CaROS/meta-openembedded
3
1
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-01-01 13:58:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
c74ebbddfd
meta-openembedded/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch
Vijay Anusuri c74ebbddfd python3-pillow: Fix for CVE-2023-50447 
Upstream-Status: Backport
[45c726fd4d
&
0ca3c33c59
&
557ba59d13]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-03-03 16:38:27 -05:00

32 lines
985 B
Diff
Raw Blame History

From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Fri, 27 Oct 2023 11:21:18 +0200
Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
ImageMath.eval
Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a]
CVE: CVE-2023-50447
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
src/PIL/ImageMath.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index 392151c10..4cea3855e 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@@ -261,6 +261,10 @@ def eval(expression, _dict={}, **kw):
args.update(_dict)
args.update(kw)
for k, v in list(args.items()):
+ if '__' in k or hasattr(__builtins__, k):
+ msg = f"'{k}' not allowed"
+ raise ValueError(msg)
+
if hasattr(v, "im"):
args[k] = _Operand(v)
--
2.25.1
Reference in New Issue View Git Blame Copy Permalink