2052682 – (CVE-2022-24303) CVE-2022-24303 python-pillow: temporary directory with a space character allows removal of unrelated file after im.show() and related actions

Bug 2052682 (CVE-2022-24303) - CVE-2022-24303 python-pillow: temporary directory with a space character allows removal of unrelated file after im.show() and related actions

Summary: CVE-2022-24303 python-pillow: temporary directory with a space character allo...

Keywords:
Status:	NEW
Alias:	CVE-2022-24303
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2052685 2052683 2052684 2053489
Blocks:	2052688
TreeView+	depends on / blocked

Reported:	2022-02-09 19:06 UTC by Guilherme de Almeida Suckevicz
Modified:	2022-11-23 04:56 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in python-pillow. The vulnerability occurs due to the not validated remove operation, leading to Improper input validation. This flaw allows an attacker to externally-influenced input commands that modify or remove the intended command.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2022-02-09 19:06:02 UTC

If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file. This been present since PIL.

Reference:
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html

Comment 1 Guilherme de Almeida Suckevicz 2022-02-09 19:06:26 UTC

Created mingw-python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 2052683]


Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 2052684]


Created python3-pillow tracking bugs for this issue:

Affects: epel-7 [bug 2052685]

Comment 5 Sandro Mani 2022-03-28 19:00:38 UTC

Upstream commit https://github.com/python-pillow/Pillow/commit/427221ef5f19157001bf8b1ad7cfe0b905ca8c26

Comment 7 Lumír Balhar 2022-07-22 09:24:32 UTC

For reproducer see https://bugzilla.redhat.com/show_bug.cgi?id=2053489#c1 and https://bugzilla.redhat.com/show_bug.cgi?id=2053489#c2

Note You need to log in before you can comment on or make changes to this bug.