All upstream versions of dev-python/imageio default to downloading a compiled freeimage shared library from GitHub. The code seems to be silently triggered when formats using freeimage are used. It fetches straight from the master branch of a remote GitHub repository, and seems to have no protection against malicious actors.

Relevant code:
https://github.com/imageio/imageio/blob/master/imageio/plugins/_freeimage.py#L37
https://github.com/imageio/imageio/blob/eeafb8d5e6b4ec351afa13a9ca05297cd7c8728a/imageio/core/fetching.py#L33
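The report above is about a library that fetches a binary from a moving branch and loads it with no integrity check. As an added illustration (not imageio's code, and not the Gentoo patch), the following sketch shows the two controls a packager would want in such a fetcher: the download is off by default, and when it is enabled the artifact must match a digest pinned at packaging time before it is written to disk. The library bytes, the pin table and the fetch callable are all constructed stand-ins.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed stand-in for a freeimage build; a real pin is the SHA-256 of a reviewed artifact.
SAMPLE_LIBRARY = b"constructed stand-in for libfreeimage.so bytes"
SAMPLE_PINS = {"libfreeimage.so": hashlib.sha256(SAMPLE_LIBRARY).hexdigest()}

def digest_matches(data: bytes, name: str, pins: dict) -> bool:
    # Constant-time compare against the pin; an unpinned name never matches.
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pins.get(name, ""))

def install_verified(name: str, data: bytes, dest_dir: Path, pins: dict) -> Path:
    """Write data to dest_dir/name only if it matches the pinned digest."""
    if not digest_matches(data, name, pins):
        raise ValueError(f"{name}: unpinned or digest mismatch, artifact rejected")
    dest_dir.mkdir(parents=True, exist_ok=True)
    (dest_dir / name).write_bytes(data)
    return dest_dir / name

def get_library(name: str, dest_dir: Path, fetch, pins: dict, allow_network: bool = False) -> Path:
    """Prefer an installed copy (re-verified); fetch only when explicitly allowed."""
    local = dest_dir / name
    if local.is_file():
        if not digest_matches(local.read_bytes(), name, pins):
            raise ValueError(f"{name}: installed copy does not match pin")
        return local
    if not allow_network:
        raise FileNotFoundError(f"{name}: not installed and network fetch is disabled")
    return install_verified(name, fetch(name), dest_dir, pins)

def run_demo() -> dict:
    """Exercise the three paths with fake fetchers; returns which checks held."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        try:  # default is offline: nothing installed and no fetch attempted
            get_library("libfreeimage.so", d, lambda n: SAMPLE_LIBRARY, SAMPLE_PINS)
            results["offline_blocked"] = False
        except FileNotFoundError:
            results["offline_blocked"] = True
        try:  # a modified artifact from the network is rejected before it is written
            get_library("libfreeimage.so", d, lambda n: SAMPLE_LIBRARY + b"!", SAMPLE_PINS, True)
            results["tampered_rejected"] = False
        except ValueError:
            results["tampered_rejected"] = True
        p = get_library("libfreeimage.so", d, lambda n: SAMPLE_LIBRARY, SAMPLE_PINS, True)
        results["genuine_installed"] = p.read_bytes() == SAMPLE_LIBRARY
    return results
```

Pinning a digest also fixes the version: a stale pin fails loudly when the artifact changes, which is the point, since the alternative is silently loading whatever the branch serves.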
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40b85d13e7fd770f834fde7b160219829fad5311

commit 40b85d13e7fd770f834fde7b160219829fad5311
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-10-04 08:18:48 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-10-04 08:29:55 +0000

dev-python/imageio: Block fetching remote shared libraries (!)

Bug: https://bugs.gentoo.org/874849
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-python/imageio/Manifest | 2 ++
.../files/imageio-2.22.0-block-download.patch | 32 ++++++++++++++++++++++
...geio-2.22.0.ebuild => imageio-2.22.0-r1.ebuild} | 29 ++++++++++++++++++++
3 files changed, 63 insertions(+)
Interesting catch! I'm not sure we care so much about the potential for someone malicious to interfere with those libraries given they're fetched over HTTPS, but it's definitely problematic that those shared libraries are probably still vulnerable to vulnerabilities disclosed in the past.
Remember sourceforge and GIMP?
I've requested CVEs for both issues:
1. Old freeimage is vulnerable
2. Fetching code from the internet without verification
The upstream issues are:
https://github.com/imageio/imageio/issues/891
https://github.com/imageio/imageio/issues/892

Requested CVEs; MITRE apparently doesn't consider fetching code from the internet without verification a vulnerability.