pillow contains code that wraps python eval calls that are passed files to operate on. The calls are filtered, but in such a way that maliciously chosen filenames can get around the filters to run arbitrary code. 10.2.0 contains a fix. It is already in ::gentoo, awaiting stabilization (https://bugs.gentoo.org/922404). I'd argue down the 9.0 CVSS score, but still significant.
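The comment above describes the bug class: a deny-list filter placed in front of Python's eval() that crafted input can slip past. As an added illustration, which is not Pillow's code and not its 10.2.0 fix, here is the allow-list alternative: parse the expression and interpret only arithmetic AST nodes, so attribute access, calls and unknown names are refused outright. `safe_eval`, `is_safe` and `UnsafeExpression` are hypothetical names.

```python
import ast
import operator

# Allow-list of arithmetic operators; any other node type is rejected.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


class UnsafeExpression(ValueError):
    """Raised when the expression contains anything but arithmetic."""


def _eval_node(node, env):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        # Names resolve only against the caller-supplied mapping,
        # never against globals or builtins.
        if node.id not in env:
            raise UnsafeExpression(f"unknown name {node.id!r}")
        return env[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, env)
        right = _eval_node(node.right, env)
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, env))
    # Attribute access, calls, subscripts, lambdas, comprehensions and
    # every other construct fall through to here and are refused.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def safe_eval(expression, env):
    """Evaluate an arithmetic expression over the variables in `env`.

    Unlike eval() behind a deny-list, the string is never handed to the
    interpreter; only explicitly allowed AST node types are interpreted.
    """
    tree = ast.parse(expression, mode="eval")
    return _eval_node(tree.body, env)


def is_safe(expression, env):
    """True if the expression evaluates under the allow-list, else False."""
    try:
        safe_eval(expression, env)
        return True
    except (UnsafeExpression, SyntaxError):
        return False
```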
mgorny, why did you add the 10.3.0 stable bug as a dependency? Has this vulnerability not been fixed fully in 10.2.0? Or perhaps some other reason?
(In reply to Hans de Graaff from comment #1)
> mgorny, why did you add the 10.3.0 stable bug as a dependency? Has this
> vulnerability not been fixed fully in 10.2.0? Or perhaps some other reason?

10.2.0-r1 didn't get stabilized on hppa.
(In reply to Michał Górny from comment #2)
> 10.2.0-r1 didn't get stabilized on hppa.

Ok, that means that we can move to the glsa? phase and keep stable until hppa is stable as well.