Bug 31019 - python-pillow new security issues CVE-2022-30595 and CVE-2022-45198
Summary: python-pillow new security issues CVE-2022-30595 and CVE-2022-45198
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-10-24 17:58 CEST by David Walser
Modified: 2023-05-16 21:19 CEST
CC List: 5 users

See Also:
Source RPM: python-pillow-9.1.0-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-10-24 17:58:28 CEST
Pillow 9.1.1 has been released on May 17, fixing a security issue:
https://github.com/python-pillow/Pillow/releases/tag/9.1.1
David Walser 2022-10-24 17:58:46 CEST

Status comment: (none) => Fixed upstream in 9.1.1
Assignee: bugsquad => python

Comment 1 David Walser 2022-12-15 04:38:47 CET
Ubuntu has issued an advisory on December 13:
https://ubuntu.com/security/notices/USN-5777-1

It fixes a new issue that is fixed upstream in 9.2.0.

Summary: python-pillow new security issue CVE-2022-30595 => python-pillow new security issues CVE-2022-30595 and CVE-2022-45198
Status comment: Fixed upstream in 9.1.1 => Fixed upstream in 9.2.0

Comment 2 papoteur 2023-05-13 14:14:48 CEST
Update python-pillow to 9.2.0
python3-pillow-qt-9.2.0-1.mga8
python3-pillow-tk-9.2.0-1.mga8
python3-pillow-devel-9.2.0-1.mga8
python3-pillow-9.2.0-1.mga8

The build of the documentation is disabled.

Source:
python-pillow-9.2.0-1.mga8

Status comment: Fixed upstream in 9.2.0 => (none)
Assignee: python => qa-bugs
CC: (none) => yves.brungard_mageia

Comment 3 papoteur 2023-05-13 14:17:44 CEST
urpmq --whatrequires python3-pillow
PySolFC
calibre
cinnamon
deluge
eduvpn-client
img2pdf
kitty
kodi
lutris
mate-dock-applet
mythtv-plugin-archive
nml
ocrfeeder
openshot-qt
pagure
paperwork
python3-bokeh
python3-cairosvg
python3-cairosvg
python3-cairosvg
python3-cloudmap
python3-django-easy-thumbnails
python3-django-simple-captcha
python3-eyed3
python3-fabulous
python3-imageio
python3-matplotlib
python3-pikepdf
python3-pillow
python3-pyinsane
python3-pyocr
python3-pypillowfight
python3-pystray
python3-qrcode
python3-reportlab
python3-scikit-image
python3-wxpython4
weboob
Comment 4 Len Lawrence 2023-05-14 19:37:23 CEST
mga8, x64

Before updating, I checked that Calibre was working.  Installed paperwork.
paperwork involves scanning documents and OCR, so it is too complicated to test just now.

Updated the packages and ran calibre under strace.  Imported a PDF from local docs/books directory.  Converted the document to epub 2 format.  Selected an existing book from the Title menu and perused it.

The trace did not mention pillow so it is simply a coding resource.

Opened paperwork and looked at the internal documentation.

pagure seems to be a website.

nml appears to be related to nmlc,
 "NMLC — A compiler from NML code to NFO and/or GRF files"

Played with OpenShot - imported a video and played it, added markers - working OK as far as I could tell.

img2pdf works fine.
$ img2pdf test.jpf > test.pdf
Generates a single page PDF document containing a high resolution copy of the image.

This should be enough.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2023-05-16 00:02:06 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-05-16 19:03:39 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2023-05-16 21:19:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0164.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

