MGASA-2024-0244

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2024-0244.html

Import Source

https://advisories.mageia.org/MGASA-2024-0244.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2024-0244

Published

2024-07-01T17:53:27Z

Modified

2026-04-16T04:21:00.537473Z

Summary

Updated python-imageio packages fix security vulnerability

Details

imageio can attempt to download shared freeimage libraries from https://github.com/imageio/imageio-binaries/tree/master/freeimage. The code fetches straight from master and provides no way of verifying whether the correct file was fetched. As a result, if the repository is attacked in the future, all prior versions of imageio would be silently downloading arbitrary shared libraries and running them on user systems. This is a serious problem.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:9 / python-imageio

Package

Name: python-imageio
Purl: pkg:rpm/mageia/python-imageio?arch=source&distro=mageia-9

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.22.4-1.1.mga9

Ecosystem specific

{
    "section": "core"
}

Database specific

source

"https://advisories.mageia.org/MGASA-2024-0244.json"