Bug 1195766 - (CVE-2022-24303) VUL-0: CVE-2022-24303: python-Pillow: temporary directory with a space character allows removal of unrelated file after im.show() and related actions
Classification: openSUSE
Product: PUBLIC SUSE Linux Enterprise Server 15 SP4
Component: Security
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Lubos Kocman
QA Contact: Security Team bot
Reported: 2022-02-10 10:04 UTC by Carlos López
Modified: 2023-01-18 15:25 UTC (History)

Found By: Security Response Team


Description Carlos López 2022-02-10 10:04:13 UTC

If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file. This has been present since PIL.
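
The mechanism behind the description, shown as an added illustration that is not Pillow's code nor the upstream patch: a hypothetical show-and-remove helper splices a temporary file path into a shell command, once unquoted and once quoted with shlex.quote. A simulation builds a constructed temp directory named "my dir" plus a decoy file "my" next to it and reports which file rm actually removed. It assumes a POSIX /bin/sh; `true` stands in for the image viewer so it runs headless.

```python
import os
import shlex
import subprocess
import tempfile


def build_show_and_remove(path, quote_path):
    """Build the '(viewer FILE; rm -f FILE)' shell string a viewer helper might run.

    `true` stands in for the image viewer so the example runs headless; the
    interesting part is whether FILE is quoted before being spliced into the
    shell command. (Hypothetical helper, not Pillow's code.)
    """
    shell_path = shlex.quote(path) if quote_path else path
    return f"(true {shell_path}; rm -f {shell_path})"


def simulate(quote_path):
    """Create 'base/my dir/image.png' and a decoy 'base/my' that nothing should touch,
    run the show-and-remove command, and report (decoy_survived, image_removed).

    Without quoting, `rm -f base/my dir/image.png` word-splits into two operands:
    'base/my' (the decoy, deleted) and 'dir/image.png' (nonexistent, silenced by -f),
    so an unrelated file disappears and the temporary image is left behind.
    """
    with tempfile.TemporaryDirectory() as base:
        tmpdir = os.path.join(base, "my dir")  # constructed temp dir containing a space
        os.mkdir(tmpdir)
        image = os.path.join(tmpdir, "image.png")
        decoy = os.path.join(base, "my")
        for p in (image, decoy):
            with open(p, "wb") as f:
                f.write(b"constructed sample bytes")
        subprocess.run(
            build_show_and_remove(image, quote_path),
            shell=True,   # assumes a POSIX /bin/sh
            cwd=base,
            check=False,  # rm -f hides missing operands; we inspect the filesystem instead
        )
        return os.path.exists(decoy), not os.path.exists(image)


if __name__ == "__main__":
    print("unquoted (decoy survived, image removed):", simulate(quote_path=False))
    print("quoted   (decoy survived, image removed):", simulate(quote_path=True))
```

The unquoted run deletes the decoy and leaves the temporary image in place, which is exactly the two symptoms the description lists; quoting the path (or avoiding the shell entirely and calling os.remove from Python) makes rm see a single operand.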


Comment 1 Carlos López 2022-02-10 10:14:24 UTC
 - openSUSE:Backports:SLE-15-SP3
 - openSUSE:Backports:SLE-15-SP4

Fix PR:

Note that the upstream patch gets applied to several classes that inherit from UnixViewer, but in the affected versions we ship it should be applied directly to UnixViewer.
Comment 2 Oliver Kurz 2022-02-10 11:33:55 UTC
Submitting new version from openSUSE:Factory

osc mr -m "bsc#1195766" openSUSE:Factory python-Pillow openSUSE:Backports:SLE-15-SP3
osc sr -m "bsc#1195766" openSUSE:Factory python-Pillow openSUSE:Backports:SLE-15-SP4


Comment 3 Lubos Kocman 2022-02-18 12:30:45 UTC
Moving bug to PUBLIC SLES product. I see that we inherit python-pillow from python-Pillow and had it forked. But since it's a SLE package we should really update it in SLES first.
Comment 4 Oliver Kurz 2022-03-23 13:53:47 UTC
https://build.opensuse.org/package/show/openSUSE:Backports:SLE-15-SP4:Staging:adi:14/python-Pillow is unresolvable due to relying on python3.7 but we only have python3.6 in SLE (backports). I could not find out who is the package maintainer for python-Pillow in SLE so I don't know how or who would be able to fix that. lkocman@suse.com on behalf of sle-release-coord@suse.de are you able to help?
Comment 5 Marcus Meissner 2023-01-18 15:25:04 UTC
Never went in due to build issues in both SP3 and SP4.