Bugzilla – Bug 1195766
VUL-0: CVE-2022-24303: python-Pillow: temporary directory with a space character allows removal of unrelated file after im.show() and related actions
Last modified: 2023-01-18 15:25:15 UTC
If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file. This has been present since PIL.
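Added illustration of the mechanism described above (example code, not Pillow's own): an unquoted temp-file path interpolated into a shell string is word-split by the shell, so the cleanup command receives path fragments instead of the file; two hardened forms sit beside it. The path is a constructed sample and nothing is created or removed.

```python
import shlex
from typing import List

# Constructed sample: a temporary directory whose path contains a space,
# the condition the bug report describes. No file is created or removed.
TMP_IMAGE = "/tmp/my dir/tmpab12cd.png"


def unquoted_cleanup_argv(path: str) -> List[str]:
    """Weak pattern: the path is interpolated into a shell command unquoted.
    shlex.split mirrors POSIX shell word splitting, so the returned list is
    what 'rm -f' would actually receive when the shell runs the string."""
    command = "rm -f %s" % path
    return shlex.split(command)


def quoted_cleanup_argv(path: str) -> List[str]:
    """Hardened form 1: shlex.quote turns the path into a single shell word,
    so spaces (and shell metacharacters) no longer split or expand."""
    command = "rm -f %s" % shlex.quote(path)
    return shlex.split(command)


def no_shell_cleanup_argv(path: str) -> List[str]:
    """Hardened form 2: build argv directly and run it without a shell
    (subprocess.run(argv)); no word splitting happens at all."""
    return ["rm", "-f", path]


def unintended_targets(path: str) -> List[str]:
    """Arguments the unquoted variant would hand to rm that are not the
    temp file itself; non-empty means an unrelated path could be removed."""
    return [word for word in unquoted_cleanup_argv(path)[2:] if word != path]
```
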
Note that the upstream patch gets applied to several classes that inherit from UnixViewer, but in the affected versions we ship it should be applied directly to UnixViewer.
Submitting new version from openSUSE:Factory
osc mr -m "bsc#1195766" openSUSE:Factory python-Pillow openSUSE:Backports:SLE-15-SP3
osc sr -m "bsc#1195766" openSUSE:Factory python-Pillow openSUSE:Backports:SLE-15-SP4
Moving bug to PUBLIC SLES Product. I see that we inherit python-pillow from python-Pillow and had it forked. But since it's a SLE package we should really update it in SLES first.
https://build.opensuse.org/package/show/openSUSE:Backports:SLE-15-SP4:Staging:adi:14/python-Pillow is unresolvable due to relying on python3.7 but we only have python3.6 in SLE (backports). I could not find out who is the package maintainer for python-Pillow in SLE so I don't know how or who would be able to fix that. firstname.lastname@example.org on behalf of email@example.com are you able to help?
Never went in due to build issues in both SP3 and SP4.