python3Packages.pillow: add patches for CVE-2022-22815 CVE-2022-22816 CVE-2022-22817

risicle · Jonathan Ringer · commit 7f6df6405f7c · 2022-01-13T16:28:45.000-08:00
diff --git a/pkgs/development/python-modules/pillow/default.nix b/pkgs/development/python-modules/pillow/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, buildPythonPackage, fetchPypi, isPyPy, isPy3k
+{ lib, stdenv, buildPythonPackage, fetchPypi, isPyPy, isPy3k, fetchpatch
 , defusedxml, olefile, freetype, libjpeg, zlib, libtiff, libwebp, tcl, lcms2, tk, libX11
 , libxcb, openjpeg, libimagequant, pyroma, numpy, pytestCheckHook
 }@args:
@@ -14,6 +14,25 @@ import ./generic.nix (rec {
     sha256 = "1361y215ydmdh4il1vay5831aqivmpwgzjqrphqjdiq0ipnz7qyx";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2022-22815.patch";
+      url = "https://github.com/python-pillow/Pillow/commit/1e092419b6806495c683043ab3feb6ce264f3b9c.patch";
+      sha256 = "1mafa8ixh4a4nh98yjp7dhh68kk4sxbzjm468h9gjba0py8657rd";
+    })
+    (fetchpatch {
+      name = "CVE-2022-22816.patch";
+      url = "https://github.com/python-pillow/Pillow/commit/c48271ab354db49cdbd740bc45e13be4f0f7993c.patch";
+      sha256 = "1jr25918lxqljswv1jc7m3nn370xrz0l7g39lbyh5ndjz1dmnpvv";
+    })
+    (fetchpatch {
+      name = "CVE-2022-22817.patch";
+      url = "https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11.patch";
+      excludes = [ "docs/releasenotes/9.0.0.rst" ];
+      sha256 = "13va7lmja9bkp1d8bnwpns9nh7p31kal89cvfky4r95lx0ckrnfv";
+    })
+  ];
+
   meta = with lib; {
     homepage = "https://python-pillow.org/";
     description = "The friendly PIL fork (Python Imaging Library)";
diff --git a/pkgs/development/python-modules/pillow/generic.nix b/pkgs/development/python-modules/pillow/generic.nix
@@ -3,13 +3,14 @@
 , disabled
 , src
 , meta
+, patches ? []
 , ...
 }@args:
 
 with args;
 
 buildPythonPackage rec {
-  inherit pname version src meta;
+  inherit pname version src meta patches;
 
   # Disable imagefont tests, because they don't work well with infinality:
   # https://github.com/python-pillow/Pillow/issues/1259
