1 files changed, 31 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch
new file mode 100644
index 0000000000..f9e3c49505
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch
@@ -0,0 +1,31 @@
+From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Fri, 27 Oct 2023 11:21:18 +0200
+Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
+ ImageMath.eval
+Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a]
+CVE: CVE-2023-50447
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/PIL/ImageMath.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
+index 392151c10..4cea3855e 100644
+--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
+@@ -261,6 +261,10 @@ def eval(expression, _dict={}, **kw):
+     args.update(_dict)
+     args.update(kw)
+     for k, v in list(args.items()):
+        if '__' in k or hasattr(__builtins__, k):
+            msg = f"'{k}' not allowed"
+            raise ValueError(msg)
+
+         if hasattr(v, "im"):
+             args[k] = _Operand(v)
+ 
+-- 
+2.25.1

diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch new file mode 100644 index 0000000000..f9e3c49505 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch
@@ -0,0 +1,31 @@
	1	From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001
	2	From: Eric Soroos <eric-github@soroos.net>
	3	Date: Fri, 27 Oct 2023 11:21:18 +0200
	4	Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
	5	ImageMath.eval
	6
	7	Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a]
	8	CVE: CVE-2023-50447
	9	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	10	---
	11	src/PIL/ImageMath.py \| 4 ++++
	12	1 file changed, 4 insertions(+)
	13
	14	diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
	15	index 392151c10..4cea3855e 100644
	16	--- a/src/PIL/ImageMath.py
	17	+++ b/src/PIL/ImageMath.py
	18	@@ -261,6 +261,10 @@ def eval(expression, _dict={}, **kw):
	19	args.update(_dict)
	20	args.update(kw)
	21	for k, v in list(args.items()):
	22	+ if '__' in k or hasattr(__builtins__, k):
	23	+ msg = f"'{k}' not allowed"
	24	+ raise ValueError(msg)
	25	+
	26	if hasattr(v, "im"):
	27	args[k] = _Operand(v)
	28
	29	--
	30	2.25.1
	31