fix CVE-2022-24303

dongyuzhen 2022-02-17 17:28:15 +08:00
parent 4b6e49caee
commit 7a2df100fa
6 changed files with 510 additions and 1 deletions


@ -0,0 +1,53 @@
From 5cca90a37ce005498c80f4717ba67c5d8f45c540 Mon Sep 17 00:00:00 2001
From: mihail <mihail@shinder.ml>
Date: Mon, 20 Dec 2021 12:08:31 +0300
Subject: [PATCH] Add: XDGViewer which uses xdg-open
Synopsis
xdg-open { file | URL }
xdg-open { --help | --manual | --version }
Use 'man xdg-open' or 'xdg-open --manual' for additional info.
Conflict:NA
Reference:https://github.com/python-pillow/Pillow/commit/5cca90a37ce005498c80f4717ba67c5d8f45c540
---
src/PIL/ImageShow.py | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py
index 1ada825..137135e 100644
--- a/src/PIL/ImageShow.py
+++ b/src/PIL/ImageShow.py
@@ -186,6 +186,16 @@ class UnixViewer(Viewer):
os.remove(path)
return 1
+class XDGViewer(UnixViewer):
+ """
+ The freedesktop.org ``xdg-open`` command.
+ """
+
+ def get_command_ex(self, file, **options):
+ command = executable = "xdg-open"
+ return command, executable
+
+
class DisplayViewer(UnixViewer):
"""The ImageMagick ``display`` command."""
@@ -219,6 +229,8 @@ class XVViewer(UnixViewer):
if sys.platform not in ("win32", "darwin"): # unixoids
+ if shutil.which("xdg-open"):
+ register(XDGViewer)
if shutil.which("display"):
register(DisplayViewer)
if shutil.which("eog"):
--
2.27.0
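Review bot: Registering `XDGViewer` ahead of `display`, `eog` and `xv` in the `if sys.platform not in ("win32", "darwin")` block probably changes which viewer is tried first on any host that has `xdg-open`, assuming `register()` keeps call order. That is a behaviour change riding along with a CVE backport and should be stated in the patch header or the changelog. `get_command_ex` has no docstring; I would add `"""Return the ``xdg-open`` command and executable name; ``file`` and ``options`` are not used."""`. At this point in the series the class still inherits `UnixViewer.show_file`, whose body starts outside this hunk.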


@ -0,0 +1,142 @@
From 86944abbabad62e53e644bd7375b9a56d66c1675 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sat, 15 Jan 2022 16:08:37 +1100
Subject: [PATCH] Deprecated show_file "file" argument in favour of "path"
Conflict:NA
Reference:https://github.com/python-pillow/Pillow/commit/86944abbabad62e53e644bd7375b9a56d66c1675
---
Tests/test_imageshow.py | 15 +++++++++++
src/PIL/ImageShow.py | 59 +++++++++++++++++++++++++++++++----------
2 files changed, 60 insertions(+), 14 deletions(-)
diff --git a/Tests/test_imageshow.py b/Tests/test_imageshow.py
index 78e80f5..f79a531 100644
--- a/Tests/test_imageshow.py
+++ b/Tests/test_imageshow.py
@@ -63,3 +63,18 @@ def test_viewer():
def test_viewers():
for viewer in ImageShow._viewers:
viewer.get_command("test.jpg")
+
+
+@pytest.mark.skipif(
+ not on_ci() or is_win32(),
+ reason="Only run on CIs; hangs on Windows CIs",
+)
+def test_file_deprecated():
+ for viewer in ImageShow._viewers:
+ with pytest.warns(DeprecationWarning):
+ try:
+ viewer.show_file(file="test.jpg")
+ except NotImplementedError:
+ pass
+ with pytest.raises(TypeError):
+ viewer.show_file()
diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py
index 137135e..b3b9a5b 100644
--- a/src/PIL/ImageShow.py
+++ b/src/PIL/ImageShow.py
@@ -16,6 +16,7 @@ import shutil
import subprocess
import sys
import tempfile
+import warnings
from shlex import quote
from PIL import Image
@@ -106,9 +107,19 @@ class Viewer:
"""Display the given image."""
return self.show_file(self.save_image(image), **options)
- def show_file(self, file, **options):
- """Display the given file."""
- os.system(self.get_command(file, **options))
+ def show_file(self, path=None, **options):
+ """Display given file."""
+ if path is None:
+ if "file" in options:
+ warnings.warn(
+ "The 'file' argument is deprecated and will be removed in Pillow "
+ "10 (2023-07-01). Use 'path' instead.",
+ DeprecationWarning,
+ )
+ path = options.pop("file")
+ else:
+ raise TypeError("Missing required argument: 'path'")
+ os.system(self.get_command(path, **options))
return 1
@@ -146,18 +157,28 @@ class MacViewer(Viewer):
command = f"({command} {quote(file)}; sleep 20; rm -f {quote(file)})&"
return command
- def show_file(self, file, **options):
+ def show_file(self, path=None, **options):
"""Display given file"""
- fd, path = tempfile.mkstemp()
+ if path is None:
+ if "file" in options:
+ warnings.warn(
+ "The 'file' argument is deprecated and will be removed in Pillow "
+ "10 (2023-07-01). Use 'path' instead.",
+ DeprecationWarning,
+ )
+ path = options.pop("file")
+ else:
+ raise TypeError("Missing required argument: 'path'")
+ fd, temp_path = tempfile.mkstemp()
with os.fdopen(fd, "w") as f:
- f.write(file)
- with open(path) as f:
+ f.write(path)
+ with open(temp_path) as f:
subprocess.Popen(
["im=$(cat); open -a Preview.app $im; sleep 20; rm -f $im"],
shell=True,
stdin=f,
)
- os.remove(path)
+ os.remove(temp_path)
return 1
@@ -173,17 +194,27 @@ class UnixViewer(Viewer):
command = self.get_command_ex(file, **options)[0]
return f"({command} {quote(file)}; rm -f {quote(file)})&"
- def show_file(self, file, **options):
+ def show_file(self, path=None, **options):
"""Display given file"""
- fd, path = tempfile.mkstemp()
+ if path is None:
+ if "file" in options:
+ warnings.warn(
+ "The 'file' argument is deprecated and will be removed in Pillow "
+ "10 (2023-07-01). Use 'path' instead.",
+ DeprecationWarning,
+ )
+ path = options.pop("file")
+ else:
+ raise TypeError("Missing required argument: 'path'")
+ fd, temp_path = tempfile.mkstemp()
with os.fdopen(fd, "w") as f:
- f.write(file)
- with open(path) as f:
- command = self.get_command_ex(file, **options)[0]
+ f.write(path)
+ with open(temp_path) as f:
+ command = self.get_command_ex(path, **options)[0]
subprocess.Popen(
["im=$(cat);" + command + " $im; rm -f $im"], shell=True, stdin=f
)
- os.remove(path)
+ os.remove(temp_path)
return 1
class XDGViewer(UnixViewer):
--
2.27.0
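Review bot: The `warnings.warn(...)` calls added to `Viewer.show_file`, `MacViewer.show_file` and `UnixViewer.show_file` pass no `stacklevel`, so the DeprecationWarning is attributed to ImageShow.py instead of the caller that still passes `file=`. Adding `stacklevel=2` would point it at the caller. The same `if path is None:` block is pasted into all three methods and could be one private helper on `Viewer` that returns the resolved path. After this patch the Mac and Unix variants still expand `$im` unquoted under `shell=True`, so this patch only prepares the rename and does not by itself address the CVE.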


@ -0,0 +1,215 @@
From 8da80130dbc747f3954b4904247d26289fe722f9 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Mon, 17 Jan 2022 08:59:17 +1100
Subject: [PATCH] In show_file, use os.remove to remove temporary images
Conflict:NA
Reference:https://github.com/python-pillow/Pillow/pull/6010/commits/8da80130dbc747f3954b4904247d26289fe722f9
---
Tests/test_imageshow.py | 6 +-
src/PIL/ImageShow.py | 124 ++++++++++++++++++++++++++++++----------
2 files changed, 98 insertions(+), 32 deletions(-)
diff --git a/Tests/test_imageshow.py b/Tests/test_imageshow.py
index f79a531..5983ebf 100644
--- a/Tests/test_imageshow.py
+++ b/Tests/test_imageshow.py
@@ -69,11 +69,13 @@ def test_viewers():
not on_ci() or is_win32(),
reason="Only run on CIs; hangs on Windows CIs",
)
-def test_file_deprecated():
+def test_file_deprecated(tmp_path):
+ f = str(tmp_path / "temp.jpg")
for viewer in ImageShow._viewers:
+ hopper().save(f)
with pytest.warns(DeprecationWarning):
try:
- viewer.show_file(file="test.jpg")
+ viewer.show_file(file=f)
except NotImplementedError:
pass
with pytest.raises(TypeError):
diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py
index b3b9a5b..e4eb2f8 100644
--- a/src/PIL/ImageShow.py
+++ b/src/PIL/ImageShow.py
@@ -15,7 +15,6 @@ import os
import shutil
import subprocess
import sys
-import tempfile
import warnings
from shlex import quote
@@ -169,16 +168,15 @@ class MacViewer(Viewer):
path = options.pop("file")
else:
raise TypeError("Missing required argument: 'path'")
- fd, temp_path = tempfile.mkstemp()
- with os.fdopen(fd, "w") as f:
- f.write(path)
- with open(temp_path) as f:
- subprocess.Popen(
- ["im=$(cat); open -a Preview.app $im; sleep 20; rm -f $im"],
- shell=True,
- stdin=f,
- )
- os.remove(temp_path)
+ subprocess.call(["open", "-a", "Preview.app", path])
+ subprocess.Popen(
+ [
+ sys.executable,
+ "-c",
+ "import os, sys, time;time.sleep(20);os.remove(sys.argv[1])",
+ path,
+ ]
+ )
return 1
@@ -194,6 +192,16 @@ class UnixViewer(Viewer):
command = self.get_command_ex(file, **options)[0]
return f"({command} {quote(file)}; rm -f {quote(file)})&"
+
+class XDGViewer(UnixViewer):
+ """
+ The freedesktop.org ``xdg-open`` command.
+ """
+
+ def get_command_ex(self, file, **options):
+ command = executable = "xdg-open"
+ return command, executable
+
def show_file(self, path=None, **options):
"""Display given file"""
if path is None:
@@ -206,27 +214,10 @@ class UnixViewer(Viewer):
path = options.pop("file")
else:
raise TypeError("Missing required argument: 'path'")
- fd, temp_path = tempfile.mkstemp()
- with os.fdopen(fd, "w") as f:
- f.write(path)
- with open(temp_path) as f:
- command = self.get_command_ex(path, **options)[0]
- subprocess.Popen(
- ["im=$(cat);" + command + " $im; rm -f $im"], shell=True, stdin=f
- )
- os.remove(temp_path)
+ subprocess.Popen(["xdg-open", path])
+ os.remove(path)
return 1
-class XDGViewer(UnixViewer):
- """
- The freedesktop.org ``xdg-open`` command.
- """
-
- def get_command_ex(self, file, **options):
- command = executable = "xdg-open"
- return command, executable
-
-
class DisplayViewer(UnixViewer):
"""The ImageMagick ``display`` command."""
@@ -235,6 +226,32 @@ class DisplayViewer(UnixViewer):
command = executable = "display"
return command, executable
+ def show_file(self, path=None, **options):
+ """
+ Display given file.
+
+ Before Pillow 9.1.0, the first argument was ``file``. This is now deprecated,
+ and ``path`` should be used instead.
+ """
+ if path is None:
+ if "file" in options:
+ warnings.warn(
+ "The 'file' argument is deprecated and will be removed in Pillow "
+ "10 (2023-07-01). Use 'path' instead.",
+ DeprecationWarning,
+ )
+ path = options.pop("file")
+ else:
+ raise TypeError("Missing required argument: 'path'")
+ args = ["display"]
+ if "title" in options:
+ args += ["-name", options["title"]]
+ args.append(path)
+
+ subprocess.Popen(args)
+ os.remove(path)
+ return 1
+
class EogViewer(UnixViewer):
"""The GNOME Image Viewer ``eog`` command."""
@@ -243,6 +260,27 @@ class EogViewer(UnixViewer):
command = executable = "eog"
return command, executable
+ def show_file(self, path=None, **options):
+ """
+ Display given file.
+
+ Before Pillow 9.1.0, the first argument was ``file``. This is now deprecated,
+ and ``path`` should be used instead.
+ """
+ if path is None:
+ if "file" in options:
+ warnings.warn(
+ "The 'file' argument is deprecated and will be removed in Pillow "
+ "10 (2023-07-01). Use 'path' instead.",
+ DeprecationWarning,
+ )
+ path = options.pop("file")
+ else:
+ raise TypeError("Missing required argument: 'path'")
+ subprocess.Popen(["eog", "-n", path])
+ os.remove(path)
+ return 1
+
class XVViewer(UnixViewer):
"""
@@ -258,6 +296,32 @@ class XVViewer(UnixViewer):
command += f" -name {quote(title)}"
return command, executable
+ def show_file(self, path=None, **options):
+ """
+ Display given file.
+
+ Before Pillow 9.1.0, the first argument was ``file``. This is now deprecated,
+ and ``path`` should be used instead.
+ """
+ if path is None:
+ if "file" in options:
+ warnings.warn(
+ "The 'file' argument is deprecated and will be removed in Pillow "
+ "10 (2023-07-01). Use 'path' instead.",
+ DeprecationWarning,
+ )
+ path = options.pop("file")
+ else:
+ raise TypeError("Missing required argument: 'path'")
+ args = ["xv"]
+ if "title" in options:
+ args += ["-name", options["title"]]
+ args.append(path)
+
+ subprocess.Popen(args)
+ os.remove(path)
+ return 1
+
if sys.platform not in ("win32", "darwin"): # unixoids
if shutil.which("xdg-open"):
--
2.27.0
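Review bot: In the new `DisplayViewer.show_file`, `EogViewer.show_file` and `XVViewer.show_file`, and in `XDGViewer.show_file`, `os.remove(path)` runs as soon as `subprocess.Popen(...)` returns. `Popen` does not wait for the viewer, so the image can be unlinked before it is read. Only the xdg-open variant is switched to a delayed removal later in this series; the other three should get the same treatment, which with that later helper is `self._remove_path_after_delay(path)`. Separately, `path` and `options["title"]` are placed in argv unchecked, so a value beginning with `-` would presumably be parsed by the viewer as an option; passing `os.path.abspath(path)` would rule that out for the path.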


@ -0,0 +1,30 @@
From 143032103c9f2d55a0a7960bd3e630cb72549e8a Mon Sep 17 00:00:00 2001
From: Andrew Murray <3112309+radarhere@users.noreply.github.com>
Date: Tue, 18 Jan 2022 11:24:01 +1100
Subject: [PATCH] Updated formatting
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Conflict:NA
Reference:https://github.com/python-pillow/Pillow/pull/6010/commits/143032103c9f2d55a0a7960bd3e630cb72549e8a
---
src/PIL/ImageShow.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py
index e4eb2f8..429f9bd 100644
--- a/src/PIL/ImageShow.py
+++ b/src/PIL/ImageShow.py
@@ -173,7 +173,7 @@ class MacViewer(Viewer):
[
sys.executable,
"-c",
- "import os, sys, time;time.sleep(20);os.remove(sys.argv[1])",
+ "import os, sys, time; time.sleep(20); os.remove(sys.argv[1])",
path,
]
)
--
2.27.0


@ -0,0 +1,61 @@
From 10c4f75aaa383bd9671e923e3b91d391ea12d781 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Thu, 3 Feb 2022 08:58:12 +1100
Subject: [PATCH] Added delay after opening image with xdg-open
Conflict:NA
Reference:https://github.com/python-pillow/Pillow/pull/6010/commits/10c4f75aaa383bd9671e923e3b91d391ea12d781
---
src/PIL/ImageShow.py | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py
index 429f9bd..312faad 100644
--- a/src/PIL/ImageShow.py
+++ b/src/PIL/ImageShow.py
@@ -121,6 +121,16 @@ class Viewer:
os.system(self.get_command(path, **options))
return 1
+ def _remove_path_after_delay(self, path):
+ subprocess.Popen(
+ [
+ sys.executable,
+ "-c",
+ "import os, sys, time; time.sleep(20); os.remove(sys.argv[1])",
+ path,
+ ]
+ )
+
# --------------------------------------------------------------------
@@ -169,14 +179,7 @@ class MacViewer(Viewer):
else:
raise TypeError("Missing required argument: 'path'")
subprocess.call(["open", "-a", "Preview.app", path])
- subprocess.Popen(
- [
- sys.executable,
- "-c",
- "import os, sys, time; time.sleep(20); os.remove(sys.argv[1])",
- path,
- ]
- )
+ self._remove_path_after_delay(path)
return 1
@@ -215,7 +218,7 @@ class XDGViewer(UnixViewer):
else:
raise TypeError("Missing required argument: 'path'")
subprocess.Popen(["xdg-open", path])
- os.remove(path)
+ self._remove_path_after_delay(path)
return 1
--
2.27.0
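Review bot: `_remove_path_after_delay` hands `sys.executable` to `subprocess.Popen` without checking it, and `sys.executable` can be an empty string or `None` when the interpreter is embedded. In that case the cleanup child does not start and the temporary image is left on disk. A guard such as `executable = sys.executable or shutil.which("python3")`, raising if neither is found, would make the failure explicit. The helper also lacks a docstring; I would add `"""Start a separate Python process that sleeps 20 seconds and then removes ``path``."""`. The returned `Popen` object is discarded, so the child is never waited on and any error from `os.remove` in it goes unnoticed.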


@ -5,7 +5,7 @@
Name: python-pillow
Version: 8.1.2
Release: 4
Release: 5
Summary: Python image processing library
License: MIT
URL: http://python-pillow.github.io/
@ -34,6 +34,11 @@ Patch6016: backport-0002-CVE-2022-22815-CVE-2022-22816.patch
Patch6017: backport-0003-CVE-2022-22815-CVE-2022-22816.patch
Patch6018: backport-0001-CVE-2022-22817.patch
Patch6019: backport-0002-CVE-2022-22817.patch
Patch6020: backport-0001-CVE-2022-24303.patch
Patch6021: backport-0002-CVE-2022-24303.patch
Patch6022: backport-0003-CVE-2022-24303.patch
Patch6023: backport-0004-CVE-2022-24303.patch
Patch6024: backport-0005-CVE-2022-24303.patch
Patch9000: backport-disable-test-sanity.patch
@ -170,6 +175,9 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
%{python3_sitearch}/PIL/__pycache__/ImageQt*
%changelog
* Thu Feb 17 2022 dongyuzhen <dongyuzhen@h-partners.com> - 8.1.2-5
- fix CVE-2022-24303
* Wed Feb 9 2022 yangcheng <yangcheng1203@163.com> - 8.1.2-4
- Type:CVE
- CVE:CVE-2022-22815,CVE-2022-22816,CVE-2022-22817