{"id":"MGASA-2022-0166","summary":"Updated python-pillow packages fix security vulnerability","details":"path_getbbox in path.c in Pillow before 9.0.0 improperly initializes\nImagePath.Path. (CVE-2022-22815)\npath_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read\nduring initialization of ImagePath.Path. (CVE-2022-22816)\nPIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary\nexpressions (CVE-2022-22817)\nPillow before 9.0.1 allows attackers to delete files because spaces in\ntemporary pathnames are mishandled. (CVE-2022-24303)\n","modified":"2026-02-04T02:45:36.935623Z","published":"2022-05-12T10:24:45Z","related":["CVE-2022-22815","CVE-2022-22816","CVE-2022-22817","CVE-2022-24303"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0166.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29887"},{"type":"REPORT","url":"https://ubuntu.com/security/notices/USN-5227-1"},{"type":"REPORT","url":"https://www.debian.org/security/2022/dsa-5053"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CK3IGXU77EQTXZAYI2PTIAI4XLFS7AFP/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JR2LTB6KTUEU7YVPJ5MHA2GHOIL2JQQE/"}],"affected":[{"package":{"name":"python-pillow","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/python-pillow?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.1.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0166.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}