All upstream versions of dev-python/imageio default to downloading a compiled freeimage shared library from GitHub. The code seems to be silently triggered when formats using freeimage are used. It fetches straight from the master branch of a remote GitHub repository, and seems to have no protection against malicious actors.
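The two checks a package would need before loading a fetched shared library, as an added example that is not imageio's code or the Gentoo patch: refuse a mutable ref (a branch such as `master`) in favour of a full commit hash, and compare the bytes against a digest recorded in the package before anything is written where a loader could `dlopen()` it. The repository name, file path, and the sample library bytes below are constructed for the demo, not real freeimage artifacts.

```python
"""Pinning a remote binary artifact before it is installed (added example)."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Constructed stand-in for the bytes a fetch would return; not a real library.
SAMPLE_LIBRARY = b"\x7fELF" + b"constructed sample library contents\n"
# Digest the package would ship (like a Manifest entry), not fetched alongside
# the artifact. Computed here only so the demo is self-contained.
PINNED_SHA256 = hashlib.sha256(SAMPLE_LIBRARY).hexdigest()
# Hypothetical repository; only the URL shape matters.
REPO = "example-org/example-binaries"

_COMMIT_RE = re.compile(r"[0-9a-f]{40}")


def is_immutable_ref(ref: str) -> bool:
    """True only for a full 40-hex commit hash; branch and tag names are mutable."""
    return _COMMIT_RE.fullmatch(ref) is not None


def raw_github_url(repo: str, ref: str, path: str) -> str:
    """Build a raw.githubusercontent.com URL, refusing refs that can move."""
    if not is_immutable_ref(ref):
        raise ValueError(f"refusing mutable ref {ref!r}; pin a full commit hash")
    return f"https://raw.githubusercontent.com/{repo}/{ref}/{path}"


def digest_matches(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the fetched bytes against the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def unverified_install(fetched: bytes, dest: Path) -> Path:
    """The pattern the bug describes: write whatever came back over the wire.
    HTTPS authenticates the server, not the provenance or currency of the file."""
    dest.write_bytes(fetched)
    return dest


def verified_install(fetched: bytes, expected_sha256: str, dest: Path) -> Path:
    """Only install bytes whose digest matches what the package recorded."""
    if not digest_matches(fetched, expected_sha256):
        raise RuntimeError("fetched library does not match pinned digest; not installing")
    part = dest.with_suffix(dest.suffix + ".part")
    part.write_bytes(fetched)
    part.replace(dest)  # atomic rename: a half-written file is never loadable
    return dest


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        dest = Path(d) / "libfreeimage.so"
        print(raw_github_url(REPO, "a" * 40, "linux64/libfreeimage.so"))
        verified_install(SAMPLE_LIBRARY, PINNED_SHA256, dest)
        print("installed", dest.name, dest.stat().st_size, "bytes")
        try:
            verified_install(SAMPLE_LIBRARY + b"\x90", PINNED_SHA256, dest)
        except RuntimeError as exc:
            print("rejected:", exc)
        try:
            raw_github_url(REPO, "master", "linux64/libfreeimage.so")
        except ValueError as exc:
            print("rejected:", exc)
```

Pinning the digest addresses the unverified-fetch issue; it does nothing for the second issue in this bug, an outdated library with known vulnerabilities, which only a rebuild against a current freeimage (or the distribution's packaged one) fixes.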
The bug has been referenced in the following commit(s):
Author: Michał Górny <firstname.lastname@example.org>
AuthorDate: 2022-10-04 08:18:48 +0000
Commit: Michał Górny <email@example.com>
CommitDate: 2022-10-04 08:29:55 +0000
dev-python/imageio: Block fetching remote shared libraries (!)
Signed-off-by: Michał Górny <firstname.lastname@example.org>
dev-python/imageio/Manifest | 2 ++
.../files/imageio-2.22.0-block-download.patch | 32 ++++++++++++++++++++++
...geio-2.22.0.ebuild => imageio-2.22.0-r1.ebuild} | 29 ++++++++++++++++++++
3 files changed, 63 insertions(+)
Interesting catch! I'm not sure we care so much about the potential for someone malicious to interfere with those libraries given they're fetched over HTTPS, but it's definitely problematic that those shared libraries are probably still vulnerable to vulnerabilities disclosed in the past.
Remember sourceforge and GIMP?
I've requested CVEs for both issues:
1. Old freeimage is vulnerable
2. Fetching code from the internet without verification
The upstream issues are:
Requested CVEs; MITRE apparently doesn't consider fetching code from the internet without verification a vulnerability.