python3-pillow: Fix CVE-2021-23437

Backport an upstream fix since an uprev would include potentially-breaking functionality changes. Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-01-01 13:58:06 +00:00 · 2021-10-06 13:39:06 -04:00 · 2021-10-06 13:39:06 -04:00 · 406a405af2
commit 406a405af2
parent 3f8d565e39
2 changed files with 50 additions and 0 deletions
--- a/meta-python/recipes-devtools/python/python3-pillow/0001-Raise-ValueError-if-color-specifier-is-too-long.patch
+++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Raise-ValueError-if-color-specifier-is-too-long.patch
@ -0,0 +1,49 @@
+From 9e08eb8f78fdfd2f476e1b20b7cf38683754866b Mon Sep 17 00:00:00 2001
+From: Hugo van Kemenade <hugovk@users.noreply.github.com>
+Date: Mon, 23 Aug 2021 19:10:49 +0300
+Subject: [PATCH] Raise ValueError if color specifier is too long
+
+CVE: CVE-2021-23437
+
+Upstream-Status: Backport
+(https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b)
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ Tests/test_imagecolor.py | 9 +++++++++
+ src/PIL/ImageColor.py    | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/Tests/test_imagecolor.py b/Tests/test_imagecolor.py
+index b5d69379..dbe8b9e9 100644
+--- a/Tests/test_imagecolor.py
+++ b/Tests/test_imagecolor.py
+@@ -191,3 +191,12 @@ def test_rounding_errors():
+     assert (255, 255) == ImageColor.getcolor("white", "LA")
+     assert (163, 33) == ImageColor.getcolor("rgba(0, 255, 115, 33)", "LA")
+     Image.new("LA", (1, 1), "white")
+
+
+def test_color_too_long():
+    # Arrange
+    color_too_long = "hsl(" + "1" * 100 + ")"
+
+    # Act / Assert
+    with pytest.raises(ValueError):
+        ImageColor.getrgb(color_too_long)
+diff --git a/src/PIL/ImageColor.py b/src/PIL/ImageColor.py
+index 51df4404..25f92f2c 100644
+--- a/src/PIL/ImageColor.py
+++ b/src/PIL/ImageColor.py
+@@ -32,6 +32,8 @@ def getrgb(color):
+     :param color: A color string
+     :return: ``(red, green, blue[, alpha])``
+     """
+    if len(color) > 100:
+        raise ValueError("color specifier is too long")
+     color = color.lower()
+ 
+     rgb = colormap.get(color, None)
+-- 
+2.33.0
+
--- a/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb
+++ b/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb
@ -10,6 +10,7 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=8.2.x \
           file://0001-explicitly-set-compile-options.patch \
           file://0001-Limit-sprintf-modes-to-10-characters.patch \
           file://0001-Use-snprintf-instead-of-sprintf.patch \
+           file://0001-Raise-ValueError-if-color-specifier-is-too-long.patch \
 "
 SRCREV ?= "e0e353c0ef7516979a9aedce3792596649ce4433"