Your message dated Sat, 20 Jan 2024 10:05:22 +0000
with message-id <e1rr8e6-00ckxw...@fasolo.debian.org>
and subject line Bug#1061172: fixed in pillow 10.2.0-1
has caused the Debian Bug report #1061172,
regarding pillow: CVE-2023-50447
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1061172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061172
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pillow
Version: 10.1.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for pillow.

CVE-2023-50447[0]:
| Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code
| Execution via the environment parameter, a different vulnerability
| than CVE-2022-22817 (which was about the expression parameter).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50447
    https://www.cve.org/CVERecord?id=CVE-2023-50447
[1] https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/
[2] https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html#imagemath-eval-restricted-environment-keys

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
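The advisory above says the problem is the `environment` parameter of `PIL.ImageMath.eval` and that 10.2.0 fixes it by restricting environment keys. As an added, defender-side example (not code from Pillow, from the Debian package or from the bug reporter), the script below does two things an operator or application author can check on their own systems: it tells whether an installed Pillow version string is at or above the fixed upstream release named in the report, and it rejects environment names that the 10.2.0 release note describes as restricted before they ever reach `ImageMath.eval`. The exact upstream rule (no double underscores, no names that shadow Python builtins) is taken from that release note and is treated here as an assumption; the function names `pillow_version_is_fixed`, `is_safe_environment` and `guarded_image_math_eval` are this example's own.

```python
from __future__ import annotations

import builtins
from typing import Any, Mapping, Tuple

# Fixed upstream release named in the bug report (Debian ships it as 10.2.0-1).
FIXED_UPSTREAM_VERSION = "10.2.0"


def _version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '10.2.0' (or '10.2.0.post1') into a comparable tuple of ints.

    Only the leading numeric dotted components are used; anything after the
    first non-numeric component is ignored. Constructed helper for this example.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def pillow_version_is_fixed(installed: str, fixed: str = FIXED_UPSTREAM_VERSION) -> bool:
    """True when the installed Pillow version is >= the version that restricts keys."""
    return _version_tuple(installed) >= _version_tuple(fixed)


def check_environment_keys(env: Mapping[Any, Any]) -> None:
    """Raise ValueError for environment names that must not reach ImageMath.eval.

    Assumed rule, mirroring the 10.2.0 release note: a key may not contain '__'
    and may not shadow a Python builtin. A further identifier check is added here
    because ImageMath names are looked up as expression identifiers anyway.
    """
    for key in env:
        if not isinstance(key, str):
            raise ValueError(f"environment key {key!r} is not a string")
        if "__" in key:
            raise ValueError(f"environment key {key!r} contains '__'")
        if hasattr(builtins, key):
            raise ValueError(f"environment key {key!r} shadows a builtin")
        if not key.isidentifier():
            raise ValueError(f"environment key {key!r} is not an identifier")


def is_safe_environment(env: Mapping[Any, Any]) -> bool:
    """Boolean wrapper around check_environment_keys, convenient for assertions."""
    try:
        check_environment_keys(env)
    except ValueError:
        return False
    return True


def guarded_image_math_eval(expression: str, **env: Any) -> Any:
    """Validate the environment, then delegate to PIL.ImageMath.eval.

    Pillow is imported lazily so the validation helpers above stay usable
    (and testable) on a machine without Pillow installed.
    """
    check_environment_keys(env)
    try:
        from PIL import ImageMath  # real Pillow module; only needed here
    except ImportError as exc:  # pragma: no cover - depends on the host
        raise RuntimeError("Pillow is not installed") from exc
    return ImageMath.eval(expression, **env)


if __name__ == "__main__":
    # Constructed sample inputs: two versions and three candidate environments.
    for ver in ("10.1.0", "10.2.0"):
        print(ver, "fixed" if pillow_version_is_fixed(ver) else "VULNERABLE per CVE-2023-50447")
    for sample in ({"a": 1, "b": 2}, {"__class__": object}, {"min": 0}):
        print(sorted(sample), "accepted" if is_safe_environment(sample) else "rejected")
```

Running the script prints that 10.1.0 is below the fixed release and 10.2.0 is not, and that only the plain `{"a", "b"}` environment is accepted; the dunder name and the builtin-shadowing `min` are rejected before any evaluation takes place. For a deployed application the version check belongs in a dependency audit, while the key check is a belt-and-braces guard for code that builds the environment from external input.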
--- Begin Message ---
Source: pillow
Source-Version: 10.2.0-1
Done: Matthias Klose <d...@debian.org>

We believe that the bug you reported is fixed in the latest version of
pillow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1061...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <d...@debian.org> (supplier of updated pillow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 20 Jan 2024 10:47:10 +0100
Source: pillow
Architecture: source
Version: 10.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <d...@debian.org>
Changed-By: Matthias Klose <d...@debian.org>
Closes: 1061172
Changes:
 pillow (10.2.0-1) unstable; urgency=medium
 .
   * New upstream version. Addresses CVE-2023-50447. Closes: #1061172.
Checksums-Sha1:
 3ac2b27fb1144a5ff1d2911247db2a1b5aadc368 2320 pillow_10.2.0-1.dsc
 042f79b6367619eca2d68bec77491022cc3885e9 36611452 pillow_10.2.0.orig.tar.xz
 15038d05b4ad1519a9c4cb804cad482da5dfd387 16612 pillow_10.2.0-1.debian.tar.xz
 0b2f4e39ec182907c7fb626655a8e9370853c0de 9926 pillow_10.2.0-1_source.buildinfo
Checksums-Sha256:
 d8bcc5289fdf42dd97db0e9abcd2af6ee015dc09e89fd4c577edbbe0615ef646 2320 pillow_10.2.0-1.dsc
 e3f418659e7db75a9480d5c75ab887eea4c07c157a4b437215d03cf0c6ef658f 36611452 pillow_10.2.0.orig.tar.xz
 fc4759fe323f7d2942a526834690c3e7dc03b88fbd07ad8e30df3d5ce359441f 16612 pillow_10.2.0-1.debian.tar.xz
 3d1ded18fa2b1c09c6397d0a6ee17c26e6da13406be0face9a807fd18af1a681 9926 pillow_10.2.0-1_source.buildinfo
Files:
 f09f8920ab84491921c26b62749eb1f5 2320 python optional pillow_10.2.0-1.dsc
 7265311e9baf8be8154eb9a4a4c52b73 36611452 python optional pillow_10.2.0.orig.tar.xz
 0a210b475c86bff4d48dcd3bb093fc19 16612 python optional pillow_10.2.0-1.debian.tar.xz
 14ecc8413ca2e63ac4457f2e2538f32c 9926 python optional pillow_10.2.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
