef5e1be9a7d307132719bd5d52ca35
+
+---
+ src/path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/path.c b/src/path.c
+index a2637b6..d63ae40 100644
+--- a/src/path.c
++++ b/src/path.c
+@@ -58,7 +58,7 @@ alloc_array(Py_ssize_t count)
+ if ((unsigned long long)count > (SIZE_MAX / (2 * sizeof(double))) - 1 ) {
+ return ImagingError_MemoryError();
+ }
+- xy = calloc(2 * count * sizeof(double) + 1, sizeof(double));
++ xy = calloc(2 * count + 1, sizeof(double));
+ if (!xy) {
+ ImagingError_MemoryError();
+ }
+--
+2.27.0
+
diff --git a/python-pillow.spec b/python-pillow.spec
index 59a2427..c44cf79 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -5,7 +5,7 @@
 
 Name: python-pillow
 Version: 8.1.1
-Release: 7
+Release: 8
 Summary: Python image processing library
 License: MIT
 URL: http://python-pillow.github.io/
@@ -29,6 +29,11 @@ Patch6012: backport-0001-CVE-2021-34552.patch
 Patch6013: backport-0002-CVE-2021-34552.patch
 Patch6014: backport-Updated-default-value-for-SAMPLESPERPIXEL-tag.patch
 Patch6015: backport-CVE-2021-23437.patch
+Patch6016: backport-0001-CVE-2022-22815-CVE-2022-22816.patch
+Patch6017: backport-0002-CVE-2022-22815-CVE-2022-22816.patch
+Patch6018: backport-0003-CVE-2022-22815-CVE-2022-22816.patch
+Patch6019: backport-0001-CVE-2022-22817.patch
+Patch6020: backport-0002-CVE-2022-22817.patch
 
 BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libraqm-devel libtiff-devel
 BuildRequires: libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@@ -160,6 +165,9 @@ popd
 %{python3_sitearch}/PIL/__pycache__/ImageQt*
 
 %changelog
+* Tue Feb 08 2022 dongyuzhen - 8.1.1-8
+- fix CVE-2022-22815,CVE-2022-22816,CVE-2022-22817
+
 * Mon Sep 27 2021 luoyang - 8.1.1-7
 - fix CVE-2021-23437
 
--
Gitee