pillow: CVE-2023-50447

Related Vulnerabilities: CVE-2023-50447   CVE-2022-22817  

Debian Bug report logs - #1061172
pillow: CVE-2023-50447


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 20 Jan 2024 09:00:02 UTC

Severity: grave

Tags: security, upstream

Found in version pillow/10.1.0-1

Fixed in version pillow/10.2.0-1

Done: Matthias Klose <doko@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Matthias Klose <doko@debian.org>:
Bug#1061172; Package src:pillow. (Sat, 20 Jan 2024 09:00:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Matthias Klose <doko@debian.org>. (Sat, 20 Jan 2024 09:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pillow: CVE-2023-50447
Date: Sat, 20 Jan 2024 09:56:26 +0100
Source: pillow
Version: 10.1.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for pillow.

CVE-2023-50447[0]:
| Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code
| Execution via the environment parameter, a different vulnerability
| than CVE-2022-22817 (which was about the expression parameter).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50447
    https://www.cve.org/CVERecord?id=CVE-2023-50447
[1] https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/
[2] https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html#imagemath-eval-restricted-environment-keys

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
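The advisory above describes the bug class only in one sentence: a caller-supplied `environment` dictionary reaches an `eval()`-style API, and the Pillow 10.2.0 release notes linked as [2] describe the fix as restricting which environment keys are accepted. The following is an added example, not Pillow's own code and not part of this bug report: it implements the shape of that restriction as a stand-alone check (reject keys containing `__` and keys that shadow Python builtins, plus an optional allowlist on value types) and adds a small helper that classifies a version string against the "through 10.1.0 affected, 10.2.0 fixed" range the report states. All function names, the `FIXED_IN` constant and the sample dictionaries are constructed for this example.

```python
"""Defensive checks around the CVE-2023-50447 class of bug.

Added example (not Pillow's code).  It mirrors the restriction the Pillow
10.2.0 release notes describe for ImageMath.eval environment keys and adds
a version classifier for the affected range stated in the bug report.
Function names, FIXED_IN and the sample environments are constructed here.
"""
import builtins
import re

FIXED_IN = (10, 2, 0)  # first upstream release with the restricted keys


def check_environment_keys(env):
    """Return the keys of ``env`` that an eval()-style wrapper must refuse.

    Dunder keys such as ``__builtins__`` would replace the namespace the
    evaluated expression sees; keys that shadow builtins (``exec``,
    ``eval``, ``open``) would let a caller bind arbitrary callables under an
    innocent-looking name.  Non-string keys are refused outright.
    """
    rejected = []
    for key in env:
        if not isinstance(key, str):
            rejected.append(key)
        elif "__" in key or hasattr(builtins, key):
            rejected.append(key)
    return rejected


def safe_environment(env, allowed_value_types=(int, float)):
    """Validate ``env`` and return a copy of it, or raise ValueError.

    On top of the key denylist above this applies a stricter allowlist on
    the values (numbers by default; a caller working with images would add
    its image type), which is the check any wrapper around an eval()-style
    API should apply to caller-supplied namespaces.
    """
    bad_keys = check_environment_keys(env)
    if bad_keys:
        raise ValueError(f"environment keys not allowed: {[str(k) for k in bad_keys]}")
    bad_values = [k for k, v in env.items() if not isinstance(v, allowed_value_types)]
    if bad_values:
        raise ValueError(f"environment values of unexpected type: {bad_values}")
    return dict(env)


def pillow_version_affected(version):
    """True if ``version`` ("10.1.0", "10.2.0-1", "9.5.0+dfsg", ...) names an
    upstream release older than FIXED_IN.  Debian revision and dfsg suffixes
    are ignored because the fix is an upstream release, not a Debian patch."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parsed = tuple(int(x) if x is not None else 0 for x in m.groups())
    return parsed < FIXED_IN


if __name__ == "__main__":
    # Constructed samples: a benign environment and one carrying keys that
    # the check must reject.
    benign = {"a": 3, "b": 4}
    untrusted = {"a": 3, "__builtins__": {}, "exec": None}
    print(check_environment_keys(benign))     # []
    print(check_environment_keys(untrusted))  # ['__builtins__', 'exec']
    for v in ("10.1.0-1", "10.2.0-1"):
        print(v, "affected" if pillow_version_affected(v) else "fixed")
```

The denylist alone is what the release notes describe; the value-type allowlist in `safe_environment` is the stricter design a wrapper should prefer when it controls the call site, since it refuses anything it does not expect rather than only the names known to be dangerous.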



Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Sat, 20 Jan 2024 10:09:16 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 20 Jan 2024 10:09:16 GMT)


Message #10 received at 1061172-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1061172-close@bugs.debian.org
Subject: Bug#1061172: fixed in pillow 10.2.0-1
Date: Sat, 20 Jan 2024 10:05:22 +0000
Source: pillow
Source-Version: 10.2.0-1
Done: Matthias Klose <doko@debian.org>

We believe that the bug you reported is fixed in the latest version of
pillow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1061172@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated pillow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 20 Jan 2024 10:47:10 +0100
Source: pillow
Architecture: source
Version: 10.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Closes: 1061172
Changes:
 pillow (10.2.0-1) unstable; urgency=medium
 .
   * New upstream version. Addresses CVE-2023-50447. Closes: #1061172.
Checksums-Sha1:
 3ac2b27fb1144a5ff1d2911247db2a1b5aadc368 2320 pillow_10.2.0-1.dsc
 042f79b6367619eca2d68bec77491022cc3885e9 36611452 pillow_10.2.0.orig.tar.xz
 15038d05b4ad1519a9c4cb804cad482da5dfd387 16612 pillow_10.2.0-1.debian.tar.xz
 0b2f4e39ec182907c7fb626655a8e9370853c0de 9926 pillow_10.2.0-1_source.buildinfo
Checksums-Sha256:
 d8bcc5289fdf42dd97db0e9abcd2af6ee015dc09e89fd4c577edbbe0615ef646 2320 pillow_10.2.0-1.dsc
 e3f418659e7db75a9480d5c75ab887eea4c07c157a4b437215d03cf0c6ef658f 36611452 pillow_10.2.0.orig.tar.xz
 fc4759fe323f7d2942a526834690c3e7dc03b88fbd07ad8e30df3d5ce359441f 16612 pillow_10.2.0-1.debian.tar.xz
 3d1ded18fa2b1c09c6397d0a6ee17c26e6da13406be0face9a807fd18af1a681 9926 pillow_10.2.0-1_source.buildinfo
Files:
 f09f8920ab84491921c26b62749eb1f5 2320 python optional pillow_10.2.0-1.dsc
 7265311e9baf8be8154eb9a4a4c52b73 36611452 python optional pillow_10.2.0.orig.tar.xz
 0a210b475c86bff4d48dcd3bb093fc19 16612 python optional pillow_10.2.0-1.debian.tar.xz
 14ecc8413ca2e63ac4457f2e2538f32c 9926 python optional pillow_10.2.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCgAuFiEE1WVxuIqLuvFAv2PWvX6qYHePpvUFAmWrl4EQHGRva29AZGVi
aWFuLm9yZwAKCRC9fqpgd4+m9WkKD/wLcjOpWJXcMTbglYeixBqyH8MKDGrquIHW
QrS3yO6bhQRp/Ecq2YYdCb8QxWJhItLZkYJr/AJ+yOuVc5sbJKheZ+EgOOn1uWxA
LBvDJBtITrIzaoLlxSgo1zT5tteWwn1uP8MYslkqS09gc2CDi+9qE5+lhdTI1r1Q
zf/8qJZhhjCd3YCvYCkIeR/Fu7sVwO6zdQBoVkhjC27+RNuVBHvc3mGIHmjjwUZP
+1h4yJDDm42Z5ahvZeWA3yNntOEE89zwjv0kcSnkyn+FCXpbcTq2j11lnaLxaurX
X384oIVTXJ5SpSUQKvLVz1pTIEqOtj0JQpG55zJQXvu4VsB6krhviifhae9euWS0
UvXEOMAcPOY/HCym4cxw+VGOd54hxRyIxZrwlEbj5digTHlzwWMeQ4Ya8zpk59ff
OUp5EnjY6mS1UScHDEAXbEb2VJAnsSxHvtD4C2mHxka4AEM33ys9/SxiR6w26shl
tvwXJfmm1Qt6PSy9cFgjKtN/aY8dMLdxQ/zED9xpaz36Rjl32KeNFuEBGyA1AthW
xE/74XJI1BFAvrKkyf6977o67+8GTVadveSMk63sjG0X4u2AMicPjU5/v1rlZlL1
k1/0T+zpwaxIWrGfnjHQ5fNGyakP1nZ892NqA4w5NzAOAi/1vsc9NwagovVAXguI
6A1Qt8CALg==
=7iKQ
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jan 21 08:20:52 2024; Machine Name: buxtehude
