Bugzilla – Bug 1195766
VUL-0: CVE-2022-24303: python-Pillow: temporary directory with a space character allows removal of unrelated file after im.show() and related actions
Last modified: 2023-01-18 15:25:15 UTC
rh#2052682 If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file. This has been present since PIL.
Reference: https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html
References: https://bugzilla.redhat.com/show_bug.cgi?id=2052682 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24303
Affected:
- openSUSE:Backports:SLE-15-SP3
- openSUSE:Backports:SLE-15-SP4
Fix PR: https://github.com/python-pillow/Pillow/pull/6010
Note that the upstream patch gets applied to several classes that inherit from UnixViewer, but in the affected versions we ship it should be applied directly to UnixViewer.
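As an added illustration of the bug described in this report (this is demo code written here, not Pillow's own viewer code and not the patch from PR 6010), the script below builds an `rm -f <path>` cleanup command from a temp-file path the way a format string would, once unquoted and once passed through shlex.quote(), and reports which files actually disappeared. The directory and file names are constructed for the demo and it assumes a POSIX shell with `rm` available.

```python
import os
import shlex
import shutil
import subprocess
import tempfile


def remove_via_shell(path, quote):
    """Run `rm -f <path>` through the shell, as a viewer cleanup command
    built from a format string would; quote=True applies shlex.quote()."""
    arg = shlex.quote(path) if quote else path
    # Constructed demo command; a subprocess argument list without shell=True
    # would avoid the quoting problem entirely.
    subprocess.run(f"rm -f {arg}", shell=True, check=False,
                   stderr=subprocess.DEVNULL)


def run_scenario(quote):
    """Create a temp dir whose name contains a space, put the 'image' in it,
    and place an unrelated file at the path the first shell word resolves to.
    Returns which of the two files were removed by the cleanup command."""
    base = tempfile.mkdtemp()
    try:
        spaced = os.path.join(base, "tmp dir")      # space in the path on purpose
        os.mkdir(spaced)
        target = os.path.join(spaced, "image.png")   # the file that should be removed
        unrelated = os.path.join(base, "tmp")        # first word of the unquoted path
        for p in (target, unrelated):
            with open(p, "w") as f:
                f.write("constructed sample file\n")
        remove_via_shell(target, quote)
        return {
            "target_removed": not os.path.exists(target),
            "unrelated_removed": not os.path.exists(unrelated),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print("unquoted:", run_scenario(quote=False))
    print("quoted:  ", run_scenario(quote=True))
```

With the unquoted command the shell splits the path at the space, so the temporary image survives and the unrelated file is deleted; with the quoted path only the intended file is removed.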
Submitting new version from openSUSE:Factory
```
osc mr -m "bsc#1195766" openSUSE:Factory python-Pillow openSUSE:Backports:SLE-15-SP3
osc sr -m "bsc#1195766" openSUSE:Factory python-Pillow openSUSE:Backports:SLE-15-SP4
```
-> https://build.opensuse.org/request/show/953150
https://build.opensuse.org/request/show/953145
Moving bug to PUBLIC SLES Product. I see that we inherit python-pillow from python-Pillow and had it forked. But since it's a SLE package we should really update it in SLES first.
https://build.opensuse.org/package/show/openSUSE:Backports:SLE-15-SP4:Staging:adi:14/python-Pillow is unresolvable due to relying on python3.7, but we only have python3.6 in SLE (backports). I could not find out who the package maintainer for python-Pillow in SLE is, so I don't know how or who would be able to fix that. lkocman@suse.com on behalf of sle-release-coord@suse.de, are you able to help?
Never went in due to build issues in both SP3 and SP4.