Source: pillow Version: 10.1.0-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for pillow. CVE-2023-50447[0]: | Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code | Execution via the environment parameter, a different vulnerability | than CVE-2022-22817 (which was about the expression parameter). If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-50447 https://www.cve.org/CVERecord?id=CVE-2023-50447 [1] https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/ [2] https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html#imagemath-eval-restricted-environment-keys Please adjust the affected versions in the BTS as needed. Regards, Salvatore