| Summary: | <dev-python/pillow-10.2.0: RCE when processing files with attacker-provided filenames | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hank Leininger <hlein> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | | |
| Severity: | normal | CC: | ajak, mgorny, python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/ | | |
| Whiteboard: | A2 [glsa+ cleanup] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 928390, 922404 | | |
| Bug Blocks: | | | |
Description
Hank Leininger
2024-01-20 18:21:36 UTC
mgorny, why did you add the 10.3.0 stable bug as a dependency? Has this vulnerability not been fixed fully in 10.2.0? Or perhaps some other reason?

(In reply to Hans de Graaff from comment #1)
> mgorny, why did you add the 10.3.0 stable bug as a dependency? Has this
> vulnerability not been fixed fully in 10.2.0? Or perhaps some other reason?

10.2.0-r1 didn't get stabilized on hppa.

(In reply to Michał Górny from comment #2)
> 10.2.0-r1 didn't get stabilized on hppa.

Ok, that means that we can move to the glsa? phase and keep stable until hppa is stable as well.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=816096872d7a07e6233fbe06019e8382ea181358

commit 816096872d7a07e6233fbe06019e8382ea181358
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-05 07:36:46 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-05 07:37:30 +0000

    [ GLSA 202405-12 ] Pillow: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/889594
    Bug: https://bugs.gentoo.org/903664
    Bug: https://bugs.gentoo.org/916907
    Bug: https://bugs.gentoo.org/922577
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-12.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)