https://bugzilla.redhat.com/show_bug.cgi?id=2052682
Bug ID: 2052682
Summary: CVE-2022-24303 python-pillow: temporary directory with a space character allows removal of unrelated file after im.show() and related action
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: bdettelb@redhat.com, cstratak@redhat.com, epel-packagers-sig@lists.fedoraproject.org, infra-sig@lists.fedoraproject.org, manisandro@gmail.com, miminar@redhat.com, orion@nwra.com, python-maint@redhat.com, python-sig@lists.fedoraproject.org, torsava@redhat.com
Target Milestone: ---
Classification: Other
If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file. This has been present since PIL.
Reference: https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html
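The following is an added demonstration of the defect class described above; it is not Pillow's code and not part of this bug report. It assumes (from memory of the unfixed Pillow 9.0.0 UnixViewer.show_file, to be checked against the upstream commit linked later in this bug) that the cleanup was a shell snippet of the shape `im=$(cat); <viewer> $im; rm -f $im` with `$im` unquoted. The snippet strings, the "tmp dir" layout and the file names below are constructed for the example; `true` stands in for the image viewer.

```python
import os
import subprocess
import tempfile

# Added example, not Pillow's code. POSIX word splitting turns an unquoted
# $im holding "/x/tmp dir/tmpabc123.png" into the two words "/x/tmp" and
# "dir/tmpabc123.png", so "rm -f $im" deletes the wrong path and leaves the
# real temporary image behind. Quoting the expansion keeps it one word.

# Stand-in for the viewer: "true" accepts any arguments and does nothing.
VULNERABLE_SNIPPET = "im=$(cat); true $im; rm -f $im"       # assumed unfixed shape
HARDENED_SNIPPET = 'im=$(cat); true "$im"; rm -f "$im"'     # quoted expansion


def simulate_cleanup(snippet: str) -> dict:
    """Run the cleanup snippet against a temp dir whose path contains a space.

    Returns which files still exist afterwards:
      image_exists      - the temporary image the snippet was meant to delete
      unrelated_exists  - a sibling file whose name equals the first word of
                          the split path (the "unrelated file" of the advisory)
    Everything happens inside a throwaway directory, so nothing outside it
    can be touched.
    """
    with tempfile.TemporaryDirectory() as base:
        tmpdir = os.path.join(base, "tmp dir")  # the space is the trigger
        os.mkdir(tmpdir)
        image = os.path.join(tmpdir, "tmpabc123.png")
        unrelated = os.path.join(base, "tmp")  # == first word of `image`
        for path in (image, unrelated):
            with open(path, "w") as f:
                f.write("constructed sample file\n")

        # As in the viewer code, the path arrives on the shell's stdin.
        # cwd=base keeps the relative second word ("dir/tmpabc123.png")
        # inside the scratch directory as well.
        subprocess.run(
            ["sh", "-c", snippet],
            input=image,
            text=True,
            cwd=base,
            check=False,
        )
        return {
            "image_exists": os.path.exists(image),
            "unrelated_exists": os.path.exists(unrelated),
        }


if __name__ == "__main__":
    print("vulnerable:", simulate_cleanup(VULNERABLE_SNIPPET))
    print("hardened:  ", simulate_cleanup(HARDENED_SNIPPET))
```

With the unquoted snippet the unrelated sibling file is removed and the temporary image survives; with the quoted one only the temporary image is removed. The shell is only needed here because the removal must run after a background viewer exits; where that constraint does not apply, deleting from Python with os.remove() avoids shell quoting altogether.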
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |2052685, 2052684, 2052683
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2052683
[Bug 2052683] CVE-2022-24303 mingw-python-pillow: python-pillow: temporary directory with a space character allows removal of unrelated file after im.show() and related action [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2052684
[Bug 2052684] CVE-2022-24303 python-pillow: temporary directory with a space character allows removal of unrelated file after im.show() and related action [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2052685
[Bug 2052685] CVE-2022-24303 python3-pillow: python-pillow: temporary directory with a space character allows removal of unrelated file after im.show() and related action [epel-7]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created mingw-python-pillow tracking bugs for this issue:
Affects: fedora-all [bug 2052683]
Created python-pillow tracking bugs for this issue:
Affects: fedora-all [bug 2052684]
Created python3-pillow tracking bugs for this issue:
Affects: epel-7 [bug 2052685]
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What    |Removed                                    |Added
----------------------------------------------------------------------------
Summary |CVE-2022-24303 python-pillow: temporary    |CVE-2022-24303 python-pillow: temporary
        |directory with a space character allows    |directory with a space character allows
        |removal of unrelated file after im.show()  |removal of unrelated file after im.show()
        |and related action                         |and related actions
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |2052688
--- Doc Text *updated* by Sandipan Roy saroy@redhat.com --- A flaw was found in python-pillow. The vulnerability occurs due to a non-validated remove operation, leading to improper input validation. This flaw allows an attacker to use externally influenced input commands that modify or remove the intended command.
Sandipan Roy saroy@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |2053489
Bug 2052682 depends on bug 2052684, which changed state.
Bug 2052684 Summary: CVE-2022-24303 python-pillow: temporary directory with a space character allows removal of unrelated file after im.show() and related actions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2052684
What       |Removed  |Added
----------------------------------------------------------------------------
Status     |MODIFIED |CLOSED
Resolution |---      |ERRATA
--- Comment #5 from Sandro Mani manisandro@gmail.com --- Upstream commit https://github.com/python-pillow/Pillow/commit/427221ef5f19157001bf8b1ad7cfe...
Bug 2052682 depends on bug 2052683, which changed state.
Bug 2052683 Summary: CVE-2022-24303 mingw-python-pillow: python-pillow: temporary directory with a space character allows removal of unrelated file after im.show() and related actions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2052683
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
Lumír Balhar lbalhar@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |lbalhar@redhat.com
--- Comment #7 from Lumír Balhar lbalhar@redhat.com --- For reproducer see https://bugzilla.redhat.com/show_bug.cgi?id=2053489#c1 and https://bugzilla.redhat.com/show_bug.cgi?id=2053489#c2