Pip audit reporting security vulnerability OSV-2022-715 #6687
Comments
My conclusion is that the security vulnerability was only detected intermittently. A later test didn't detect the vulnerability, so the automatic software marked it as fixed, believing that something we'd done in the meantime had resolved the matter. Since then, #6678 has merged a proper fix for this. We plan to release Pillow 9.3.0 with that fix very soon. Follow #6460 for updates.
Oh awesome, thanks!
Pillow 9.3.0 has now been released. This security problem is mentioned in the release notes at https://pillow.readthedocs.io/en/stable/releasenotes/9.3.0.html#decode-jpeg-compressed-blp1-data-in-original-mode
With

I get the same error as @emcek:

```
Name   Version ID           Fix Versions
------ ------- ------------ ------------
pillow 9.3.0   OSV-2022-715
```

```
pip freeze | grep Pillow
Pillow==9.3.0
```

Looks like oss-fuzz-vulns updated it to include Pillow 9.3.
I think it is just handling the fact that https://osv.dev/vulnerability/OSV-2022-715 states the problem affects Pillow > 9.*, so that automatically includes any new releases we create. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50217 already thought it was fixed, so it must be independent of that. I've created google/oss-fuzz-vulns#21 to try and sort this out.
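To make the range semantics behind the comment above concrete, here is an added example (not pip-audit's, Pillow's, or OSV's own code). It walks OSV-style `affected` ranges the way a consumer such as pip-audit does: an `introduced` event with no matching `fixed` event is an open-ended interval, so every release published after the advisory keeps matching until the record is corrected. The two records, the package name lookup, and the dotted-integer version comparator are all constructed for this example; the real OSV-2022-715 entry is not reproduced here, and real PyPI versions need a PEP 440 comparator.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed record (not the real OSV-2022-715 entry): one "introduced" event
# and no "fixed" event. The interval is open-ended, so every release at or
# above 9.0.0 matches, including releases made after the advisory was written.
OPEN_ENDED_RECORD = json.dumps({
    "id": "EXAMPLE-OPEN",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "pillow"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "9.0.0"}]}],
    }],
})

# Same constructed record after the kind of correction the thread describes:
# a "fixed" event closes the interval, so 9.3.0 and later no longer match.
FIXED_RECORD = json.dumps({
    "id": "EXAMPLE-FIXED",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "pillow"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "9.0.0"}, {"fixed": "9.3.0"}]}],
    }],
})

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Simplified comparator: dotted integers only (assumption for this
    example; real PyPI versions follow PEP 440 and need a proper parser)."""
    return tuple(int(part) for part in text.split("."))


def version_in_events(version: Version, events: List[Dict[str, str]]) -> bool:
    """Walk an OSV event list in order. 'introduced' opens an interval,
    'fixed' closes it exclusively, 'last_affected' closes it inclusively.
    An interval that is never closed extends to infinity."""
    open_since: Optional[Version] = None
    for event in events:
        if "introduced" in event:
            open_since = parse_version(event["introduced"])
        elif "fixed" in event:
            fixed = parse_version(event["fixed"])
            if open_since is not None and open_since <= version < fixed:
                return True
            open_since = None
        elif "last_affected" in event:
            last = parse_version(event["last_affected"])
            if open_since is not None and open_since <= version <= last:
                return True
            open_since = None
    # Still open at the end of the list: the range has no upper bound.
    return open_since is not None and version >= open_since


def is_affected(record_json: str, package: str, version_text: str) -> bool:
    """Return True if `version_text` of `package` falls inside any PyPI
    ECOSYSTEM range (or explicit versions list) of the OSV record."""
    record = json.loads(record_json)
    version = parse_version(version_text)
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != "PyPI":
            continue
        if pkg.get("name", "").lower() != package.lower():
            continue
        if version_text in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            if version_in_events(version, rng.get("events", [])):
                return True
    return False


def triage(record_json: str, package: str, versions: List[str]) -> Dict[str, bool]:
    """Evaluate several installed versions against one record at once."""
    return {v: is_affected(record_json, package, v) for v in versions}


if __name__ == "__main__":
    candidates = ["8.4.0", "9.2.0", "9.3.0", "9.4.0"]
    print("open-ended:", triage(OPEN_ENDED_RECORD, "Pillow", candidates))
    print("with fixed:", triage(FIXED_RECORD, "Pillow", candidates))
```

Running it shows the failure mode from the thread: under the open-ended record 9.3.0 and 9.4.0 are flagged just as 9.2.0 is, and only after a `fixed` event is added does the scanner stop reporting the patched release. When a scanner flags a version you believe is fixed, the first thing to check is whether the advisory's range actually has an upper bound.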
That PR has been merged. If you try again, Pillow 9.3.0 should no longer be listed as a problem.
Yes, that is correct.
We run pip-audit, and just this week it started reporting a security vulnerability with 9.2.0; we are running Python 3.10.8.

https://osv.dev/vulnerability/OSV-2022-715

When you follow the References link in the issue, it says something about being fixed:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50217

But pip-audit is still flagging it. Should we be treating this as a false flag? Is the problem with pip-audit and its source of vulnerabilities? Or is this something that needs to be investigated?