Bug 31016 - python-imageio downloads vulnerable freeimage library
Summary: python-imageio downloads vulnerable freeimage library
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:

Reported: 2022-10-24 17:18 CEST by David Walser
Modified: 2024-07-01 19:55 CEST

See Also:
Source RPM: python-imageio-2.9.0-4.mga9.src.rpm
CVE:
Status comment:
Description David Walser 2022-10-24 17:18:24 CEST
See these upstream issues:
https://github.com/imageio/imageio/issues/891
https://github.com/imageio/imageio/issues/892

Whatever solution upstream comes up with will need to be backported.
David Walser 2022-10-24 17:18:32 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-10-26 09:02:09 CEST
Assigning to the Python maintainers in advance. It can be revived when the necessary info becomes available (and noticed).

Assignee: bugsquad => python
Status: NEW => NEEDINFO

David Walser 2022-10-26 15:10:08 CEST

Status: NEEDINFO => NEW

Comment 2 David GEIGER 2024-06-15 09:30:00 CEST
Removing Mageia 8 from whiteboard due to EOL!

Whiteboard: MGA8TOO => MGA9TOO
CC: (none) => geiger.david68210

Comment 3 papoteur 2024-06-28 08:27:49 CEST
Hello,
I created a patch which raises an error when downloading is launched, saying "Mageia does not allow to install external binary".
I also removed the commands imageio_download_bin and imageio_remove_bin, as in Fedora.
Done in Cauldron.

Whiteboard: MGA9TOO => (none)
CC: (none) => yvesbrungard
Version: Cauldron => 9

Comment 4 papoteur 2024-06-28 08:30:24 CEST
Submitting:
SRPMS
python-imageio-2.22.4-1.1.mga9
RPMS:
python3-imageio-2.22.4-1.1.mga9

Assignee: python => qa-bugs

Comment 5 katnatek 2024-06-29 01:05:23 CEST
I am not sure if the issues in the second link in comment#0 are fixed by the new packages, so I only include the first in the advisory text and reference.

Keywords: (none) => advisory, feedback

Comment 6 papoteur 2024-06-29 06:58:31 CEST
(In reply to katnatek from comment #5)
> I am not sure if the second link in comment#0 issues are fixed by the new
> packages so I only include the first in advisory text and reference

Hi,
the second link is about libraries downloaded with the previous commands. As we don't download anything anymore, this is no longer our concern. And, yes, in fact, we don't provide a fix for this.

Comment 7 katnatek 2024-06-29 19:31:14 CEST
RH mageia 9 x86_64

LC_ALL=C urpmi python3-imageio

installing python3-imageio-2.22.4-1.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-imageio       ##################################################################################################

Created the example from https://github.com/imageio/imageio
Ran the example
A jpg file named chelsea.jpg is created
Opened the image with gwenview and gimp, and it looks OK
I'd like a way to confirm the issue is fixed, but I trust papoteur

Keywords: feedback => (none)
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 8 Thomas Andrews 2024-06-29 20:39:47 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 9 Mageia Robot 2024-07-01 19:55:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0244.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED