Pillow/docs/releasenotes/9.0.1.rst

9.0.1
-----

Security
========

This release addresses several security problems.

:cve:`2022-24303`: Temp image removal
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If the path to the temporary directory on Linux or macOS
contained a space, this would break removal of the temporary image file after
``im.show()`` (and related actions), and potentially remove an unrelated file. This
has been present since PIL.

:cve:`2022-22817`: Restrict lambda expressions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

While Pillow 9.0 restricted top-level builtins available to
:py:meth:`!PIL.ImageMath.eval`, it did not prevent builtins
available to lambda expressions. These are now also restricted.

Other Changes
=============

Pillow 9.0 added support for ``xdg-open`` as an image viewer, but there have been
reports that the temporary image file was removed too quickly to be loaded into the
final application. A delay has been added.
Added release notes for 9.0.1 2022-02-03 01:48:56 +03:00			`9.0.1`
			`-----`

			`Security`
			`========`

			`This release addresses several security problems.`

Fix headers and retro-add notes for #7864 - Include CVE link in title (via @hugovk) - Retro-add release notes for 2.3.2, 2.5.2 for CVE-2014-3589 2024-03-14 20:58:05 +03:00			:cve:`2022-24303`: Temp image removal
			`^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^`
Clean up for #7864 2024-03-13 21:40:00 +03:00
Clean up for #7864 Before back fill, clean up. - Add suggested CVE format to template - Move Security to the top of release notes - Fix headings - Update all existing CVE notes to match template 2024-03-13 21:15:16 +03:00			`If the path to the temporary directory on Linux or macOS`
Added release notes for 9.0.1 2022-02-03 01:48:56 +03:00			`contained a space, this would break removal of the temporary image file after`
			``im.show()`` (and related actions), and potentially remove an unrelated file. This
Corrected sentence [ci skip] 2022-02-03 19:19:49 +03:00			`has been present since PIL.`
Added release notes for 9.0.1 2022-02-03 01:48:56 +03:00
Fix headers and retro-add notes for #7864 - Include CVE link in title (via @hugovk) - Retro-add release notes for 2.3.2, 2.5.2 for CVE-2014-3589 2024-03-14 20:58:05 +03:00			:cve:`2022-22817`: Restrict lambda expressions
			`^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^`
Clean up for #7864 2024-03-13 21:52:53 +03:00
Clean up for #7864 Before back fill, clean up. - Add suggested CVE format to template - Move Security to the top of release notes - Fix headings - Update all existing CVE notes to match template 2024-03-13 21:15:16 +03:00			`While Pillow 9.0 restricted top-level builtins available to`
Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() 2024-03-25 12:38:52 +03:00			:py:meth:`!PIL.ImageMath.eval`, it did not prevent builtins
Fix headers and retro-add notes for #7864 - Include CVE link in title (via @hugovk) - Retro-add release notes for 2.3.2, 2.5.2 for CVE-2014-3589 2024-03-14 20:58:05 +03:00			`available to lambda expressions. These are now also restricted.`
Added release notes for 9.0.1 2022-02-03 01:48:56 +03:00
			`Other Changes`
			`=============`

			Pillow 9.0 added support for ``xdg-open`` as an image viewer, but there have been
			`reports that the temporary image file was removed too quickly to be loaded into the`
			`final application. A delay has been added.`