packages/python-pillow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!94 fix CVE-2022-22815,CVE-2022-22816,CVE-2022-22817

Browse Source 
From: @yangcheng1203 
Reviewed-by: @myeuler 
Signed-off-by: @myeuler
This commit is contained in:
openeuler-ci-bot 2022-02-11 09:13:31 +00:00 committed by Gitee
commit 4b6e49caee
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
6 changed files with 257 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
backport-0001-CVE-2022-22815-CVE-2022-22816.patch Normal file
View File

@ -0,0 +1,41 @@
From 1e092419b6806495c683043ab3feb6ce264f3b9c Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Mon, 6 Dec 2021 22:24:19 +1100
Subject: [PATCH] Initialize coordinates to zero
Conflict:NA
Reference:https://github.com/python-pillow/Pillow/pull/5920/commits/1e092419b6806495c683043ab3feb6ce264f3b9c
---
Tests/test_imagepath.py | 1 +
src/path.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
index 0835fdb..cd850bb 100644
--- a/Tests/test_imagepath.py
+++ b/Tests/test_imagepath.py
@@ -90,6 +90,7 @@ def test_path_odd_number_of_coordinates():
[
([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)),
([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)),
+ (1, (0.0, 0.0, 0.0, 0.0)),
],
)
def test_getbbox(coords, expected):
diff --git a/src/path.c b/src/path.c
index 62e7e15..60def3f 100644
--- a/src/path.c
+++ b/src/path.c
@@ -58,7 +58,7 @@ alloc_array(Py_ssize_t count)
if ((unsigned long long)count > (SIZE_MAX / (2 * sizeof(double))) - 1 ) {
return ImagingError_MemoryError();
}
- xy = malloc(2 * count * sizeof(double) + 1);
+ xy = calloc(2 * count * sizeof(double) + 1, sizeof(double));
if (!xy) {
ImagingError_MemoryError();
}
--
2.27.0

56
backport-0001-CVE-2022-22817.patch Normal file
View File

@ -0,0 +1,56 @@
From 8531b01d6cdf0b70f256f93092caa2a5d91afc11 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sun, 2 Jan 2022 17:23:49 +1100
Subject: [PATCH] Restrict builtins for ImageMath.eval
Conflict:NA
Reference:https://github.com/python-pillow/Pillow/pull/5923/commits/8531b01d6cdf0b70f256f93092caa2a5d91afc11
---
Tests/test_imagemath.py | 7 +++++++
src/PIL/ImageMath.py | 7 ++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
index 2398067..8e87339 100644
--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
@@ -1,3 +1,5 @@
+import pytest
+
from PIL import Image, ImageMath
@@ -50,6 +52,11 @@ def test_ops():
assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
+def test_prevent_exec():
+ with pytest.raises(ValueError):
+ ImageMath.eval("exec('pass')")
+
+
def test_logical():
assert pixel(ImageMath.eval("not A", images)) == 0
assert pixel(ImageMath.eval("A and B", images)) == "L 2"
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index 7f9c88e..06bea80 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@@ -246,7 +246,12 @@ def eval(expression, _dict={}, **kw):
if hasattr(v, "im"):
args[k] = _Operand(v)
- out = builtins.eval(expression, args)
+ code = compile(expression, "<string>", "eval")
+ for name in code.co_names:
+ if name not in args and name != "abs":
+ raise ValueError(f"'{name}' not allowed")
+
+ out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
try:
return out.im
except AttributeError:
--
2.27.0

73
backport-0002-CVE-2022-22815-CVE-2022-22816.patch Normal file
View File

@ -0,0 +1,73 @@
From c48271ab354db49cdbd740bc45e13be4f0f7993c Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Mon, 6 Dec 2021 22:25:14 +1100
Subject: [PATCH] Handle case where path count is zero
Conflict:NA
Reference:https://github.com/python-pillow/Pillow/pull/5920/commits/c48271ab354db49cdbd740bc45e13be4f0f7993c
---
Tests/test_imagepath.py | 1 +
src/path.c | 33 +++++++++++++++++++--------------
2 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
index cd850bb..b18271c 100644
--- a/Tests/test_imagepath.py
+++ b/Tests/test_imagepath.py
@@ -90,6 +90,7 @@ def test_path_odd_number_of_coordinates():
[
([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)),
([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)),
+ (0, (0.0, 0.0, 0.0, 0.0)),
(1, (0.0, 0.0, 0.0, 0.0)),
],
)
diff --git a/src/path.c b/src/path.c
index 60def3f..a2637b6 100644
--- a/src/path.c
+++ b/src/path.c
@@ -338,21 +338,26 @@ path_getbbox(PyPathObject* self, PyObject* args)
xy = self->xy;
- x0 = x1 = xy[0];
- y0 = y1 = xy[1];
+ if (self->count == 0) {
+ x0 = x1 = 0;
+ y0 = y1 = 0;
+ } else {
+ x0 = x1 = xy[0];
+ y0 = y1 = xy[1];
- for (i = 1; i < self->count; i++) {
- if (xy[i+i] < x0) {
- x0 = xy[i+i];
- }
- if (xy[i+i] > x1) {
- x1 = xy[i+i];
- }
- if (xy[i+i+1] < y0) {
- y0 = xy[i+i+1];
- }
- if (xy[i+i+1] > y1) {
- y1 = xy[i+i+1];
+ for (i = 1; i < self->count; i++) {
+ if (xy[i + i] < x0) {
+ x0 = xy[i + i];
+ }
+ if (xy[i + i] > x1) {
+ x1 = xy[i + i];
+ }
+ if (xy[i + i + 1] < y0) {
+ y0 = xy[i + i + 1];
+ }
+ if (xy[i + i + 1] > y1) {
+ y1 = xy[i + i + 1];
+ }
}
}
--
2.27.0

47
backport-0002-CVE-2022-22817.patch Normal file
View File

@ -0,0 +1,47 @@
From 6790f1869a357b7da1d7bae006d32e14821fea5d Mon Sep 17 00:00:00 2001
From: Felipe Rosa de Almeida <feliperalmeida@users.noreply.github.com>
Date: Sun, 16 Jan 2022 19:11:21 -0300
Subject: [PATCH] Forbid lambda expressions in ImageMath.eval()
Conflict:NA
Reference:https://github.com/python-pillow/Pillow/pull/5963/commits/6790f1869a357b7da1d7bae006d32e14821fea5d
---
Tests/test_imagemath.py | 5 +++--
src/PIL/ImageMath.py | 3 +++
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
index 8e87339..7bce9e9 100644
--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
@@ -52,9 +52,10 @@ def test_ops():
assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
-def test_prevent_exec():
+@pytest.mark.parametrize("expression", ("exec('pass')", "(lambda: None)()"))
+def test_prevent_exec(expression):
with pytest.raises(ValueError):
- ImageMath.eval("exec('pass')")
+ ImageMath.eval(expression)
def test_logical():
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index 06bea80..64f9c5c 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@@ -250,6 +250,9 @@ def eval(expression, _dict={}, **kw):
for name in code.co_names:
if name not in args and name != "abs":
raise ValueError(f"'{name}' not allowed")
+ for const in code.co_consts:
+ if getattr(const, "co_name", None) == "<lambda>":
+ raise ValueError("Lambda expressions are not allowed")
out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
try:
--
2.27.0

28
backport-0003-CVE-2022-22815-CVE-2022-22816.patch Normal file
View File

@ -0,0 +1,28 @@
From fe32501922ef5e1be9a7d307132719bd5d52ca35 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Fri, 14 Jan 2022 10:16:35 +1100
Subject: [PATCH] Corrected allocation
Conflict:NA
Reference:https://github.com/python-pillow/Pillow/pull/5958/commits/fe32501922ef5e1be9a7d307132719bd5d52ca35
---
src/path.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/path.c b/src/path.c
index a2637b6..d63ae40 100644
--- a/src/path.c
+++ b/src/path.c
@@ -58,7 +58,7 @@ alloc_array(Py_ssize_t count)
if ((unsigned long long)count > (SIZE_MAX / (2 * sizeof(double))) - 1 ) {
return ImagingError_MemoryError();
}
- xy = calloc(2 * count * sizeof(double) + 1, sizeof(double));
+ xy = calloc(2 * count + 1, sizeof(double));
if (!xy) {
ImagingError_MemoryError();
}
--
2.27.0

13
python-pillow.spec
View File

@ -5,7 +5,7 @@
Name: python-pillow Name: python-pillow
Version: 8.1.2 Version: 8.1.2
Release: 3 Release: 4
Summary: Python image processing library Summary: Python image processing library
License: MIT License: MIT
URL: http://python-pillow.github.io/ URL: http://python-pillow.github.io/
@ -29,6 +29,11 @@ Patch6011: backport-0001-CVE-2021-34552.patch
Patch6012: backport-0002-CVE-2021-34552.patch Patch6012: backport-0002-CVE-2021-34552.patch
Patch6013: backport-Updated-default-value-for-SAMPLESPERPIXEL-tag.patch Patch6013: backport-Updated-default-value-for-SAMPLESPERPIXEL-tag.patch
Patch6014: backport-CVE-2021-23437.patch Patch6014: backport-CVE-2021-23437.patch
Patch6015: backport-0001-CVE-2022-22815-CVE-2022-22816.patch
Patch6016: backport-0002-CVE-2022-22815-CVE-2022-22816.patch
Patch6017: backport-0003-CVE-2022-22815-CVE-2022-22816.patch
Patch6018: backport-0001-CVE-2022-22817.patch
Patch6019: backport-0002-CVE-2022-22817.patch
Patch9000: backport-disable-test-sanity.patch Patch9000: backport-disable-test-sanity.patch
@ -165,6 +170,12 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
%{python3_sitearch}/PIL/__pycache__/ImageQt* %{python3_sitearch}/PIL/__pycache__/ImageQt*
%changelog %changelog
* Wed Feb 9 2022 yangcheng <yangcheng1203@163.com> - 8.1.2-4
- Type:CVE
- CVE:CVE-2022-22815,CVE-2022-22816,CVE-2022-22817
- SUG:NA
- DESC:fix CVE-2022-22815,CVE-2022-22816,CVE-2022-22817
* Mon Sep 27 2021 luoyang <luoyang42@huawei.com> - 8.1.2-3 * Mon Sep 27 2021 luoyang <luoyang42@huawei.com> - 8.1.2-3
- fix CVE-2021-23437 - fix CVE-2021-23437