https://bugzilla.redhat.com/show_bug.cgi?id=2042522
Bug ID: 2042522
Summary: CVE-2022-22816 python-pillow: buffer over-read during initialization of ImagePath.Path in path_getbbox() in path.c
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: bdettelb(a)redhat.com, cstratak(a)redhat.com,
epel-packagers-sig(a)lists.fedoraproject.org,
infra-sig(a)lists.fedoraproject.org,
manisandro(a)gmail.com, miminar(a)redhat.com,
orion(a)nwra.com, python-maint(a)redhat.com,
python-sig(a)lists.fedoraproject.org, torsava(a)redhat.com
Target Milestone: ---
Classification: Other
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during
initialization of ImagePath.Path.
References:
https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1da…
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-image…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2042522
https://bugzilla.redhat.com/show_bug.cgi?id=2059360
Bug ID: 2059360
Summary: yarnpkg for fedora 35 installs binary '/usr/bin/%{fc_name}'
Product: Fedora
Version: 35
Status: NEW
Component: yarnpkg
Assignee: zsvetlik(a)redhat.com
Reporter: martin.kuehl(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
ngompa13(a)gmail.com, zsvetlik(a)redhat.com
Target Milestone: ---
Classification: Fedora
Description of problem:
The current yarnpkg rpm installs a binary at the path '/usr/bin/%{fc_name}'.
This is also visible at:
https://packages.fedoraproject.org/pkgs/yarnpkg/yarnpkg/fedora-35.html#files
Version-Release number of selected component (if applicable):
yarnpkg-1.22.10-3.fc35
How reproducible:
always
Steps to Reproduce:
1. dnf repoquery --list yarnpkg | grep /usr/bin
or look at
https://packages.fedoraproject.org/pkgs/yarnpkg/yarnpkg/fedora-35.html#files
Actual results:
/usr/bin/%{fc_name}
/usr/bin/yarn
/usr/bin/yarnpkg
Expected results:
judging by the package for fedora 36:
/usr/bin/nodejs-yarn
/usr/bin/yarn
/usr/bin/yarnpkg
Additional info:
If I remember correctly that's rpm spec template syntax, so there might be some
stray escaping or something?
It's also apparently fixed for f36, so backporting that package would be just
fine.
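The file list in the report above shows the kind of defect a packager can catch before a build ships: a path that still contains an unexpanded RPM macro. The following shell lint is an added example, not code from the bug report or from the yarnpkg package. It reads a file list one path per line (for instance the output of `dnf repoquery --list <pkg>` from the reproduction step) and reports any path containing a `%{name}` or bare `%name` token; the sample file list is constructed here, and the `%name` entry is invented to show the bare form is caught too.

```shell
#!/bin/sh
# Added example, not code from the bug report or the yarnpkg package:
# a small lint that reads an RPM file list (one path per line, e.g. the
# output of `dnf repoquery --list <pkg>`) and reports paths that still
# contain an unexpanded RPM macro such as %{fc_name} or %name.

# Print each offending path once; return 1 if any were found, 0 otherwise.
find_unexpanded_macros() {
    # Match %{name} style and bare %name style. A literal '%' in a packaged
    # path is rare enough that any match deserves a human look.
    found=$(grep -E '%([{][^}]*[}]|[A-Za-z_][A-Za-z0-9_]*)' | sort -u)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Convenience wrapper: check a file list passed as a single string.
check_filelist() {
    printf '%s\n' "$1" | find_unexpanded_macros
}

# Constructed sample modelled on the "Actual results" in the report
# (the %name entry is invented to exercise the bare-macro form).
SAMPLE_FILELIST='/usr/bin/%{fc_name}
/usr/bin/yarn
/usr/bin/yarnpkg
/usr/share/doc/%name/README'

# Demo when run directly: prints the two bad paths and reports failure.
if check_filelist "$SAMPLE_FILELIST"; then
    echo "ok: no unexpanded macros"
else
    echo "FAIL: unexpanded RPM macros in file list"
fi
```

In a packaging CI job the same function can gate a build with `dnf repoquery --list yarnpkg | find_unexpanded_macros`, since a non-zero return marks the package as shipping a macro name instead of a real path.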