Security - Eval Injection

Question

dpramani opened this issue 5 months ago · comments

Hi

I am using the 7.7.1th version of minimalcompact/thumbor in one of my apps.

Current version of pillow seems to be vulnerable to Eval Injection.

Are there releases that handles this ?

Thanks

Pablo Aguiar · Answer 1 · Tue Jan 23 2024 01:26:51 GMT+0800 (China Standard Time)

Thumbor makes no use of ImageMath.eval. Therefore, it's not affected by such vulnerability. Thanks for reporting, @dpramani

dpramani · Answer 2 · Tue Jan 23 2024 02:13:12 GMT+0800 (China Standard Time)

dpramani · Answer 3 · Wed Feb 21 2024 08:36:46 GMT+0800 (China Standard Time)

@scorphus What's the current version of pillow being used ? Is it 10.0.1?

Marcelo Jorge Vieira · Answer 4 · Thu Feb 29 2024 07:36:17 GMT+0800 (China Standard Time)

# TODO: Pillow version 10.1.0 is raising a PIL.Image.DecompressionBombError on tests
"Pillow==10.*,<10.1.0",