| Summary: | python-pillow new security issues CVE-2022-2281[5-7] and CVE-2022-24303 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, sysadmin-bugs, tarazed25, yvesbrungard |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | python-pillow-8.3.2-1.mga9.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser 2022-01-13 17:20:32 CET

David Walser 2022-01-13 17:20:44 CET
Status comment: (none) => Fixed upstream in 9.0.0

Debian has issued an advisory for this on January 21:
https://www.debian.org/security/2022/dsa-5053

Fedora has issued an advisory for this today (February 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CK3IGXU77EQTXZAYI2PTIAI4XLFS7AFP/

Fedora has issued an advisory on March 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JR2LTB6KTUEU7YVPJ5MHA2GHOIL2JQQE/

The issue is fixed upstream in 9.0.1. Mageia 8 is also affected.
Status comment: Fixed upstream in 9.0.0 => Fixed upstream in 9.0.1

Submitted:
python3-pillow-tk-9.1.0-1.1.mga8
python3-pillow-devel-9.1.0-1.1.mga8
python3-pillow-9.1.0-1.1.mga8
python3-pillow-doc-9.1.0-1.1.mga8

urpmq --whatrequires python3-pillow gives a list of applications which use this library. For example PySolFC.
Version: Cauldron => 8

For future reference, subrel should be removed when updating to a new version. Also, clear the status comment field when assigning to QA.
Status comment: Fixed upstream in 9.0.1 => (none)

In fact, the subrel makes the release tag higher than Cauldron. We could rebuild Cauldron, but it's better to remove this, remove the subrel, and do it right. I've asked a sysadmin to remove it.
Keywords: (none) => feedback

Repushed without subrel.
python-pillow-9.1.0-1.mga8.src.rpm
Keywords: feedback => (none)

mga8, x64

Tried out the solitaire game before installing the update candidates. Clean update. Played the game under strace.

```
$ strace -o pysol.trace /usr/games/pysol
pygame 2.0.0 (SDL 2.0.14, python 3.8.12)
Hello from the pygame community. https://www.pygame.org/contribute.html
```

Managed to clear the deck but the trace does not find python-pillow.

```
$ grep pillow pysol.trace
getcwd("/home/lcl/qa/python-pillow", 4097) = 27
lstat("/home/lcl/qa/python-pillow", {st_mode=S_IFDIR|0755, st_size=1278, ...}) = 0
$ grep pillow pysol.trace | grep python3
$
```

There are certainly references to python3.8 and /usr/games/pysol. I guess since python-pillow is not a library or system resource it would not appear explicitly in the trace anyway, so the search is a bit pointless. Something to remember for future tests of such packages.

On previous bugs for this package local scripts were used to exercise some of the pillow functions. They still work.

Example conversion of PNG image to JPEG:

```
$ python3 ./convert kappaCrucis.png
$ ll kappaCrucis*
-rw-r--r-- 1 lcl lcl  681855 May  8 17:59 kappaCrucis.jpg
-rw-r--r-- 1 lcl lcl 6891745 Apr 13  2016 kappaCrucis.png
```

The new image displayed properly.

```
$ python pillow/thumbnail3 kappaCrucis.jpg
$ python pillow/thumbnail3 kappaCrucis.jpg
lcl@canopus:python-pillow $ ll kappaCrucis*
-rw-r--r-- 1 lcl lcl 681855 May  8 17:59 kappaCrucis.jpg
-rw-r--r-- 1 lcl lcl  54981 May  8 18:09 kappaCrucis.thumb
$ display kappaCrucis.thumb
<OK>
```

Seems to be fine.
CC: (none) => tarazed25

Validating.
Keywords: (none) => validated_update

Advisory committed to svn as
```yaml
type: security
subject: Updated python-pillow packages fix security vulnerability
CVE:
  - CVE-2022-22815
  - CVE-2022-22816
  - CVE-2022-22817
  - CVE-2022-24303
src:
  8:
    core:
      - python-pillow-9.1.0-1.mga8
description: |
  path_getbbox in path.c in Pillow before 9.0.0 improperly initializes
  ImagePath.Path. (CVE-2022-22815)

  path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read
  during initialization of ImagePath.Path. (CVE-2022-22816)

  PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary
  expressions. (CVE-2022-22817)

  Pillow before 9.0.1 allows attackers to delete files because spaces in
  temporary pathnames are mishandled. (CVE-2022-24303)
references:
  - https://bugs.mageia.org/show_bug.cgi?id=29887
  - https://ubuntu.com/security/notices/USN-5227-1
  - https://www.debian.org/security/2022/dsa-5053
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CK3IGXU77EQTXZAYI2PTIAI4XLFS7AFP/
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JR2LTB6KTUEU7YVPJ5MHA2GHOIL2JQQE/
```

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0166.html
Resolution: (none) => FIXED
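A worked example of the two version questions raised in the comments above, the release-tag ordering that made the 1.1.mga8 subrel sort above Cauldron, and whether an installed Pillow version predates the upstream fix for each CVE in this bug. This is added here and is not code from the bug or from python-pillow; it re-implements rpm's rpmvercmp() segment ordering in plain Python, takes the fixed-in versions from this page, and assumes the '^' rule of newer rpm releases is not needed.

```python
# Added example, not code from the Mageia bug or python-pillow: a pure-Python
# rewrite of rpm's rpmvercmp() ordering (no '^' handling), showing why the
# 9.1.0-1.1.mga8 subrel sorts above Cauldron's 9.1.0-1.mga9 and which CVEs on
# this page an installed Pillow version still lacks a fix for.
FIXED_IN = {"CVE-2022-22815": "9.0.0", "CVE-2022-22816": "9.0.0",  # from the
            "CVE-2022-22817": "9.0.0", "CVE-2022-24303": "9.0.1"}  # bug/advisory

def rpmvercmp(a: str, b: str) -> int:
    """-1, 0 or 1 like rpmvercmp(): compare numeric/alphabetic segments in
    turn; a numeric segment beats an alphabetic one; '~' sorts before all."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1  # skip separators such as '.' or '-'
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:  # tilde is older than anything, even end of string
            if ta != tb:
                return -1 if ta else 1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        kind = str.isdigit if numeric else str.isalpha
        si, sj = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:  # segment types differ: the numeric side is newer
            return 1 if numeric else -1
        if numeric:  # drop leading zeros, then the longer number is larger
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whoever has segments left is newer

def compare_vr(x: str, y: str) -> int:  # 'version-release' order as rpm does it
    (vx, rx), (vy, ry) = x.split("-", 1), y.split("-", 1)
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)

def affected_cves(installed: str) -> list:  # CVEs whose fix is newer than installed
    return sorted(c for c, f in FIXED_IN.items() if rpmvercmp(installed, f) < 0)
```

compare_vr("9.1.0-1.1.mga8", "9.1.0-1.mga9") returns 1 because rpm ranks the numeric segment "1" above the alphabetic "mga", which is exactly why the subrel had to be dropped before the repush as 9.1.0-1.mga8.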