{ "schema_version": "1.7.0", "id": "MGASA-2022-0166", "published": "2022-05-12T10:24:45Z", "modified": "2022-05-12T09:35:35Z", "summary": "Updated python-pillow packages fix security vulnerability", "details": "path_getbbox in path.c in Pillow before 9.0.0 improperly initializes\nImagePath.Path. (CVE-2022-22815)\npath_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read\nduring initialization of ImagePath.Path. (CVE-2022-22816)\nPIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary\nexpressions (CVE-2022-22817)\nPillow before 9.0.1 allows attackers to delete files because spaces in\ntemporary pathnames are mishandled. (CVE-2022-24303)\n", "upstream": [ "CVE-2022-22815", "CVE-2022-22816", "CVE-2022-22817", "CVE-2022-24303" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2022-0166.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=29887" }, { "type": "ADVISORY", "url": "https://ubuntu.com/security/notices/USN-5227-1" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5053" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CK3IGXU77EQTXZAYI2PTIAI4XLFS7AFP/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JR2LTB6KTUEU7YVPJ5MHA2GHOIL2JQQE/" } ], "affected": [ { "package": { "ecosystem": "Mageia:8", "name": "python-pillow", "purl": "pkg:rpm/mageia/python-pillow?arch=source&distro=mageia-8" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.1.0-1.mga8" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }