Ubuntu has issued an advisory today (January 13): https://ubuntu.com/security/notices/USN-5227-1 The issues are fixed upstream in 9.0.0. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 9.0.0
Whiteboard: (none) => MGA8TOO
Debian has issued an advisory for this on January 21: https://www.debian.org/security/2022/dsa-5053
Fedora has issued an advisory for this today (February 4): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CK3IGXU77EQTXZAYI2PTIAI4XLFS7AFP/
Fedora has issued an advisory on March 26: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JR2LTB6KTUEU7YVPJ5MHA2GHOIL2JQQE/ The issue is fixed upstream in 9.0.1. Mageia 8 is also affected.
Status comment: Fixed upstream in 9.0.0 => Fixed upstream in 9.0.1
Summary: python-pillow new security issues CVE-2022-2281[5-7] => python-pillow new security issues CVE-2022-2281[5-7] and CVE-2022-24303
Submitted:
python3-pillow-tk-9.1.0-1.1.mga8
python3-pillow-devel-9.1.0-1.1.mga8
python3-pillow-9.1.0-1.1.mga8
python3-pillow-doc-9.1.0-1.1.mga8

urpmq --whatrequires python3-pillow gives a list of applications which use this library. For example PySolFC.
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => yves.brungard_mageia
Assignee: python => qa-bugs
For future reference, subrel should be removed when updating to a new version. Also, clear the status comment field when assigning to QA.
Status comment: Fixed upstream in 9.0.1 => (none)
In fact, the subrel makes the release tag higher than Cauldron. We could rebuild Cauldron, but it's better to remove this, remove the subrel, and do it right. I've asked a sysadmin to remove it.
Keywords: (none) => feedback
Repushed without subrel. python-pillow-9.1.0-1.mga8.src.rpm
Keywords: feedback => (none)
mga8, x64

Tried out the solitaire game before installing the update candidates. Clean update. Played the game under strace.

$ strace -o pysol.trace /usr/games/pysol
pygame 2.0.0 (SDL 2.0.14, python 3.8.12)
Hello from the pygame community. https://www.pygame.org/contribute.html

Managed to clear the deck but the trace does not find python-pillow.

$ grep pillow pysol.trace
getcwd("/home/lcl/qa/python-pillow", 4097) = 27
lstat("/home/lcl/qa/python-pillow", {st_mode=S_IFDIR|0755, st_size=1278, ...}) = 0
$ grep pillow pysol.trace | grep python3
$

There are certainly references to python3.8 and /usr/games/pysol. I guess since python-pillow is not a library or system resource it would not appear explicitly in the trace anyway, so the search is a bit pointless. Something to remember for future tests of such packages.

On previous bugs for this package local scripts were used to exercise some of the pillow functions. They still work. Example conversion of PNG image to JPEG.

$ python3 ./convert kappaCrucis.png
$ ll kappaCrucis*
-rw-r--r-- 1 lcl lcl  681855 May  8 17:59 kappaCrucis.jpg
-rw-r--r-- 1 lcl lcl 6891745 Apr 13  2016 kappaCrucis.png

The new image displayed properly.

$ python pillow/thumbnail3 kappaCrucis.jpg
$ python pillow/thumbnail3 kappaCrucis.jpg
lcl@canopus:python-pillow $ ll kappaCrucis*
-rw-r--r-- 1 lcl lcl 681855 May  8 17:59 kappaCrucis.jpg
-rw-r--r-- 1 lcl lcl  54981 May  8 18:09 kappaCrucis.thumb
$ display kappaCrucis.thumb
<OK>

Seems to be fine.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory committed to svn as

type: security
subject: Updated python-pillow packages fix security vulnerability
CVE:
 - CVE-2022-22815
 - CVE-2022-22816
 - CVE-2022-22817
 - CVE-2022-24303
src:
  8:
   core:
     - python-pillow-9.1.0-1.mga8
description: |
  path_getbbox in path.c in Pillow before 9.0.0 improperly initializes
  ImagePath.Path. (CVE-2022-22815)

  path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during
  initialization of ImagePath.Path. (CVE-2022-22816)

  PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary
  expressions. (CVE-2022-22817)

  Pillow before 9.0.1 allows attackers to delete files because spaces in
  temporary pathnames are mishandled. (CVE-2022-24303)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29887
 - https://ubuntu.com/security/notices/USN-5227-1
 - https://www.debian.org/security/2022/dsa-5053
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CK3IGXU77EQTXZAYI2PTIAI4XLFS7AFP/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JR2LTB6KTUEU7YVPJ5MHA2GHOIL2JQQE/
CC: (none) => davidwhodgins
Keywords: (none) => advisory
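Of the four CVEs in the advisory, CVE-2022-22817 (ImageMath.eval evaluating arbitrary expressions) is the one a QA tester can exercise without crafting a malformed image, and it is worth seeing why "hide the builtins" alone is not enough. The block below is an added, stand-alone illustration written for this bug report; it is not Pillow's code and not part of the original thread. It uses plain integers in place of image operands (an assumption made so it runs without Pillow installed), and the function names naive_eval, hardened_eval and _collect_names are hypothetical. The naive version mirrors the pre-fix shape of the problem (eval with an emptied __builtins__); the hardened version scans every name the compiled expression references against an allow-list before evaluating, which is the approach the 9.0.x upstream fixes took (check the Pillow source if exactness matters).

```python
import builtins
import types

# Constructed stand-in for an ImageMath operand environment. In the real
# library these would be images wrapped as operands; ints are enough to show
# the name-filtering logic.
SAMPLE_ENV = {"a": 100, "b": 50}

# A well-known introspection chain: from an empty tuple literal, walk to
# `object` and enumerate every loaded class. Nothing here needs a builtin.
ESCAPE = "().__class__.__base__.__subclasses__()"


def naive_eval(expression, env):
    """Pre-fix style: hide the builtins but never inspect the expression.

    Attribute access on literals still works, so an expression can reach
    arbitrary classes through __class__ / __base__ / __subclasses__.
    """
    return builtins.eval(expression, {"__builtins__": {}}, dict(env))


def _collect_names(code):
    """Recursively collect every name a compiled expression references:
    global lookups, attribute names and anything inside nested code objects
    such as lambda bodies."""
    names = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names |= _collect_names(const)
    return names


def hardened_eval(expression, env, extra_allowed=("abs",)):
    """Allow-list style: every referenced name must be a known operand or an
    explicitly permitted function; anything else is rejected *before* eval."""
    code = compile(expression, "<string>", "eval")
    allowed = set(env) | set(extra_allowed)
    for name in sorted(_collect_names(code)):
        if name not in allowed:
            raise ValueError(f"'{name}' not allowed in expression")
    # Only the permitted helpers are exposed as builtins.
    return builtins.eval(code, {"__builtins__": {"abs": abs}}, dict(env))


def naive_accepts_escape(env=SAMPLE_ENV):
    """True if the naive evaluator lets the introspection chain run."""
    try:
        result = naive_eval(ESCAPE, env)
    except Exception:
        return False
    return isinstance(result, list) and len(result) > 0


def hardened_rejects_escape(env=SAMPLE_ENV):
    """True if the allow-list evaluator refuses the introspection chain."""
    try:
        hardened_eval(ESCAPE, env)
    except ValueError:
        return True
    return False


def hardened_rejects_import(env=SAMPLE_ENV):
    """True if a direct __import__ attempt is refused by name."""
    try:
        hardened_eval("__import__('os').getcwd()", env)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(hardened_eval("(a + b) // 2", SAMPLE_ENV))         # 75
    print(hardened_eval("abs(a - b)", SAMPLE_ENV))           # 50
    print(naive_accepts_escape(), hardened_rejects_escape())  # True True
    print(hardened_rejects_import())                          # True
```

The point to take from the two evaluators: an empty __builtins__ stops `__import__` and `exec` by name, but not attribute walking from literals, so the only robust check is on the expression's referenced names (co_names, including nested code objects) before anything is evaluated. A QA run against the updated package can apply the same idea by feeding ImageMath.eval an expression containing a double-underscore attribute and confirming it raises rather than returns.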
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0166.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED