"CVE-2022-24303: If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file. This has been present since PIL."

Please bump to 9.0.1.
From https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html:

```
CVE-2022-24303: If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file. This has been present since PIL.

CVE-2022-22817: While Pillow 9.0 restricted top-level builtins available to PIL.ImageMath.eval(), it did not prevent builtins available to lambda expressions. These are now also restricted.
```
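The failure mode the CVE-2022-24303 note describes, as an added example that is not part of the original report and is not Pillow's code: a cleanup command built by pasting a path into a shell string, next to two corrected forms. The function names, the `tmp dir` directory and the file names are constructed for the demonstration.

```python
import os
import shlex
import subprocess
import tempfile


def cleanup_unquoted(path):
    """Weak form: the path is pasted into the shell command as-is."""
    # The shell splits the path at the space, so rm receives two arguments.
    # cwd keeps any stray relative argument inside the sandbox directory.
    subprocess.run("rm -f " + path, shell=True, cwd=os.path.dirname(path))


def cleanup_quoted(path):
    """Shell form with the path quoted so it stays a single word."""
    subprocess.run("rm -f " + shlex.quote(path), shell=True,
                   cwd=os.path.dirname(path))


def cleanup_no_shell(path):
    """No shell involved: the path is one argument by construction."""
    try:
        os.remove(path)
    except FileNotFoundError:
        pass


def demo(cleanup):
    """Run `cleanup` on a file below a directory whose name has a space.

    Returns (temp_file_removed, unrelated_file_survived).
    """
    with tempfile.TemporaryDirectory() as root:
        tmpdir = os.path.join(root, "tmp dir")      # constructed: path with a space
        os.mkdir(tmpdir)
        image = os.path.join(tmpdir, "image.png")   # stands in for the temporary image
        unrelated = os.path.join(root, "tmp")       # first word of the split path
        for p in (image, unrelated):
            with open(p, "w") as f:
                f.write("x")
        cleanup(image)
        return (not os.path.exists(image), os.path.exists(unrelated))


if __name__ == "__main__":
    for fn in (cleanup_unquoted, cleanup_quoted, cleanup_no_shell):
        print(fn.__name__, demo(fn))
```

The unquoted form leaves the temporary file in place and deletes the sibling file named `tmp`; both corrected forms remove only the intended file.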
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9568918f494bc25512465018c824efa849b75110

```
commit 9568918f494bc25512465018c824efa849b75110
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-03 04:24:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-03 04:24:16 +0000

    dev-python/pillow: add 9.0.1

    Add 9.0.1-r1 with PEP 517 too, but we're not yet ready to stable that.

    Bug: https://bugs.gentoo.org/832598
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pillow/Manifest               |   1 +
 dev-python/pillow/pillow-9.0.1-r1.ebuild | 115 +++++++++++++++++++++++++++++++
 dev-python/pillow/pillow-9.0.1.ebuild    | 106 ++++++++++++++++++++++++++++
 3 files changed, 222 insertions(+)
```