{"update": {"autokarma": false, "autotime": false, "stable_karma": 3, "stable_days": 7, "unstable_karma": -3, "require_bugs": true, "require_testcases": true, "display_name": "", "notes": "Backport fix for CVE-2023-50447.\n\n----\n\nUpdate patch for CVE-2023-44271", "type": "security", "status": "obsolete", "request": null, "severity": "high", "suggest": "unspecified", "locked": false, "pushed": true, "critpath": false, "critpath_groups": "", "close_bugs": true, "date_submitted": "2024-01-27 21:56:45", "date_modified": null, "date_approved": null, "date_testing": "2024-01-28 02:53:13", "date_stable": null, "alias": "FEDORA-2024-4ef97ebbfc", "test_gating_status": "ignored", "from_tag": null, "date_pushed": "2024-01-28 02:53:13", "meets_testing_requirements": true, "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-4ef97ebbfc", "title": "python-pillow-9.5.0-3.fc38", "version_hash": "b5a092e51d30aeee95b5bae8d48894b9c1de95d9", "release": {"name": "F38", "long_name": "Fedora 38", "version": "38", "id_prefix": "FEDORA", "branch": "f38", "dist_tag": "f38", "stable_tag": "f38-updates", "testing_tag": "f38-updates-testing", "candidate_tag": "f38-updates-candidate", "pending_signing_tag": "f38-signing-pending", "pending_testing_tag": "f38-updates-testing-pending", "pending_stable_tag": "f38-updates-pending", "override_tag": "f38-override", "mail_template": "fedora_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": false, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": "2024-05-21", "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "smani", "email": "manisandro@gmail.com", "id": 117, "avatar": "https://seccdn.libravatar.org/avatar/30146b3eb0f2f15ffe42bd8fcd8a1fef46a4ce6a2025fb7052caaa089ce2e0cd?s=24&d=retro", "openid": "smani.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "provenpackager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "mkdocs-sig"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by smani. ", "timestamp": "2024-01-27 21:56:46", "update_id": 581002, "user_id": 91, "id": 3365125, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'ignored'.", "timestamp": "2024-01-27 21:56:46", "update_id": 581002, "user_id": 91, "id": 3365126, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has obsoleted [python-pillow-9.5.0-2.fc38](https://bodhi.fedoraproject.org/updates/FEDORA-2023-13b03a90f9), and has inherited its bugs and notes.", "timestamp": "2024-01-27 21:56:47", "update_id": 581002, "user_id": 91, "id": 3365128, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2024-01-28 02:54:02", "update_id": 581002, "user_id": 91, "id": 3365280, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": -1, "karma_critpath": 0, "text": "The patch for CVE-2023-44271 is buggy as I mentioned earlier. The patch uses a function which is not backported as a part of the patch:\n\n```\nFile \"/usr/lib64/python3.11/site-packages/PIL/ImageFont.py\", line 483, in getsize\n    _string_length_check(text)\n    ^^^^^^^^^^^^^^^^^^^^\nNameError: name '_string_length_check' is not defined\n```", "timestamp": "2024-01-29 08:19:32", "update_id": 581002, "user_id": 2936, "id": 3366284, "bug_feedback": [{"karma": -1, "comment_id": 3366284, "bug_id": 2247821, "bug": {"bug_id": 2247821, "title": "CVE-2023-44271 python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument [fedora-all]", "security": true, "parent": false}}, {"karma": 1, "comment_id": 3366284, "bug_id": 2259480, "bug": {"bug_id": 2259480, "title": "TRIAGE CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter [fedora-all]", "security": true, "parent": false}}], "testcase_feedback": [], "user": {"name": "lbalhar", "email": "lbalhar@redhat.com", "id": 2936, "avatar": "https://seccdn.libravatar.org/avatar/789052d5e25db3b2c36725adeaa296f78df20334671edbb69ba42f419e1bfac4?s=24&d=retro", "openid": "lbalhar.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "realtime"}, {"name": "machine-learning-sig"}, {"name": "3d-printing-sig"}, {"name": "python-packagers-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.", "timestamp": "2024-01-29 08:19:32", "update_id": 581002, "user_id": 91, "id": 3366285, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "0 due other users comments", "timestamp": "2024-02-04 00:10:52", "update_id": 581002, "user_id": 124, "id": 3391459, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "filiperosset", "email": "rosset.filipe@gmail.com", "id": 124, "avatar": "https://seccdn.libravatar.org/avatar/f4394b8fb4c9a99c4b534dc724912fe75a5b87fe15048985ece8388c2441d0ca?s=24&d=retro", "openid": "filiperosset.id.fedoraproject.org", "groups": [{"name": "proventesters"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "trust admins"}, {"name": "signed_fpca"}, {"name": "fedora-contributor"}, {"name": "l10n"}, {"name": "cvsl10n"}, {"name": "ipausers"}, {"name": "fedora-br"}, {"name": "fedorabugs"}, {"name": "ambassadors"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update can be pushed to stable now if the maintainer wishes", "timestamp": "2024-02-04 02:54:25", "update_id": 581002, "user_id": 91, "id": 3391607, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'waiting'.", "timestamp": "2024-02-08 02:25:15", "update_id": 581002, "user_id": 91, "id": 3396739, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'ignored'.", "timestamp": "2024-02-08 05:46:53", "update_id": 581002, "user_id": 91, "id": 3397543, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'waiting'.", "timestamp": "2024-02-13 14:34:16", "update_id": 581002, "user_id": 91, "id": 3406936, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'ignored'.", "timestamp": "2024-02-13 16:34:08", "update_id": 581002, "user_id": 91, "id": 3406945, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'waiting'.", "timestamp": "2024-03-10 01:43:47", "update_id": 581002, "user_id": 91, "id": 3443921, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'ignored'.", "timestamp": "2024-03-10 03:41:18", "update_id": 581002, "user_id": 91, "id": 3444933, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": -1, "karma_critpath": 0, "text": "", "timestamp": "2024-03-29 04:07:23", "update_id": 581002, "user_id": 5881, "id": 3469952, "bug_feedback": [{"karma": 0, "comment_id": 3469952, "bug_id": 2247821, "bug": {"bug_id": 2247821, "title": "CVE-2023-44271 python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument [fedora-all]", "security": true, "parent": false}}, {"karma": 0, "comment_id": 3469952, "bug_id": 2259480, "bug": {"bug_id": 2259480, "title": "TRIAGE CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter [fedora-all]", "security": true, "parent": false}}], "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'waiting'.", "timestamp": "2024-05-15 23:07:25", "update_id": 581002, "user_id": 91, "id": 3525660, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'ignored'.", "timestamp": "2024-05-16 00:05:08", "update_id": 581002, "user_id": 91, "id": 3525757, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update is marked obsolete because the F38 release is archived.", "timestamp": "2024-05-21 16:32:12", "update_id": 581002, "user_id": 91, "id": 3532347, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "python-pillow-9.5.0-3.fc38", "signed": true, "release_id": 66, "type": "rpm", "epoch": 0}], "bugs": [{"bug_id": 2247821, "title": "CVE-2023-44271 python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument [fedora-all]", "security": true, "parent": false, "feedback": [{"karma": -1, "comment_id": 3289683, "bug_id": 2247821, "comment": {"karma": -1, "karma_critpath": 0, "text": "This update is broken. You are using function `_string_length_check` in the code but that function is not defined. Moreover, not all vulnerable methods are fixed.\n\nFor example, this code should raise an error:\n```\n>>> from PIL import ImageFont\n>>> loaded_font = ImageFont.truetype(\"./FreeMono.ttf\", 20, layout_engine=ImageFont.Layout.BASIC)\n>>> loaded_font.getlength(\"A\" * 1000001)\n12000012.0\n```\n\nAnd this one demonstrates the missing function:\n```\n>>> from PIL import ImageFont\n>>> loaded_font = ImageFont.truetype(\"./FreeMono.ttf\", 20, layout_engine=ImageFont.Layout.BASIC)\n>>> loaded_font.getsize(\"A\" * 1000001)\n<stdin>:1: DeprecationWarning: getsize is deprecated and will be removed in Pillow 10 (2023-07-01). Use getbbox or getlength instead.\nTraceback (most recent call last):\n  File \"<stdin>\", line 1, in <module>\n  File \"/usr/lib64/python3.11/site-packages/PIL/ImageFont.py\", line 483, in getsize\n    _string_length_check(text)\n    ^^^^^^^^^^^^^^^^^^^^\nNameError: name '_string_length_check' is not defined\n```", "timestamp": "2023-11-22 09:03:22", "update_id": 565737, "user_id": 2936, "id": 3289683, "testcase_feedback": [], "user": {"name": "lbalhar", "email": "lbalhar@redhat.com", "id": 2936, "avatar": "https://seccdn.libravatar.org/avatar/789052d5e25db3b2c36725adeaa296f78df20334671edbb69ba42f419e1bfac4?s=24&d=retro", "openid": "lbalhar.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "realtime"}, {"name": "machine-learning-sig"}, {"name": "3d-printing-sig"}, {"name": "python-packagers-sig"}]}}}, {"karma": -1, "comment_id": 3276859, "bug_id": 2247821, "comment": {"karma": 0, "karma_critpath": 0, "text": "Unfortunately, the patch bacported from upstream from version 10 to fix the CVE-2023-44271 is not enough for version 9.5 we have in Fedora 38. The problem is that classes in ImageFont module have also `getsize` method which is deprecated in version 9 and removed in version 10 which means that the fix in version 10 is not applied to these methods and they stay vulnerable in this update.", "timestamp": "2023-11-10 13:59:04", "update_id": 561869, "user_id": 2936, "id": 3276859, "testcase_feedback": [], "user": {"name": "lbalhar", "email": "lbalhar@redhat.com", "id": 2936, "avatar": "https://seccdn.libravatar.org/avatar/789052d5e25db3b2c36725adeaa296f78df20334671edbb69ba42f419e1bfac4?s=24&d=retro", "openid": "lbalhar.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "realtime"}, {"name": "machine-learning-sig"}, {"name": "3d-printing-sig"}, {"name": "python-packagers-sig"}]}}}, {"karma": -1, "comment_id": 3366284, "bug_id": 2247821, "comment": {"karma": -1, "karma_critpath": 0, "text": "The patch for CVE-2023-44271 is buggy as I mentioned earlier. The patch uses a function which is not backported as a part of the patch:\n\n```\nFile \"/usr/lib64/python3.11/site-packages/PIL/ImageFont.py\", line 483, in getsize\n    _string_length_check(text)\n    ^^^^^^^^^^^^^^^^^^^^\nNameError: name '_string_length_check' is not defined\n```", "timestamp": "2024-01-29 08:19:32", "update_id": 581002, "user_id": 2936, "id": 3366284, "testcase_feedback": [], "user": {"name": "lbalhar", "email": "lbalhar@redhat.com", "id": 2936, "avatar": "https://seccdn.libravatar.org/avatar/789052d5e25db3b2c36725adeaa296f78df20334671edbb69ba42f419e1bfac4?s=24&d=retro", "openid": "lbalhar.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "realtime"}, {"name": "machine-learning-sig"}, {"name": "3d-printing-sig"}, {"name": "python-packagers-sig"}]}}}, {"karma": 0, "comment_id": 3469952, "bug_id": 2247821, "comment": {"karma": -1, "karma_critpath": 0, "text": "", "timestamp": "2024-03-29 04:07:23", "update_id": 581002, "user_id": 5881, "id": 3469952, "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}}]}, {"bug_id": 2259480, "title": "TRIAGE CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter [fedora-all]", "security": true, "parent": false, "feedback": [{"karma": 1, "comment_id": 3366284, "bug_id": 2259480, "comment": {"karma": -1, "karma_critpath": 0, "text": "The patch for CVE-2023-44271 is buggy as I mentioned earlier. The patch uses a function which is not backported as a part of the patch:\n\n```\nFile \"/usr/lib64/python3.11/site-packages/PIL/ImageFont.py\", line 483, in getsize\n    _string_length_check(text)\n    ^^^^^^^^^^^^^^^^^^^^\nNameError: name '_string_length_check' is not defined\n```", "timestamp": "2024-01-29 08:19:32", "update_id": 581002, "user_id": 2936, "id": 3366284, "testcase_feedback": [], "user": {"name": "lbalhar", "email": "lbalhar@redhat.com", "id": 2936, "avatar": "https://seccdn.libravatar.org/avatar/789052d5e25db3b2c36725adeaa296f78df20334671edbb69ba42f419e1bfac4?s=24&d=retro", "openid": "lbalhar.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "python-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "realtime"}, {"name": "machine-learning-sig"}, {"name": "3d-printing-sig"}, {"name": "python-packagers-sig"}]}}}, {"karma": 0, "comment_id": 3469952, "bug_id": 2259480, "comment": {"karma": -1, "karma_critpath": 0, "text": "", "timestamp": "2024-03-29 04:07:23", "update_id": 581002, "user_id": 5881, "id": 3469952, "testcase_feedback": [], "user": {"name": "geraldosimiao", "email": "geraldo.simiao.kutz@gmail.com", "id": 5881, "avatar": "https://seccdn.libravatar.org/avatar/03fa5b58e8ac78544bf41ad8ecf9ee1920f2ebedb86542c2f4cdf7ef15813168?s=24&d=retro", "openid": "geraldosimiao.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "fedora-br"}, {"name": "advocates"}, {"name": "respins-sig"}]}}}]}], "updateid": "FEDORA-2024-4ef97ebbfc", "karma": -2, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}