
Re: Python review request, CVE-2022-22817 & CVE-2023-50447 in pillow



Sean Whitton wrote:

> I was thinking that it would be appropriate to issue DLA-..-2 and
> ELA-..-2 advisories, but the problem is that buster was under Security
> Team support at the time of the previous update, and stretch was under
> LTS, not ELTS. Another option would be to roll the information into my
> advisories for CVE-2023-50447, the fixes for which I'll upload at the
> same time. What would be preferable?

As a user of LTS/ELTS, I think I would probably prefer the clarity
that a new, 1-based DLA might confer — and especially if it outlined
the situation in brief and, for instance, included the potential
confusion surrounding buster not being LTS at the time of the previous
fix and so on (i.e. essentially your paragraph above).

> Based on my understanding of the vulnerability I think that this
> [eval/exec] modification to the tests is okay, but it would be best
> if someone with more knowledge of Python's evaluation model thinks
> it through.

I think it is okay to make this change. :) As it happens, I've had
this StackOverflow answer bookmarked for a little while on the
differences:

   https://stackoverflow.com/a/29456463

… which also has a lot of details that expose just enough info about
Python's evaluation model to be interesting. Curiously, it also
demonstrates how to use compile(…) in pretty much the same way that
the patch for CVE-2022-22817 performs its check.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-
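For readers following the thread, here is an added, self-contained illustration of the technique the reply refers to: compiling an expression with compile(…) in "eval" mode and inspecting the resulting code object's co_names before anything is evaluated. It is example code written for this page, not Pillow's ImageMath code and not the text of either Debian patch; the allow-list of function names, the dunder-key rule on the caller-supplied environment, and the helper names are assumptions made for the example. The key check is included because, as the thread notes, the CVE-2023-50447 follow-up concerns the environment passed to the evaluator, but the exact rule used there is not reproduced here.

```python
import builtins

# Constructed allow-list for this example: the only callables an expression may use.
ALLOWED_FUNCTIONS = {"abs", "min", "max"}


def invalid_keys(variables):
    """Return caller-supplied environment keys that are not plain identifiers
    or that look like dunder/special names (assumed rule for this example)."""
    return sorted(k for k in variables
                  if not isinstance(k, str) or not k.isidentifier() or "__" in k)


def disallowed_names(expression, variables):
    """Compile the expression without running it and return every name it
    references that is neither a supplied variable nor an allowed function.

    co_names covers both bare names and attribute names, so 'a.__class__'
    is reported because '__class__' is not in the allow-list.
    """
    code = compile(expression, "<string>", "eval")
    return sorted(n for n in code.co_names
                  if n not in variables and n not in ALLOWED_FUNCTIONS)


def safe_eval(expression, variables):
    """Evaluate an arithmetic expression over the given variables, refusing
    anything that references names outside the allow-list."""
    bad_keys = invalid_keys(variables)
    if bad_keys:
        raise ValueError(f"environment keys not allowed: {bad_keys}")

    bad_names = disallowed_names(expression, variables)
    if bad_names:
        raise ValueError(f"names not allowed in expression: {bad_names}")

    # Evaluate with builtins removed; only the allow-listed functions are exposed.
    env = {"__builtins__": {}}
    env.update({fn: getattr(builtins, fn) for fn in ALLOWED_FUNCTIONS})
    env.update(variables)
    return eval(compile(expression, "<string>", "eval"), env)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(safe_eval("abs(a - b) + max(a, b)", {"a": 3, "b": 10}))   # 17
    for expr in ("a.__class__", "print(a)"):
        print(expr, "->", disallowed_names(expr, {"a": 1}))
    print(invalid_keys({"a": 1, "__builtins__": {}}))
```

The check is an allow-list, not a block-list: the expression is parsed first, and every name the bytecode would load has to be either a supplied variable or an explicitly permitted function, which is what makes it robust against spelling variations that a string search would miss.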

