python3-pillow: Fix CVE-2021-23437

Backport an upstream fix since an uprev would include
potentially-breaking functionality changes.

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2 files changed, 50 insertions, 0 deletions

diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-Raise-ValueError-if-color-specifier-is-too-long.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-Raise-ValueError-if-color-specifier-is-too-long.patch
new file mode 100644
index 0000000000..91e16f5415
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Raise-ValueError-if-color-specifier-is-too-long.patch
@@ -0,0 +1,49 @@
+From 9e08eb8f78fdfd2f476e1b20b7cf38683754866b Mon Sep 17 00:00:00 2001
+From: Hugo van Kemenade <hugovk@users.noreply.github.com>
+Date: Mon, 23 Aug 2021 19:10:49 +0300
+Subject: [PATCH] Raise ValueError if color specifier is too long
+
+CVE: CVE-2021-23437
+
+Upstream-Status: Backport
+(https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b)
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ Tests/test_imagecolor.py | 9 +++++++++
+ src/PIL/ImageColor.py    | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/Tests/test_imagecolor.py b/Tests/test_imagecolor.py
+index b5d69379..dbe8b9e9 100644
+--- a/Tests/test_imagecolor.py
++++ b/Tests/test_imagecolor.py
+@@ -191,3 +191,12 @@ def test_rounding_errors():
+     assert (255, 255) == ImageColor.getcolor("white", "LA")
+     assert (163, 33) == ImageColor.getcolor("rgba(0, 255, 115, 33)", "LA")
+     Image.new("LA", (1, 1), "white")
++
++
++def test_color_too_long():
++    # Arrange
++    color_too_long = "hsl(" + "1" * 100 + ")"
++
++    # Act / Assert
++    with pytest.raises(ValueError):
++        ImageColor.getrgb(color_too_long)
+diff --git a/src/PIL/ImageColor.py b/src/PIL/ImageColor.py
+index 51df4404..25f92f2c 100644
+--- a/src/PIL/ImageColor.py
++++ b/src/PIL/ImageColor.py
+@@ -32,6 +32,8 @@ def getrgb(color):
+     :param color: A color string
+     :return: ``(red, green, blue[, alpha])``
+     """
++    if len(color) > 100:
++        raise ValueError("color specifier is too long")
+     color = color.lower()
+ 
+     rgb = colormap.get(color, None)
+-- 
+2.33.0
+
diff --git a/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb b/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb
index 40745bb763..8b3a2996f4 100644
--- a/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb
+++ b/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb
@@ -10,6 +10,7 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=8.2.x \
            file://0001-explicitly-set-compile-options.patch \
            file://0001-Limit-sprintf-modes-to-10-characters.patch \
            file://0001-Use-snprintf-instead-of-sprintf.patch \
+           file://0001-Raise-ValueError-if-color-specifier-is-too-long.patch \
 "
 SRCREV ?= "e0e353c0ef7516979a9aedce3792596649ce4433"