pillow contains code that wraps python eval calls that are passed files to operate on. The calls are filtered, but in such a way that maliciously chosen filenames can get around the filters to run arbitrary code. 10.2.0 contains a fix. It is already in ::gentoo, awaiting stabilization (https://bugs.gentoo.org/922404). I'd argue down the 9.0 CVSS score, but still significant.
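Added example, not Pillow's code and not part of the bug report: a hypothetical `filtered_eval` that reproduces the design the report describes (names are filtered, then the text is handed to `eval()`), next to an allowlist evaluator built on the `ast` module that only accepts arithmetic on caller-supplied operands. The demonstration input `x.__class__` is constructed here to show that a filter on the environment keys says nothing about what the expression itself may do; it is not a payload taken from the Pillow issue.

```python
import ast
import operator

# Hypothetical "filtered eval" (assumption, not Pillow's implementation):
# the environment keys are screened, then the expression is still run by
# eval(). Emptying __builtins__ narrows what a bare name can reach, but it does
# not constrain attribute access or other syntax inside the expression.
def filtered_eval(expression: str, env: dict) -> object:
    for key in env:
        if key.startswith("__"):
            raise ValueError(f"rejected environment key: {key!r}")
    return eval(expression, {"__builtins__": {}}, dict(env))


# Allowlist evaluator: parse first, then walk the tree and execute only node
# types we enumerate. Anything else (attributes, subscripts, lambdas,
# comprehensions, unknown calls) is rejected before any code runs.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.BitAnd: operator.and_, ast.BitOr: operator.or_,
    ast.BitXor: operator.xor, ast.LShift: operator.lshift, ast.RShift: operator.rshift,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg, ast.Invert: operator.invert}
_FUNCS = {"abs": abs, "min": min, "max": max}  # explicit allowlist of callables


def safe_eval(expression: str, env: dict):
    """Evaluate a small arithmetic language over numeric operands in env."""
    tree = ast.parse(expression, mode="eval")  # raises SyntaxError on junk
    return _eval_node(tree.body, env)


def _eval_node(node: ast.AST, env: dict):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id in env and isinstance(env[node.id], (int, float)):
            return env[node.id]
        raise ValueError(f"unknown or non-numeric operand {node.id!r}")
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left, env), _eval_node(node.right, env))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, env))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in _FUNCS and not node.keywords):
        return _FUNCS[node.func.id](*(_eval_node(a, env) for a in node.args))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def rejects(expression: str, env: dict) -> bool:
    """True when safe_eval refuses the expression instead of running it."""
    try:
        safe_eval(expression, env)
    except (ValueError, SyntaxError):
        return True
    return False


def demo() -> tuple:
    """Constructed comparison: the key filter passes 'x.__class__' and eval()
    happily resolves the attribute; the AST evaluator rejects it outright."""
    expr, env = "x.__class__", {"x": 1}
    leaked = filtered_eval(expr, env)          # returns the int class object
    return leaked is int, rejects(expr, env)   # (True, True)


if __name__ == "__main__":
    print(safe_eval("(a + b) * 2 - c", {"a": 3, "b": 4, "c": 1}))
    print(demo())
```

The design point is the direction of the check: `filtered_eval` blocklists a few names and trusts `eval()` with everything else, whereas `safe_eval` allowlists node types and callables, so new Python syntax or attribute tricks fail closed. Operands are also type-checked, so a caller cannot smuggle an object in through `env` and then reach its attributes.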
mgorny, why did you add the 10.3.0 stable bug as a dependency? Has this vulnerability not been fixed fully in 10.2.0? Or perhaps some other reason?
(In reply to Hans de Graaff from comment #1)
> mgorny, why did you add the 10.3.0 stable bug as a dependency? Has this
> vulnerability not been fixed fully in 10.2.0? Or perhaps some other reason?

10.2.0-r1 didn't get stabilized on hppa.
(In reply to Michał Górny from comment #2)
> 10.2.0-r1 didn't get stabilized on hppa.

Ok, that means that we can move to the glsa? phase and keep stable until hppa is stable as well.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=816096872d7a07e6233fbe06019e8382ea181358

commit 816096872d7a07e6233fbe06019e8382ea181358
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-05 07:36:46 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-05 07:37:30 +0000

    [ GLSA 202405-12 ] Pillow: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/889594
    Bug: https://bugs.gentoo.org/903664
    Bug: https://bugs.gentoo.org/916907
    Bug: https://bugs.gentoo.org/922577
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-12.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)