Summary: | <dev-python/pillow-9.0.1: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | python |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html | ||
Whiteboard: | B2 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 833368 | ||
Bug Blocks: | 832599 |
Description
John Helmert III
2022-02-03 03:59:41 UTC
From https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html: ``` CVE-2022-24303: If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file. This been present since PIL. CVE-2022-22817: While Pillow 9.0 restricted top-level builtins available to PIL.ImageMath.eval(), it did not prevent builtins available to lambda expressions. These are now also restricted. ``` The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9568918f494bc25512465018c824efa849b75110 commit 9568918f494bc25512465018c824efa849b75110 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-02-03 04:24:16 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-02-03 04:24:16 +0000 dev-python/pillow: add 9.0.1 Add 9.0.1-r1 with PEP 517 too, but we're not yet ready to stable that. Bug: https://bugs.gentoo.org/832598 Signed-off-by: Sam James <sam@gentoo.org> dev-python/pillow/Manifest | 1 + dev-python/pillow/pillow-9.0.1-r1.ebuild | 115 +++++++++++++++++++++++++++++++ dev-python/pillow/pillow-9.0.1.ebuild | 106 ++++++++++++++++++++++++++++ 3 files changed, 222 insertions(+) GLSA request filed The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=65e54c1c2d5aa2b4a2012ca5e8d6771961ac4118 commit 65e54c1c2d5aa2b4a2012ca5e8d6771961ac4118 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-11-22 03:53:26 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-11-22 03:59:40 +0000 [ GLSA 202211-10 ] Pillow: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/802090 Bug: https://bugs.gentoo.org/811450 Bug: https://bugs.gentoo.org/830934 Bug: https://bugs.gentoo.org/832598 Bug: https://bugs.gentoo.org/855683 Bug: https://bugs.gentoo.org/878769 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202211-10.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) GLSA released, all done! |