https://bugzilla.redhat.com/show_bug.cgi?id=2042527
Bug ID: 2042527
Summary: CVE-2022-22817 python-pillow: PIL.ImageMath.eval allows evaluation of arbitrary expressions
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: bdettelb@redhat.com, cstratak@redhat.com, epel-packagers-sig@lists.fedoraproject.org, infra-sig@lists.fedoraproject.org, manisandro@gmail.com, miminar@redhat.com, orion@nwra.com, python-maint@redhat.com, python-sig@lists.fedoraproject.org, torsava@redhat.com
Target Milestone: ---
Classification: Other
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.
Reference: https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-bui...
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What        |Removed |Added
------------|--------|--------------------------
Depends On  |        |2042530, 2042531, 2042528
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2042528
[Bug 2042528] CVE-2022-22817 mingw-python-pillow: python-pillow: PIL.ImageMath.eval allows evaluation of arbitrary expressions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2042530
[Bug 2042530] CVE-2022-22817 python-pillow: PIL.ImageMath.eval allows evaluation of arbitrary expressions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2042531
[Bug 2042531] CVE-2022-22817 python3-pillow: python-pillow: PIL.ImageMath.eval allows evaluation of arbitrary expressions [epel-7]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created mingw-python-pillow tracking bugs for this issue:
Affects: fedora-all [bug 2042528]
Created python-pillow tracking bugs for this issue:
Affects: fedora-all [bug 2042530]
Created python3-pillow tracking bugs for this issue:
Affects: epel-7 [bug 2042531]
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What        |Removed |Added
------------|--------|--------------------------
Blocks      |        |2042533
--- Comment #3 from Sandro Mani manisandro@gmail.com --- Fix: https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa...
Sandipan Roy saroy@redhat.com changed:
What              |Removed |Added
------------------|--------|--------------------------
Fixed In Version  |        |Pillow 9.0.0

--- Doc Text *updated* ---
A flaw was found in python-pillow. The vulnerability occurs due to Improper Neutralization, which can lead to a Command Injection. This flaw allows an attacker to supply externally influenced input commands that could modify the intended command.
Sandipan Roy saroy@redhat.com changed:
What        |Removed |Added
------------|--------|------------------------------------------------------
Depends On  |        |2048393, 2048389, 2048388, 2048392, 2048391, 2048390
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com ---
A flaw was found in python-pillow. The vulnerability occurs due to Improper Neutralization, leading to command injection. This flaw allows an attacker to supply externally influenced input commands that modify the intended command.
Bug 2042527 depends on bug 2042528, which changed state.

Bug 2042528 Summary: CVE-2022-22817 mingw-python-pillow: python-pillow: PIL.ImageMath.eval allows evaluation of arbitrary expressions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2042528

What        |Removed |Added
------------|--------|--------
Status      |ON_QA   |CLOSED
Resolution  |---     |ERRATA
Bug 2042527 depends on bug 2042530, which changed state.

Bug 2042530 Summary: CVE-2022-22817 python-pillow: PIL.ImageMath.eval allows evaluation of arbitrary expressions [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2042530

What        |Removed |Added
------------|--------|--------
Status      |ON_QA   |CLOSED
Resolution  |---     |ERRATA
Lumír Balhar lbalhar@redhat.com changed:
What        |Removed |Added
------------|--------|--------------------
CC          |        |lbalhar@redhat.com
--- Comment #6 from Lumír Balhar lbalhar@redhat.com --- It's very simple to reproduce and test this vulnerability:
```
from PIL.ImageMath import eval

# Fixed builds reject builtins other than "abs", so "round" raises ValueError.
try:
    eval("round(5.05)")
except ValueError:
    print("FIXED")
else:
    print("VULNERABLE")
```
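The fix linked in comment #3 closes the issue by allowlisting the names an expression may reference before it is evaluated. The following is an added, stand-alone sketch of that approach (constructed for this write-up, not Pillow's code): operands are plain numbers instead of images so it runs without Pillow, and the allowlist containing only "abs" is an assumption modelled on the 9.0.0 change.

```python
"""Sketch of name-allowlisting for an eval()-based expression engine.

Constructed illustration of the approach taken for CVE-2022-22817;
not Pillow's code. Operands are plain numbers so no Pillow is needed.
"""
import builtins

# Assumption: only this builtin is permitted besides the caller's operands.
ALLOWED_BUILTINS = {"abs": abs}


def unrestricted_eval(expression, **operands):
    """Pre-9.0.0 shape: any name the expression uses, Python resolves."""
    return builtins.eval(expression, {}, dict(operands))


def restricted_eval(expression, **operands):
    """Fixed shape: refuse names that are neither operands nor allowed.

    Compiling first exposes every global and attribute name the
    expression references (co_names) before anything runs, so even
    attribute walks such as ``a.__class__`` are rejected up front.
    """
    code = compile(expression, "<string>", "eval")
    for name in code.co_names:
        if name not in operands and name not in ALLOWED_BUILTINS:
            raise ValueError(f"'{name}' not allowed")
    # Replace __builtins__ so nothing outside the allowlist is reachable.
    return builtins.eval(
        code, {"__builtins__": dict(ALLOWED_BUILTINS)}, dict(operands)
    )


def probe(evaluator):
    """Same check as comment #6: a fixed evaluator refuses ``round``."""
    try:
        evaluator("round(5.05)")
    except ValueError:
        return "FIXED"
    return "VULNERABLE"


if __name__ == "__main__":
    print("unrestricted:", probe(unrestricted_eval))       # VULNERABLE
    print("restricted:  ", probe(restricted_eval))         # FIXED
    print(restricted_eval("abs(a - b) * 2", a=3, b=10))    # 14
```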
--- Comment #8 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2022:0609 https://access.redhat.com/errata/RHSA-2022:0609
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What        |Removed |Added
------------|--------|---------------------------------------
Link ID     |        |Red Hat Product Errata RHSA-2022:0609
--- Comment #9 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:0643 https://access.redhat.com/errata/RHSA-2022:0643
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What        |Removed |Added
------------|--------|---------------------------------------
Link ID     |        |Red Hat Product Errata RHSA-2022:0643
--- Comment #10 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
Via RHSA-2022:0669 https://access.redhat.com/errata/RHSA-2022:0669
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What        |Removed |Added
------------|--------|---------------------------------------
Link ID     |        |Red Hat Product Errata RHSA-2022:0669
--- Comment #11 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2022:0665 https://access.redhat.com/errata/RHSA-2022:0665
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What        |Removed |Added
------------|--------|---------------------------------------
Link ID     |        |Red Hat Product Errata RHSA-2022:0665
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2022:0667 https://access.redhat.com/errata/RHSA-2022:0667
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What        |Removed |Added
------------|--------|---------------------------------------
Link ID     |        |Red Hat Product Errata RHSA-2022:0667
--- Comment #13 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2022-22817
Product Security DevOps Team prodsec-dev@redhat.com changed:
What         |Removed |Added
-------------|--------|---------------------
Resolution   |---     |ERRATA
Status       |NEW     |CLOSED
Last Closed  |        |2022-03-03 00:21:31