Bug 922577 (CVE-2023-50447) - <dev-python/pillow-10.2.0: RCE when processing files with attacker-provided filenames
Summary: <dev-python/pillow-10.2.0: RCE when processing files with attacker-provided f...
Status: IN_PROGRESS
Alias: CVE-2023-50447
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://duartecsantos.github.io/2023-...
Whiteboard: A2 [glsa stable]
Keywords:
Depends on: 928390 922404
Blocks:
Reported: 2024-01-20 18:21 UTC by Hank Leininger
Modified: 2024-04-05 06:32 UTC

See Also:
Package list:
Runtime testing required: ---
Description Hank Leininger 2024-01-20 18:21:36 UTC
pillow contains code that wraps python eval calls that are passed files to operate on. The calls are filtered, but in such a way that maliciously chosen filenames can get around the filters to run arbitrary code.

10.2.0 contains a fix. It is already in ::gentoo, awaiting stabilization (https://bugs.gentoo.org/922404).

I'd argue down the 9.0 CVSS score, but still significant.
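As an added illustration (not code from this bug report or from Pillow itself) of the defensive alternative to string-filtering input before handing it to eval: parse the expression with the ast module and accept only an explicit allowlist of node types, operand names and function names, rejecting everything else before any evaluation happens. The function name, the operator table and the allowed builtins are assumptions for the example.

```python
import ast
import operator

# Allowed binary operators: plain arithmetic only (assumed set for this example).
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}

# Allowed callables, resolved from this table, never from the caller's string.
_FUNCS = {"min": min, "max": max, "abs": abs}


class UnsafeExpression(ValueError):
    """Raised when the expression uses anything outside the allowlist."""


def safe_eval(expression, variables):
    """Evaluate an arithmetic expression over named operands without eval().

    `variables` maps operand names (for instance image names) to values.
    Any node type not handled below (attribute access, subscripts, lambdas,
    calls to unknown names, ...) is rejected before anything is evaluated,
    so no denylist of "dangerous" substrings is needed.
    """
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not a valid expression: {exc.msg}") from None

    def visit(node):
        if isinstance(node, ast.Expression):
            return visit(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in variables:
                raise UnsafeExpression(f"unknown operand {node.id!r}")
            return variables[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](visit(node.left), visit(node.right))
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id not in _FUNCS or node.keywords:
                raise UnsafeExpression(f"call to {node.func.id!r} not allowed")
            return _FUNCS[node.func.id](*[visit(a) for a in node.args])
        raise UnsafeExpression(f"{type(node).__name__} not allowed")

    return visit(tree)
```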
Comment 1 Hans de Graaff gentoo-dev Security 2024-04-01 16:44:51 UTC
mgorny, why did you add the 10.3.0 stable bug as a dependency? Has this vulnerability not been fixed fully in 10.2.0? Or perhaps some other reason?
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-01 17:45:35 UTC
(In reply to Hans de Graaff from comment #1)
> mgorny, why did you add the 10.3.0 stable bug as a dependency? Has this
> vulnerability not been fixed fully in 10.2.0? Or perhaps some other reason?

10.2.0-r1 didn't get stabilized on hppa.
Comment 3 Hans de Graaff gentoo-dev Security 2024-04-03 06:10:41 UTC
(In reply to Michał Górny from comment #2)

> 10.2.0-r1 didn't get stabilized on hppa.

Ok, that means that we can move to the glsa? phase and keep stable until hppa is stable as well.