
[GHSA-cxf7-qrc5-9446] Remote shell execution vulnerability in image_processing #1118

Conversation

wonda-tea-coffee

Updates

  • Affected products
  • Description

Comments
As noted below, this vulnerability has not been fixed.
janko/image_processing#100

@github
Collaborator

github commented Dec 7, 2022

Hi there @janko! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to wonda-tea-coffee/advisory-improvement-1118 December 7, 2022 09:01
@CallmeMari

Hi @wonda-tea-coffee, thank you for your contribution. The remote shell execution vulnerability this advisory is describing has been fixed for the #apply function. A new GitHub Security Advisory would be a better way to inform users about other vulnerable functions.

@wonda-tea-coffee
Author

Hi @CallmeMari, thank you for your reply.
janko/image_processing#100 also mentions a vulnerability about the apply function.
Therefore, the apply function is still vulnerable to RCE vulnerabilities.

@ronwoch

ronwoch commented Dec 22, 2022

Hi @wonda-tea-coffee,
I agree that the issue seems to indicate that the initial fix was not a complete success. In cases like this, it is usually best to request the Maintainers to release an additional security advisory to clarify that the original fix was not successful.

@wonda-tea-coffee
Author

@ronwoch
I see.
Then I will close this Issue.

@github-actions github-actions bot deleted the wonda-tea-coffee-GHSA-cxf7-qrc5-9446 branch December 22, 2022 03:50