Bug 1219048 (CVE-2023-50447)

Summary: VUL-0: CVE-2023-50447: python-Pillow: Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: camila.matos, cloud-bugs, daniel.garcia, doreilly, okurz, steven.kowalik, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/391807/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-50447:8.4:(AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-01-22 04:37:56 UTC 
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-50447
https://devhub.checkmarx.com/cve-details/CVE-2023-50447/
https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/
https://github.com/python-pillow/Pillow/releases
https://www.cve.org/CVERecord?id=CVE-2023-50447
https://seclists.org/oss-sec/2024/q1/36
http://www.openwall.com/lists/oss-security/2024/01/20/1
Comment 2 OBSbugzilla Bot 2024-01-22 07:35:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1219048) was mentioned in
https://build.opensuse.org/request/show/1140356 Factory / python-Pillow
Comment 7 Maintenance Automation 2024-01-23 20:31:04 UTC 
SUSE-SU-2024:0185-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1219048
CVE References: CVE-2023-50447
Sources used:
openSUSE Leap 15.3 (src): python-Pillow-7.2.0-150300.3.6.1
openSUSE Leap 15.5 (src): python-Pillow-7.2.0-150300.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2024-01-24 16:30:28 UTC 
SUSE-SU-2024:0205-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1219048
CVE References: CVE-2023-50447
Sources used:
openSUSE Leap 15.4 (src): python-Pillow-9.5.0-150400.5.9.1
openSUSE Leap 15.5 (src): python-Pillow-9.5.0-150400.5.9.1
Python 3 Module 15-SP5 (src): python-Pillow-9.5.0-150400.5.9.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python-Pillow-9.5.0-150400.5.9.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python-Pillow-9.5.0-150400.5.9.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python-Pillow-9.5.0-150400.5.9.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python-Pillow-9.5.0-150400.5.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python-Pillow-9.5.0-150400.5.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-01-31 12:30:04 UTC 
SUSE-SU-2024:0290-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1194521, 1219048
CVE References: CVE-2022-22817, CVE-2023-50447
Sources used:
HPE Helion OpenStack 8 (src): python-Pillow-4.2.1-3.26.1
SUSE OpenStack Cloud 8 (src): python-Pillow-4.2.1-3.26.1
SUSE OpenStack Cloud Crowbar 8 (src): python-Pillow-4.2.1-3.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-02-09 12:30:03 UTC 
SUSE-SU-2024:0439-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1219048
CVE References: CVE-2023-50447
Sources used:
SUSE OpenStack Cloud 9 (src): python-Pillow-5.2.0-3.23.1
SUSE OpenStack Cloud Crowbar 9 (src): python-Pillow-5.2.0-3.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Daniel Garcia 2024-05-13 08:03:52 UTC 
As far as I can tell, openSUSE:Backports:SLE-15-SP4 is not under maintenance.
Comment 19 OBSbugzilla Bot 2024-05-13 08:55:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1219048) was mentioned in
https://build.opensuse.org/request/show/1173597 Backports:SLE-15-SP5 / python-Pillow
Comment 20 Marcus Meissner 2024-05-13 19:04:55 UTC 
openSUSE-SU-2024:0125-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1219048
CVE References: CVE-2023-50447
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    python-Pillow-8.4.0-bp155.3.3.1