authorptrcnull <git@ptrcnull.me>2022-02-27 13:56:06 +0100
committerKevin Daudt <kdaudt@alpinelinux.org>2022-03-02 21:34:14 +0000
commit25bd02cc147975c28a6b9611043167f8efb7562b (patch)
tree74f9a3e5115e9303d97cb3f78e2f90e24fd32d73
parenta89783c34b9c5169b435b70058fcd610e68f705d (diff)
main/py3-pillow: mitigate CVE-2022-22817, CVE-2022-24303
This includes an additional fix for CVE-2022-22817, as it wasn't fixed properly.
-rw-r--r--main/py3-pillow/APKBUILD10
-rw-r--r--main/py3-pillow/CVE-2022-22817-2.patch62
-rw-r--r--main/py3-pillow/CVE-2022-24303.patch338
3 files changed, 408 insertions, 2 deletions
diff --git a/main/py3-pillow/APKBUILD b/main/py3-pillow/APKBUILD
index a3f6606970..f643594aba 100644
--- a/main/py3-pillow/APKBUILD
+++ b/main/py3-pillow/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
pkgname=py3-pillow
pkgver=8.4.0
-pkgrel=2
+pkgrel=3
pkgdesc="Python Imaging Library"
options="!check"
url="https://python-pillow.org/"
@@ -14,6 +14,8 @@ checkdepends="py3-pytest py3-numpy"
source="https://files.pythonhosted.org/packages/source/P/Pillow/Pillow-$pkgver.tar.gz
CVE-2022-22815-22816.patch
CVE-2022-22817.patch
+ CVE-2022-22817-2.patch
+ CVE-2022-24303.patch
"
builddir="$srcdir/Pillow-$pkgver"
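Review bot: The source list now carries both `CVE-2022-22817.patch` and `CVE-2022-22817-2.patch`, but nothing in the APKBUILD records why two patches exist for one CVE, and the secfixes hunk below drops the CVE from the 8.4.0-r2 entry without explanation. Moving the entry to r3 is the right call given the incomplete first fix, but a reader of the APKBUILD alone cannot tell that. A one-line comment beside the new source entry, `# CVE-2022-22817.patch alone was incomplete (lambda bodies were not scanned); -2 completes it`, would keep that rationale next to the patch it applies to rather than only in the commit message.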
@@ -21,10 +23,12 @@ provides="py-pillow=$pkgver-r$pkgrel" # backwards compatibility
replaces="py-pillow" # backwards compatiblity
# secfixes:
+# 8.4.0-r3:
+# - CVE-2022-22817
+# - CVE-2022-24303
# 8.4.0-r2:
# - CVE-2022-22815
# - CVE-2022-22816
-# - CVE-2022-22817
# 8.4.0-r0:
# - CVE-2021-23437
# 8.3.0-r0:
@@ -75,4 +79,6 @@ sha512sums="
ca59f5fc7e4a6dc150d52dfec297ac01b0ecdf46aebb785eda53228d25c427ad98185332cac84a947fca85a71dac4731f33df4d18c3529431b02f159d819fd9f Pillow-8.4.0.tar.gz
3891369d4c57b709fc0b758b03490eaec4731c62de0c941135182d3c902e6e748ba90fc5abc20b9c8909484c487b44e5dd019e39f35b4dba99d40e95fff2e18d CVE-2022-22815-22816.patch
0dc4ff93ddc401405b641d497901a2e9421aac0b785d4a81889fd999f21ebd8815562dd39d81894af6601c75f0ea3abf27212e9837f56026cc1a35271c02837e CVE-2022-22817.patch
+b7a077440ea9c67c713fc989fdadb4af3e03b036be24a14512e90d8771c9f48ae6c63ab7077de227561b38b87335c9f23e3018c9e61add087243b07d96f5b11f CVE-2022-22817-2.patch
+56e3f9f845fb237479b41f8f0f9b0af3e297879d4ffb5c898d257a951e06d87b24f5847f0048e6d7f8ce2b6967fae6c88065550ea3113686640df28c4ee6aeab CVE-2022-24303.patch
"
diff --git a/main/py3-pillow/CVE-2022-22817-2.patch b/main/py3-pillow/CVE-2022-22817-2.patch
new file mode 100644
index 0000000000..dda2b62475
--- /dev/null
+++ b/main/py3-pillow/CVE-2022-22817-2.patch
@@ -0,0 +1,62 @@
+Patch-Source: https://github.com/python-pillow/Pillow/pull/6009
+From dd46100bdc7fbb6c2fb71008a49c40f081eb0c7c Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Mon, 10 Jan 2022 21:49:55 +1100
+Subject: [PATCH] Restrict builtins within lambdas for ImageMath.eval
+
+---
+ Tests/test_imagemath.py | 12 ++++++++++--
+ src/PIL/ImageMath.py | 15 +++++++++++----
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
+index 25811aa89d..39d91eadea 100644
+--- a/Tests/test_imagemath.py
++++ b/Tests/test_imagemath.py
+@@ -52,9 +52,17 @@ def test_ops():
+ assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
+
+
+-def test_prevent_exec():
++@pytest.mark.parametrize(
++ "expression",
++ (
++ "exec('pass')",
++ "(lambda: exec('pass'))()",
++ "(lambda: (lambda: exec('pass'))())()",
++ ),
++)
++def test_prevent_exec(expression):
+ with pytest.raises(ValueError):
+- ImageMath.eval("exec('pass')")
++ ImageMath.eval(expression)
+
+
+ def test_logical():
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 4b6e4ccda3..09d9898d75 100644
+--- a/src/PIL/ImageMath.py
++++ b/src/PIL/ImageMath.py
+@@ -240,11 +240,18 @@ def eval(expression, _dict={}, **kw):
+ if hasattr(v, "im"):
+ args[k] = _Operand(v)
+
+- code = compile(expression, "<string>", "eval")
+- for name in code.co_names:
+- if name not in args and name != "abs":
+- raise ValueError(f"'{name}' not allowed")
++ compiled_code = compile(expression, "<string>", "eval")
+
++ def scan(code):
++ for const in code.co_consts:
++ if type(const) == type(compiled_code):
++ scan(const)
++
++ for name in code.co_names:
++ if name not in args and name != "abs":
++ raise ValueError(f"'{name}' not allowed")
++
++ scan(compiled_code)
+ out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
+ try:
+ return out.im
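Review bot: The globals passed to `builtins.eval` on the last context line use the key `"__builtins"`, which is not the `__builtins__` key the interpreter looks for; as far as I can tell Python therefore inserts the real builtins module into that namespace, so the intended restriction to `abs` has no effect and the recursive `co_names` scan is the only check keeping other names out. The one-line change `out = builtins.eval(expression, {"__builtins__": {"abs": abs}}, args)` would give the scan a second layer should it ever miss a case, and is worth carrying as an additional patch even though this file is vendored from upstream. In `scan`, `type(const) == type(compiled_code)` reads more clearly as `isinstance(const, type(compiled_code))`. The enclosing `eval` function starts and ends outside the hunk.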
diff --git a/main/py3-pillow/CVE-2022-24303.patch b/main/py3-pillow/CVE-2022-24303.patch
new file mode 100644
index 0000000000..c8fc5cad25
--- /dev/null
+++ b/main/py3-pillow/CVE-2022-24303.patch
@@ -0,0 +1,338 @@
+Patch-Source: https://github.com/python-pillow/Pillow/pull/6010
+From 8da80130dbc747f3954b4904247d26289fe722f9 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Mon, 17 Jan 2022 08:59:17 +1100
+Subject: [PATCH 1/3] In show_file, use os.remove to remove temporary images
+
+---
+diff --git a/Tests/test_imageshow.py b/Tests/test_imageshow.py
+index 5981e22c..bce3a277 100644
+--- a/Tests/test_imageshow.py
++++ b/Tests/test_imageshow.py
+@@ -79,3 +79,19 @@ def test_ipythonviewer():
+
+ im = hopper()
+ assert test_viewer.show(im) == 1
++
++@pytest.mark.skipif(
++ not on_ci() or is_win32(),
++ reason="Only run on CIs; hangs on Windows CIs",
++)
++def test_file_deprecated(tmp_path):
++ f = str(tmp_path / "temp.jpg")
++ for viewer in ImageShow._viewers:
++ hopper().save(f)
++ with pytest.warns(DeprecationWarning):
++ try:
++ viewer.show_file(file=f)
++ except NotImplementedError:
++ pass
++ with pytest.raises(TypeError):
++ viewer.show_file()
+diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py
+index 60c97542..724e4555 100644
+--- a/src/PIL/ImageShow.py
++++ b/src/PIL/ImageShow.py
+@@ -15,7 +15,7 @@ import os
+ import shutil
+ import subprocess
+ import sys
+-import tempfile
++import warnings
+ from shlex import quote
+
+ from PIL import Image
+@@ -145,18 +145,33 @@ class MacViewer(Viewer):
+ command = f"({command} {quote(file)}; sleep 20; rm -f {quote(file)})&"
+ return command
+
+- def show_file(self, file, **options):
+- """Display given file"""
+- fd, path = tempfile.mkstemp()
+- with os.fdopen(fd, "w") as f:
+- f.write(file)
+- with open(path) as f:
+- subprocess.Popen(
+- ["im=$(cat); open -a Preview.app $im; sleep 20; rm -f $im"],
+- shell=True,
+- stdin=f,
+- )
+- os.remove(path)
++ def show_file(self, path=None, **options):
++ """
++ Display given file.
++
++ Before Pillow 9.1.0, the first argument was ``file``. This is now deprecated,
++ and will be removed in Pillow 10.0.0 (2023-07-01). ``path`` should be used
++ instead.
++ """
++ if path is None:
++ if "file" in options:
++ warnings.warn(
++ "The 'file' argument is deprecated and will be removed in Pillow "
++ "10 (2023-07-01). Use 'path' instead.",
++ DeprecationWarning,
++ )
++ path = options.pop("file")
++ else:
++ raise TypeError("Missing required argument: 'path'")
++ subprocess.call(["open", "-a", "Preview.app", path])
++ subprocess.Popen(
++ [
++ sys.executable,
++ "-c",
++ "import os, sys, time;time.sleep(20);os.remove(sys.argv[1])",
++ path,
++ ]
++ )
+ return 1
+
+
+@@ -172,16 +187,35 @@ class UnixViewer(Viewer):
+ command = self.get_command_ex(file, **options)[0]
+ return f"({command} {quote(file)}; rm -f {quote(file)})&"
+
+- def show_file(self, file, **options):
+- """Display given file"""
+- fd, path = tempfile.mkstemp()
+- with os.fdopen(fd, "w") as f:
+- f.write(file)
+- with open(path) as f:
+- command = self.get_command_ex(file, **options)[0]
+- subprocess.Popen(
+- ["im=$(cat);" + command + " $im; rm -f $im"], shell=True, stdin=f
+- )
++
++class XDGViewer(UnixViewer):
++ """
++ The freedesktop.org ``xdg-open`` command.
++ """
++
++ def get_command_ex(self, file, **options):
++ command = executable = "xdg-open"
++ return command, executable
++
++ def show_file(self, path=None, **options):
++ """
++ Display given file.
++
++ Before Pillow 9.1.0, the first argument was ``file``. This is now deprecated,
++ and will be removed in Pillow 10.0.0 (2023-07-01). ``path`` should be used
++ instead.
++ """
++ if path is None:
++ if "file" in options:
++ warnings.warn(
++ "The 'file' argument is deprecated and will be removed in Pillow "
++ "10 (2023-07-01). Use 'path' instead.",
++ DeprecationWarning,
++ )
++ path = options.pop("file")
++ else:
++ raise TypeError("Missing required argument: 'path'")
++ subprocess.Popen(["xdg-open", path])
+ os.remove(path)
+ return 1
+
+@@ -193,6 +227,32 @@ class DisplayViewer(UnixViewer):
+ command = executable = "display"
+ return command, executable
+
++ def show_file(self, path=None, **options):
++ """
++ Display given file.
++
++ Before Pillow 9.1.0, the first argument was ``file``. This is now deprecated,
++ and ``path`` should be used instead.
++ """
++ if path is None:
++ if "file" in options:
++ warnings.warn(
++ "The 'file' argument is deprecated and will be removed in Pillow "
++ "10 (2023-07-01). Use 'path' instead.",
++ DeprecationWarning,
++ )
++ path = options.pop("file")
++ else:
++ raise TypeError("Missing required argument: 'path'")
++ args = ["display"]
++ if "title" in options:
++ args += ["-name", options["title"]]
++ args.append(path)
++
++ subprocess.Popen(args)
++ os.remove(path)
++ return 1
++
+
+ class GmDisplayViewer(UnixViewer):
+ """The GraphicsMagick ``gm display`` command."""
+@@ -202,6 +262,27 @@ class GmDisplayViewer(UnixViewer):
+ command = "gm display"
+ return command, executable
+
++ def show_file(self, path=None, **options):
++ """
++ Display given file.
++
++ Before Pillow 9.1.0, the first argument was ``file``. This is now deprecated,
++ and ``path`` should be used instead.
++ """
++ if path is None:
++ if "file" in options:
++ warnings.warn(
++ "The 'file' argument is deprecated and will be removed in Pillow "
++ "10 (2023-07-01). Use 'path' instead.",
++ DeprecationWarning,
++ )
++ path = options.pop("file")
++ else:
++ raise TypeError("Missing required argument: 'path'")
++ subprocess.Popen(["gm", "display", path])
++ os.remove(path)
++ return 1
++
+
+ class EogViewer(UnixViewer):
+ """The GNOME Image Viewer ``eog`` command."""
+@@ -211,6 +292,27 @@ class EogViewer(UnixViewer):
+ command = "eog -n"
+ return command, executable
+
++ def show_file(self, path=None, **options):
++ """
++ Display given file.
++
++ Before Pillow 9.1.0, the first argument was ``file``. This is now deprecated,
++ and ``path`` should be used instead.
++ """
++ if path is None:
++ if "file" in options:
++ warnings.warn(
++ "The 'file' argument is deprecated and will be removed in Pillow "
++ "10 (2023-07-01). Use 'path' instead.",
++ DeprecationWarning,
++ )
++ path = options.pop("file")
++ else:
++ raise TypeError("Missing required argument: 'path'")
++ subprocess.Popen(["eog", "-n", path])
++ os.remove(path)
++ return 1
++
+
+ class XVViewer(UnixViewer):
+ """
+@@ -226,6 +328,32 @@ class XVViewer(UnixViewer):
+ command += f" -name {quote(title)}"
+ return command, executable
+
++ def show_file(self, path=None, **options):
++ """
++ Display given file.
++
++ Before Pillow 9.1.0, the first argument was ``file``. This is now deprecated,
++ and ``path`` should be used instead.
++ """
++ if path is None:
++ if "file" in options:
++ warnings.warn(
++ "The 'file' argument is deprecated and will be removed in Pillow "
++ "10 (2023-07-01). Use 'path' instead.",
++ DeprecationWarning,
++ )
++ path = options.pop("file")
++ else:
++ raise TypeError("Missing required argument: 'path'")
++ args = ["xv"]
++ if "title" in options:
++ args += ["-name", options["title"]]
++ args.append(path)
++
++ subprocess.Popen(args)
++ os.remove(path)
++ return 1
++
+
+ if sys.platform not in ("win32", "darwin"): # unixoids
+ if shutil.which("display"):
+
+From 143032103c9f2d55a0a7960bd3e630cb72549e8a Mon Sep 17 00:00:00 2001
+From: Andrew Murray <3112309+radarhere@users.noreply.github.com>
+Date: Tue, 18 Jan 2022 11:24:01 +1100
+Subject: [PATCH 2/3] Updated formatting
+
+Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
+---
+ src/PIL/ImageShow.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py
+index 7212baa1cb..ccdb0b2a0e 100644
+--- a/src/PIL/ImageShow.py
++++ b/src/PIL/ImageShow.py
+@@ -184,7 +184,7 @@ def show_file(self, path=None, **options):
+ [
+ sys.executable,
+ "-c",
+- "import os, sys, time;time.sleep(20);os.remove(sys.argv[1])",
++ "import os, sys, time; time.sleep(20); os.remove(sys.argv[1])",
+ path,
+ ]
+ )
+
+From 10c4f75aaa383bd9671e923e3b91d391ea12d781 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Thu, 3 Feb 2022 08:58:12 +1100
+Subject: [PATCH 3/3] Added delay after opening image with xdg-open
+
+---
+ src/PIL/ImageShow.py | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/PIL/ImageShow.py b/src/PIL/ImageShow.py
+index ccdb0b2a0e..f8829fc21e 100644
+--- a/src/PIL/ImageShow.py
++++ b/src/PIL/ImageShow.py
+@@ -126,6 +126,16 @@ def show_file(self, path=None, **options):
+ os.system(self.get_command(path, **options))
+ return 1
+
++ def _remove_path_after_delay(self, path):
++ subprocess.Popen(
++ [
++ sys.executable,
++ "-c",
++ "import os, sys, time; time.sleep(20); os.remove(sys.argv[1])",
++ path,
++ ]
++ )
++
+
+ # --------------------------------------------------------------------
+
+@@ -180,14 +190,7 @@ def show_file(self, path=None, **options):
+ else:
+ raise TypeError("Missing required argument: 'path'")
+ subprocess.call(["open", "-a", "Preview.app", path])
+- subprocess.Popen(
+- [
+- sys.executable,
+- "-c",
+- "import os, sys, time; time.sleep(20); os.remove(sys.argv[1])",
+- path,
+- ]
+- )
++ self._remove_path_after_delay(path)
+ return 1
+
+
+@@ -232,7 +235,7 @@ def show_file(self, path=None, **options):
+ else:
+ raise TypeError("Missing required argument: 'path'")
+ subprocess.Popen(["xdg-open", path])
+- os.remove(path)
++ self._remove_path_after_delay(path)
+ return 1
+
+
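Review bot: In the new Unix viewers the temporary file is unlinked right after the viewer is spawned — `subprocess.Popen(args)` immediately followed by `os.remove(path)` in DisplayViewer, GmDisplayViewer, EogViewer and XVViewer — whereas patch 3/3 adds `_remove_path_after_delay` only for the Preview.app and xdg-open paths. Popen does not wait for the child to open its arguments, so a viewer that is slow to start may find the path already gone; if that was verified to work with these four viewers a short comment saying so would help, otherwise `self._remove_path_after_delay(path)` is the consistent choice. Separately, the backported docstrings say ``file`` was deprecated in Pillow 9.1.0, but this package is `pkgver=8.4.0`, so the deprecation actually lands in 8.4.0-r3; a one-line note at the top of the patch file stating that it is a backport of upstream PR 6010 would avoid that confusion. The `Viewer` and `UnixViewer` class bodies that these methods belong to start outside the hunk.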