[GHSA-9j59-75qj-795w] Path traversal in Pillow #4122
Hi @sunSUNQ, I think these links may have been submitted in error. Version EDIT: I remembered our conversation in #4016 about commits that introduced vulnerable code. Are these the commits that introduced vulnerable code that led to GHSA-9j59-75qj-795w?

I apologize, this was an incorrect submission. The links I intended to submit are python-pillow/Pillow@1430321 and python-pillow/Pillow@10c4f75.

@sunSUNQ Thanks for the clarification! I read the release notes for 9.0.1 at https://github.com/python-pillow/Pillow/blob/e8ab5640774716c5486d3cb05167f74f742ad6ef/CHANGES.rst?plain=1#L1172 and checked python-pillow/Pillow#6010 to compare python-pillow/Pillow@1430321 and python-pillow/Pillow@10c4f75 to the commits in the PR, and they are consistent with two of the three commits in python-pillow/Pillow#6010. Thank you for taking the time to clarify your contribution!

Hi @sunSUNQ! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Updates
Comments
Add patch links related to CVE-2022-24303.