Bugzilla – Bug 1219048
VUL-0: CVE-2023-50447: python-Pillow: Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter
Last modified: 2024-05-30 14:33:02 UTC
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-50447 https://devhub.checkmarx.com/cve-details/CVE-2023-50447/ https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/ https://github.com/python-pillow/Pillow/releases https://www.cve.org/CVERecord?id=CVE-2023-50447 https://seclists.org/oss-sec/2024/q1/36 http://www.openwall.com/lists/oss-security/2024/01/20/1
This is an autogenerated message for OBS integration: This bug (1219048) was mentioned in https://build.opensuse.org/request/show/1140356 Factory / python-Pillow
SUSE-SU-2024:0185-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1219048 CVE References: CVE-2023-50447 Sources used: openSUSE Leap 15.3 (src): python-Pillow-7.2.0-150300.3.6.1 openSUSE Leap 15.5 (src): python-Pillow-7.2.0-150300.3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0205-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1219048 CVE References: CVE-2023-50447 Sources used: openSUSE Leap 15.4 (src): python-Pillow-9.5.0-150400.5.9.1 openSUSE Leap 15.5 (src): python-Pillow-9.5.0-150400.5.9.1 Python 3 Module 15-SP5 (src): python-Pillow-9.5.0-150400.5.9.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python-Pillow-9.5.0-150400.5.9.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python-Pillow-9.5.0-150400.5.9.1 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python-Pillow-9.5.0-150400.5.9.1 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python-Pillow-9.5.0-150400.5.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python-Pillow-9.5.0-150400.5.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0290-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1194521, 1219048 CVE References: CVE-2022-22817, CVE-2023-50447 Sources used: HPE Helion OpenStack 8 (src): python-Pillow-4.2.1-3.26.1 SUSE OpenStack Cloud 8 (src): python-Pillow-4.2.1-3.26.1 SUSE OpenStack Cloud Crowbar 8 (src): python-Pillow-4.2.1-3.26.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0439-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1219048 CVE References: CVE-2023-50447 Sources used: SUSE OpenStack Cloud 9 (src): python-Pillow-5.2.0-3.23.1 SUSE OpenStack Cloud Crowbar 9 (src): python-Pillow-5.2.0-3.23.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
As far as I can tell, openSUSE:Backports:SLE-15-SP4 is not under maintenance.
This is an autogenerated message for OBS integration: This bug (1219048) was mentioned in https://build.opensuse.org/request/show/1173597 Backports:SLE-15-SP5 / python-Pillow
openSUSE-SU-2024:0125-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1219048 CVE References: CVE-2023-50447 JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): python-Pillow-8.4.0-bp155.3.3.1