!94 fix CVE-2022-22815,CVE-2022-22816,CVE-2022-22817

From: @yangcheng1203 Reviewed-by: @myeuler Signed-off-by: @myeuler
2022-02-11 09:13:31 +00:00 · 2022-02-11 09:13:31 +00:00 · 4b6e49caee
commit 4b6e49caee
parent e6e67e5c72 b3f497b9e1
6 changed files with 257 additions and 1 deletions
--- a/backport-0001-CVE-2022-22815-CVE-2022-22816.patch
+++ b/backport-0001-CVE-2022-22815-CVE-2022-22816.patch
@ -0,0 +1,41 @@
+From 1e092419b6806495c683043ab3feb6ce264f3b9c Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Mon, 6 Dec 2021 22:24:19 +1100
+Subject: [PATCH] Initialize coordinates to zero
+
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/pull/5920/commits/1e092419b6806495c683043ab3feb6ce264f3b9c
+
+---
+ Tests/test_imagepath.py | 1 +
+ src/path.c              | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
+index 0835fdb..cd850bb 100644
+--- a/Tests/test_imagepath.py
+++ b/Tests/test_imagepath.py
+@@ -90,6 +90,7 @@ def test_path_odd_number_of_coordinates():
+     [
+         ([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)),
+         ([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)),
+        (1, (0.0, 0.0, 0.0, 0.0)),
+     ],
+ )
+ def test_getbbox(coords, expected):
+diff --git a/src/path.c b/src/path.c
+index 62e7e15..60def3f 100644
+--- a/src/path.c
+++ b/src/path.c
+@@ -58,7 +58,7 @@ alloc_array(Py_ssize_t count)
+     if ((unsigned long long)count > (SIZE_MAX / (2 * sizeof(double))) - 1 ) {
+         return ImagingError_MemoryError();
+     }
+-    xy = malloc(2 * count * sizeof(double) + 1);
+    xy = calloc(2 * count * sizeof(double) + 1, sizeof(double));
+     if (!xy) {
+         ImagingError_MemoryError();
+     }
+-- 
+2.27.0
+
--- a/backport-0001-CVE-2022-22817.patch
+++ b/backport-0001-CVE-2022-22817.patch
@ -0,0 +1,56 @@
+From 8531b01d6cdf0b70f256f93092caa2a5d91afc11 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Sun, 2 Jan 2022 17:23:49 +1100
+Subject: [PATCH] Restrict builtins for ImageMath.eval
+
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/pull/5923/commits/8531b01d6cdf0b70f256f93092caa2a5d91afc11
+
+---
+ Tests/test_imagemath.py | 7 +++++++
+ src/PIL/ImageMath.py    | 7 ++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index 2398067..8e87339 100644
+--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
+@@ -1,3 +1,5 @@
+import pytest
+
+ from PIL import Image, ImageMath
+ 
+ 
+@@ -50,6 +52,11 @@ def test_ops():
+     assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
+ 
+ 
+def test_prevent_exec():
+    with pytest.raises(ValueError):
+        ImageMath.eval("exec('pass')")
+
+
+ def test_logical():
+     assert pixel(ImageMath.eval("not A", images)) == 0
+     assert pixel(ImageMath.eval("A and B", images)) == "L 2"
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 7f9c88e..06bea80 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -246,7 +246,12 @@ def eval(expression, _dict={}, **kw):
+         if hasattr(v, "im"):
+             args[k] = _Operand(v)
+ 
+-    out = builtins.eval(expression, args)
+    code = compile(expression, "<string>", "eval")
+    for name in code.co_names:
+        if name not in args and name != "abs":
+            raise ValueError(f"'{name}' not allowed")
+
+    out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
+     try:
+         return out.im
+     except AttributeError:
+-- 
+2.27.0
+
--- a/backport-0002-CVE-2022-22815-CVE-2022-22816.patch
+++ b/backport-0002-CVE-2022-22815-CVE-2022-22816.patch
@ -0,0 +1,73 @@
+From c48271ab354db49cdbd740bc45e13be4f0f7993c Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Mon, 6 Dec 2021 22:25:14 +1100
+Subject: [PATCH] Handle case where path count is zero
+
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/pull/5920/commits/c48271ab354db49cdbd740bc45e13be4f0f7993c
+
+---
+ Tests/test_imagepath.py |  1 +
+ src/path.c              | 33 +++++++++++++++++++--------------
+ 2 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
+index cd850bb..b18271c 100644
+--- a/Tests/test_imagepath.py
+++ b/Tests/test_imagepath.py
+@@ -90,6 +90,7 @@ def test_path_odd_number_of_coordinates():
+     [
+         ([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)),
+         ([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)),
+        (0, (0.0, 0.0, 0.0, 0.0)),
+         (1, (0.0, 0.0, 0.0, 0.0)),
+     ],
+ )
+diff --git a/src/path.c b/src/path.c
+index 60def3f..a2637b6 100644
+--- a/src/path.c
+++ b/src/path.c
+@@ -338,21 +338,26 @@ path_getbbox(PyPathObject* self, PyObject* args)
+ 
+     xy = self->xy;
+ 
+-    x0 = x1 = xy[0];
+-    y0 = y1 = xy[1];
+    if (self->count == 0) {
+        x0 = x1 = 0;
+        y0 = y1 = 0;
+    } else {
+        x0 = x1 = xy[0];
+        y0 = y1 = xy[1];
+ 
+-    for (i = 1; i < self->count; i++) {
+-        if (xy[i+i] < x0) {
+-            x0 = xy[i+i];
+-        }
+-        if (xy[i+i] > x1) {
+-            x1 = xy[i+i];
+-        }
+-        if (xy[i+i+1] < y0) {
+-            y0 = xy[i+i+1];
+-        }
+-        if (xy[i+i+1] > y1) {
+-            y1 = xy[i+i+1];
+	 for (i = 1; i < self->count; i++) {
+            if (xy[i + i] < x0) {
+                x0 = xy[i + i];
+            }
+            if (xy[i + i] > x1) {
+                x1 = xy[i + i];
+            }
+            if (xy[i + i + 1] < y0) {
+                y0 = xy[i + i + 1];
+            }
+            if (xy[i + i + 1] > y1) {
+                y1 = xy[i + i + 1];
+            }
+         }
+     }
+ 
+-- 
+2.27.0
+
--- a/backport-0002-CVE-2022-22817.patch
+++ b/backport-0002-CVE-2022-22817.patch
@ -0,0 +1,47 @@
+From 6790f1869a357b7da1d7bae006d32e14821fea5d Mon Sep 17 00:00:00 2001
+From: Felipe Rosa de Almeida <feliperalmeida@users.noreply.github.com>
+Date: Sun, 16 Jan 2022 19:11:21 -0300
+Subject: [PATCH] Forbid lambda expressions in ImageMath.eval()
+
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/pull/5963/commits/6790f1869a357b7da1d7bae006d32e14821fea5d
+
+---
+ Tests/test_imagemath.py | 5 +++--
+ src/PIL/ImageMath.py    | 3 +++
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index 8e87339..7bce9e9 100644
+--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
+@@ -52,9 +52,10 @@ def test_ops():
+     assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
+ 
+ 
+-def test_prevent_exec():
+@pytest.mark.parametrize("expression", ("exec('pass')", "(lambda: None)()"))
+def test_prevent_exec(expression):
+     with pytest.raises(ValueError):
+-        ImageMath.eval("exec('pass')")
+        ImageMath.eval(expression)
+ 
+ 
+ def test_logical():
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 06bea80..64f9c5c 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -250,6 +250,9 @@ def eval(expression, _dict={}, **kw):
+     for name in code.co_names:
+         if name not in args and name != "abs":
+             raise ValueError(f"'{name}' not allowed")
+    for const in code.co_consts:
+        if getattr(const, "co_name", None) == "<lambda>":
+            raise ValueError("Lambda expressions are not allowed")
+ 
+     out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
+     try:
+-- 
+2.27.0
+
--- a/backport-0003-CVE-2022-22815-CVE-2022-22816.patch
+++ b/backport-0003-CVE-2022-22815-CVE-2022-22816.patch
@ -0,0 +1,28 @@
+From fe32501922ef5e1be9a7d307132719bd5d52ca35 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Fri, 14 Jan 2022 10:16:35 +1100
+Subject: [PATCH] Corrected allocation
+
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/pull/5958/commits/fe32501922ef5e1be9a7d307132719bd5d52ca35
+
+---
+ src/path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/path.c b/src/path.c
+index a2637b6..d63ae40 100644
+--- a/src/path.c
+++ b/src/path.c
+@@ -58,7 +58,7 @@ alloc_array(Py_ssize_t count)
+     if ((unsigned long long)count > (SIZE_MAX / (2 * sizeof(double))) - 1 ) {
+         return ImagingError_MemoryError();
+     }
+-    xy = calloc(2 * count * sizeof(double) + 1, sizeof(double));
+    xy = calloc(2 * count + 1, sizeof(double));
+     if (!xy) {
+         ImagingError_MemoryError();
+     }
+-- 
+2.27.0
+
--- a/python-pillow.spec
+++ b/python-pillow.spec
@ -5,7 +5,7 @@
 
 Name:           python-pillow
 Version:        8.1.2
-Release:        3
+Release:        4
 Summary:        Python image processing library 
 License:        MIT
 URL:            http://python-pillow.github.io/
@ -29,6 +29,11 @@ Patch6011:      backport-0001-CVE-2021-34552.patch
 Patch6012:      backport-0002-CVE-2021-34552.patch
 Patch6013:      backport-Updated-default-value-for-SAMPLESPERPIXEL-tag.patch
 Patch6014:      backport-CVE-2021-23437.patch
+Patch6015:      backport-0001-CVE-2022-22815-CVE-2022-22816.patch
+Patch6016:      backport-0002-CVE-2022-22815-CVE-2022-22816.patch
+Patch6017:      backport-0003-CVE-2022-22815-CVE-2022-22816.patch
+Patch6018:      backport-0001-CVE-2022-22817.patch
+Patch6019:      backport-0002-CVE-2022-22817.patch

 Patch9000:      backport-disable-test-sanity.patch

@ -165,6 +170,12 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
 %{python3_sitearch}/PIL/__pycache__/ImageQt*

 %changelog
+* Wed Feb 9 2022 yangcheng <yangcheng1203@163.com> - 8.1.2-4
+- Type:CVE
+- CVE:CVE-2022-22815,CVE-2022-22816,CVE-2022-22817
+- SUG:NA
+- DESC:fix CVE-2022-22815,CVE-2022-22816,CVE-2022-22817
+
 * Mon Sep 27 2021 luoyang <luoyang42@huawei.com> - 8.1.2-3
 - fix CVE-2021-23437