mirror of
https://github.com/python-pillow/Pillow.git
synced 2024-12-25 17:36:18 +03:00
Clean up for #7864
Before back fill, clean up.

- Add suggested CVE format to template
- Move Security to the top of release notes
- Fix headings
- Update all existing CVE notes to match template
This commit is contained in:
parent
786ded02e8
commit
04f60eba9c
|
@ -1,6 +1,35 @@
|
|||
10.0.0
|
||||
------
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
Limit size even if one dimension is zero
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
When performing decompression bomb checks, Pillow did not reject images with
|
||||
excessive width and zero height, or zero width and excessive height. That has
|
||||
now been fixed.
|
||||
|
||||
This effectively dates to the PIL fork, since problem images would still have
|
||||
been processed before Pillow started checking for decompression bombs.
|
||||
|
||||
Fix CVE-2023-44271
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Added ImageFont.MAX_STRING_LENGTH.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2023-44271`
|
||||
|
||||
To protect against potential DOS attacks when using arbitrary strings as text
|
||||
input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
|
||||
passed into ImageFont methods is over a certain limit,
|
||||
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
|
||||
|
||||
This threshold can be changed by setting
|
||||
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting
|
||||
``ImageFont.MAX_STRING_LENGTH = None``.
|
||||
|
||||
Backwards Incompatible Changes
|
||||
==============================
|
||||
|
||||
|
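Review bot: the template sentence introduced here, `.. note:: More information about this vulnerability included in database record :cve:`2023-44271``, is missing its verb, and since this is the line every other release-notes file in this commit copies, it is worth fixing before the back fill; something like `.. note:: More information about this vulnerability is included in the database record :cve:`2023-44271`` reads correctly.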
@ -157,31 +186,6 @@ Added ``alpha_only`` argument to ``getbbox()``
|
|||
and the image has an alpha channel, trim transparent pixels. Otherwise, trim
|
||||
pixels when all channels are zero.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
Limit size even if one dimension is zero
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
When performing decompression bomb checks, Pillow did not reject images with
|
||||
excessive width and zero height, or zero width and excessive height. That has
|
||||
now been fixed.
|
||||
|
||||
This effectively dates to the PIL fork, since problem images would still have
|
||||
been processed before Pillow started checking for decompression bombs.
|
||||
|
||||
Added ImageFont.MAX_STRING_LENGTH
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
:cve:`2023-44271`: To protect against potential DOS attacks when using arbitrary strings as text
|
||||
input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
|
||||
passed into ImageFont methods is over a certain limit,
|
||||
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
|
||||
|
||||
This threshold can be changed by setting
|
||||
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting
|
||||
``ImageFont.MAX_STRING_LENGTH = None``.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
@ -4,9 +4,15 @@
|
|||
Security
|
||||
========
|
||||
|
||||
This release addresses :cve:`2023-4863`, by providing an updated install script and
|
||||
updated wheels to include libwebp 1.3.2, preventing a potential heap buffer overflow
|
||||
in WebP.
|
||||
Fix CVE-2023-4863
|
||||
^^^^^^^^^^^^^^^^^
|
||||
|
||||
Updated install script and wheels with libwebp 1.3.2
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2023-4863`
|
||||
|
||||
This release provides an updated install script and updated wheels to
|
||||
include libwebp 1.3.2, preventing a potential heap buffer overflow in WebP.
|
||||
|
||||
Updated tests to pass with latest zlib version
|
||||
==============================================
|
||||
|
|
|
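Review bot: the summary line `Updated install script and wheels with libwebp 1.3.2` is the only one in this hunk without a trailing period, while the template summaries in the other files (`Buffer overflow in TiffDecode.c.`, `Added ImageFont.MAX_STRING_LENGTH.`) end with one; add the period for consistency.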
@ -1,6 +1,42 @@
|
|||
10.2.0
|
||||
------
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To protect against potential DOS attacks when using arbitrary strings as text input,
|
||||
Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into
|
||||
:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit,
|
||||
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
|
||||
|
||||
This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It
|
||||
can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.
|
||||
|
||||
A decompression bomb check has also been added to
|
||||
:py:meth:`PIL.ImageFont.ImageFont.getmask`.
|
||||
|
||||
ImageFont.getmask: Trim glyph size
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To protect against potential DOS attacks when using PIL fonts,
|
||||
:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
|
||||
they do not extend beyond the bitmap image.
|
||||
|
||||
Fix CVE-2023-50447
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
ImageMath.eval: Restricted environment keys.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2023-50447`
|
||||
|
||||
If an attacker has control over the keys passed to the
|
||||
``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
|
||||
arbitrary code. To prevent this, keys matching the names of builtins and keys
|
||||
containing double underscores will now raise a :py:exc:`ValueError`.
|
||||
|
||||
Deprecations
|
||||
============
|
||||
|
||||
|
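Review bot: the underline under `Fix CVE-2023-50447` is far longer than the 18-character title, apparently left over from the longer heading `ImageMath.eval: Restricted environment keys` that this hunk moves into the summary paragraph; RST tolerates an over-long underline, but the other headings in this hunk match their titles, so trim it to `^^^^^^^^^^^^^^^^^^`.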
@ -63,38 +99,6 @@ JPEG tables-only streamtype
|
|||
When saving JPEG files, ``streamtype`` can now be set to 1, for tables-only. This will
|
||||
output only the quantization and Huffman tables for the image.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To protect against potential DOS attacks when using arbitrary strings as text input,
|
||||
Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into
|
||||
:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit,
|
||||
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
|
||||
|
||||
This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It
|
||||
can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.
|
||||
|
||||
A decompression bomb check has also been added to
|
||||
:py:meth:`PIL.ImageFont.ImageFont.getmask`.
|
||||
|
||||
ImageFont.getmask: Trim glyph size
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To protect against potential DOS attacks when using PIL fonts,
|
||||
:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
|
||||
they do not extend beyond the bitmap image.
|
||||
|
||||
ImageMath.eval: Restricted environment keys
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
:cve:`2023-50447`: If an attacker has control over the keys passed to the
|
||||
``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
|
||||
arbitrary code. To prevent this, keys matching the names of builtins and keys
|
||||
containing double underscores will now raise a :py:exc:`ValueError`.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
@ -1,12 +1,19 @@
|
|||
|
||||
3.1.1
|
||||
=====
|
||||
-----
|
||||
|
||||
CVE-2016-0740 -- Buffer overflow in TiffDecode.c
|
||||
------------------------------------------------
|
||||
Security
|
||||
========
|
||||
|
||||
Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64
|
||||
may overflow a buffer when reading a specially crafted tiff file (:cve:`2016-0740`).
|
||||
Fix CVE-2016-0740
|
||||
^^^^^^^^^^^^^^^^^
|
||||
|
||||
Buffer overflow in TiffDecode.c.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2016-0740`
|
||||
|
||||
Pillow 3.1.0 and earlier when linked against
|
||||
libtiff >= 4.0.0 on x64 may overflow a buffer when reading a
|
||||
specially crafted tiff file.
|
||||
|
||||
Specifically, libtiff >= 4.0.0 changed the return type of
|
||||
``TIFFScanlineSize`` from ``int32`` to machine dependent
|
||||
|
@ -19,12 +26,15 @@ image data over 64k is written over the heap, causing a segfault.
|
|||
|
||||
This issue was found by security researcher FourOne.
|
||||
|
||||
Fix CVE-2016-0775
|
||||
^^^^^^^^^^^^^^^^^
|
||||
|
||||
CVE-2016-0775 -- Buffer overflow in FliDecode.c
|
||||
-----------------------------------------------
|
||||
Buffer overflow in FliDecode.c.
|
||||
|
||||
In all versions of Pillow, dating back at least to the last PIL 1.1.7
|
||||
release, FliDecode.c has a buffer overflow error (:cve:`2016-0775`).
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2016-0775`
|
||||
|
||||
In all versions of Pillow, dating back at least to
|
||||
the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error.
|
||||
|
||||
Around line 192:
|
||||
|
||||
|
@ -49,11 +59,15 @@ off the end of the memory buffer, causing a segfault.
|
|||
|
||||
This issue was found by Alyssa Besseling at Atlassian.
|
||||
|
||||
CVE-2016-2533 -- Buffer overflow in PcdDecode.c
|
||||
-----------------------------------------------
|
||||
Fix CVE-2016-2533
|
||||
^^^^^^^^^^^^^^^^^
|
||||
|
||||
In all versions of Pillow, dating back at least to the last PIL 1.1.7
|
||||
release, ``PcdDecode.c`` has a buffer overflow error (:cve:`2016-2533`).
|
||||
Buffer overflow in PcdDecode.c.
|
||||
|
||||
.. note:: More information about this vulnerability available in :cve:`2016-2533`
|
||||
|
||||
In all versions of Pillow, dating back at least to the
|
||||
last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error.
|
||||
|
||||
The ``state.buffer`` for ``PcdDecode.c`` is allocated based on a 3
|
||||
bytes per pixel sizing, where ``PcdDecode.c`` wrote into the buffer
|
||||
|
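Review bot: the note for CVE-2016-2533 reads `.. note:: More information about this vulnerability available in :cve:`2016-2533`` while every other entry in this commit uses the `included in database record :cve:...` wording; this is exactly the kind of drift the commit message says the template is meant to remove, so align it with the others.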
@ -62,7 +76,7 @@ the buffer into other Python object storage. In some cases, this
|
|||
causes a segfault, in others an internal Python malloc error.
|
||||
|
||||
Integer overflow in Resample.c
|
||||
------------------------------
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
If a large value was passed into the new size for an image, it is
|
||||
possible to overflow an ``int32`` value passed into malloc.
|
||||
|
|
|
@ -1,13 +1,19 @@
|
|||
|
||||
3.1.2
|
||||
=====
|
||||
-----
|
||||
|
||||
CVE-2016-3076 -- Buffer overflow in Jpeg2KEncode.c
|
||||
--------------------------------------------------
|
||||
Security
|
||||
========
|
||||
|
||||
Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing
|
||||
large Jpeg2000 files, allowing for code execution or other memory
|
||||
corruption (:cve:`2016-3076`).
|
||||
Fix CVE-2016-3076
|
||||
^^^^^^^^^^^^^^^^^
|
||||
|
||||
Buffer overflow in Jpeg2KEncode.c.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2016-3076`
|
||||
|
||||
Pillow between 2.5.0 and 3.1.1 may overflow a buffer
|
||||
when writing large Jpeg2000 files, allowing for code execution or other
|
||||
memory corruption.
|
||||
|
||||
This occurs specifically in the function ``j2k_encode_entry``, at the line:
|
||||
|
||||
|
|
|
@ -1,6 +1,38 @@
|
|||
6.2.0
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
This release catches several buffer overruns and fixes CVE-2019-16865.
|
||||
|
||||
Buffer overruns
|
||||
^^^^^^^^^^^^^^^
|
||||
|
||||
In RawDecode.c, an error is now thrown if skip is calculated to be less than
|
||||
zero. It is intended to skip padding between lines, not to go backwards.
|
||||
|
||||
In PsdImagePlugin, if the combined sizes of the individual parts is larger than
|
||||
the declared size of the extra data field, then it looked for the next layer by
|
||||
seeking backwards. This is now corrected by seeking to (the start of the layer
|
||||
+ the size of the extra data field) instead of (the read parts of the layer +
|
||||
the rest of the layer).
|
||||
|
||||
Decompression bomb checks have been added to GIF and ICO formats.
|
||||
|
||||
An error is now raised if a TIFF dimension is a string, rather than trying to
|
||||
perform operations on it.
|
||||
|
||||
Fix CVE-2019-16865
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
DOS attack vulnerabilities.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2019-16865`
|
||||
|
||||
The CVE is regarding DOS problems, such as consuming large
|
||||
amounts of memory, or taking a large amount of time to process an image.
|
||||
|
||||
API Additions
|
||||
=============
|
||||
|
||||
|
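Review bot: the new introduction `This release catches several buffer overruns and fixes CVE-2019-16865.` drops the `:cve:` role that the removed sentence (`addressing :cve:`2019-16865``) had, so the intro no longer links to the record; keep the role there. The underline under `Fix CVE-2019-16865` is also much longer than the title and should be trimmed to match it.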
@ -65,27 +97,6 @@ There has been a longstanding warning that the defaults of ``Image.frombuffer``
|
|||
may change in the future for the "raw" decoder. The change will now take place
|
||||
in Pillow 7.0.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
This release catches several buffer overruns, as well as addressing
|
||||
:cve:`2019-16865`. The CVE is regarding DOS problems, such as consuming large
|
||||
amounts of memory, or taking a large amount of time to process an image.
|
||||
|
||||
In RawDecode.c, an error is now thrown if skip is calculated to be less than
|
||||
zero. It is intended to skip padding between lines, not to go backwards.
|
||||
|
||||
In PsdImagePlugin, if the combined sizes of the individual parts is larger than
|
||||
the declared size of the extra data field, then it looked for the next layer by
|
||||
seeking backwards. This is now corrected by seeking to (the start of the layer
|
||||
+ the size of the extra data field) instead of (the read parts of the layer +
|
||||
the rest of the layer).
|
||||
|
||||
Decompression bomb checks have been added to GIF and ICO formats.
|
||||
|
||||
An error is now raised if a TIFF dimension is a string, rather than trying to
|
||||
perform operations on it.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
@ -4,15 +4,56 @@
|
|||
Security
|
||||
========
|
||||
|
||||
This release addresses several security problems.
|
||||
This release fixes several buffer overruns and DOS attacks reported in CVE-2019-19911, CVE-2020-5310, CVE-2020-5311, CVE-2020-5312 and CVE-2020-5313.
|
||||
|
||||
:cve:`2019-19911` is regarding FPX images. If an image reports that it has a large
|
||||
number of bands, a large amount of resources will be used when trying to process the
|
||||
image. This is fixed by limiting the number of bands to those usable by Pillow.
|
||||
Fix CVE-2019-19911
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Buffer overruns were found when processing an SGI (:cve:`2020-5311`),
|
||||
PCX (:cve:`2020-5312`) or FLI image (:cve:`2020-5313`). Checks have been added
|
||||
to prevent this.
|
||||
DOS attack vulnerability.
|
||||
|
||||
:cve:`2020-5310`: Overflow checks have been added when calculating the size of a
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2019-19911`
|
||||
|
||||
If an FPX image reports that it has a large number of bands, a large amount of
|
||||
resources will be used when trying to process the image. This is fixed by
|
||||
limiting the number of bands to those usable by Pillow.
|
||||
|
||||
|
||||
Fix CVE-2020-5310
|
||||
^^^^^^^^^^^^^^^^^
|
||||
|
||||
Overflow checks added to TIFF image processing.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-5310`
|
||||
|
||||
Overflow checks have been added when calculating the size of a
|
||||
memory block to be reallocated in the processing of a TIFF image.
|
||||
|
||||
Fix CVE-2020-5311
|
||||
^^^^^^^^^^^^^^^^^
|
||||
|
||||
Overflow checks added to SGI image processing.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-5311`
|
||||
|
||||
Buffer overruns were found when processing an SGI image. Checks
|
||||
have been added to prevent this.
|
||||
|
||||
Fix CVE-2020-5312
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Overflow checks added to PCX image processing.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-5312`
|
||||
|
||||
Buffer overruns were found when processing an SGI PCX. Checks have
|
||||
been added to prevent this.
|
||||
|
||||
Fix CVE-2020-5313
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Overflow checks added to FLI image processing.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-5313`
|
||||
|
||||
Buffer overruns were found when processing an FLI image. Checks
|
||||
have been added to prevent this.
|
||||
|
|
|
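Review bot: `Buffer overruns were found when processing an SGI PCX.` under `Fix CVE-2020-5312` is wrong: the removed paragraph attributes CVE-2020-5312 to PCX images and CVE-2020-5311 to SGI, so this should read `when processing a PCX image.` Two smaller points in the same hunk: the underlines under `Fix CVE-2020-5312` and `Fix CVE-2020-5313` are much longer than their titles, and there is a double blank line before `Fix CVE-2020-5310`.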
@ -1,6 +1,46 @@
|
|||
7.1.0
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
This release includes many security fixes.
|
||||
|
||||
Fix CVE-2020-10177
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Multiple out-of-bounds reads in FLI decoding.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-10177`
|
||||
|
||||
Fix CVE-2020-10378
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Bounds overflow in PCX decoding.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-10378`
|
||||
|
||||
Fix CVE-2020-10379
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Two buffer overflows in TIFF decoding
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-10379`
|
||||
|
||||
Fix CVE-2020-10994
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Bounds overflow in JPEG 2000 decoding
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-10994`
|
||||
|
||||
Fix CVE-2020-11538
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Buffer overflow in SGI-RLE decoding
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-11538`
|
||||
|
||||
API Changes
|
||||
===========
|
||||
|
||||
|
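Review bot: the summary lines are punctuated inconsistently: `Multiple out-of-bounds reads in FLI decoding.` and `Bounds overflow in PCX decoding.` end with a period, while `Two buffer overflows in TIFF decoding`, `Bounds overflow in JPEG 2000 decoding` and `Buffer overflow in SGI-RLE decoding` do not; pick one form, since these lines are now the template's summary paragraph rather than list items.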
@ -67,17 +107,6 @@ Passing a different value on Windows or macOS will force taking a snapshot
|
|||
using the selected X server; pass an empty string to use the default X server.
|
||||
XCB support is not included in pre-compiled wheels for Windows and macOS.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
This release includes security fixes.
|
||||
|
||||
* :cve:`2020-10177` Fix multiple out-of-bounds reads in FLI decoding
|
||||
* :cve:`2020-10378` Fix bounds overflow in PCX decoding
|
||||
* :cve:`2020-10379` Fix two buffer overflows in TIFF decoding
|
||||
* :cve:`2020-10994` Fix bounds overflow in JPEG 2000 decoding
|
||||
* :cve:`2020-11538` Fix buffer overflow in SGI-RLE decoding
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
@ -4,7 +4,14 @@
|
|||
Security
|
||||
========
|
||||
|
||||
Update FreeType used in binary wheels to `2.10.4`_ to fix :cve:`2020-15999`:
|
||||
Fix CVE-2020-15999
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Update FreeType version in wheels.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-15999`
|
||||
|
||||
Update FreeType used in binary wheels to `2.10.4`_.
|
||||
|
||||
- A heap buffer overflow has been found in the handling of embedded PNG bitmaps,
|
||||
introduced in FreeType version 2.6.
|
||||
|
|
|
@ -1,6 +1,62 @@
|
|||
8.1.0
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
This release includes security fixes.
|
||||
|
||||
* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF
|
||||
* An out-of-bounds read when saving a GIF of 1px width
|
||||
|
||||
Fix CVE-2020-35653
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Buffer read overrun in PCX decoding.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-35653`
|
||||
|
||||
The PCX image decoder used the reported image stride to calculate
|
||||
the row buffer, rather than calculating it from the image size. This issue dates back
|
||||
to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this.
|
||||
|
||||
Fix CVE-2020-35654
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
TIFF out-of-bounds write error.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-35654`
|
||||
|
||||
Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr
|
||||
files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04).
|
||||
In some cases LibTIFF's interpretation of the file is different when reading in RGBA mode,
|
||||
leading to an out-of-bounds write in ``TiffDecode.c``. This potentially affects Pillow
|
||||
versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through
|
||||
`Tidelift`_.
|
||||
|
||||
Fix CVE-2020-35655
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
SGI Decode buffer overrun
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2020-35655`
|
||||
|
||||
4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly
|
||||
checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's
|
||||
`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1.
|
||||
|
||||
.. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs
|
||||
.. _OSS-Fuzz: https://github.com/google/oss-fuzz
|
||||
|
||||
Dependencies
|
||||
^^^^^^^^^^^^
|
||||
|
||||
OpenJPEG in the macOS and Linux wheels has been updated from 2.3.1 to 2.4.0, including
|
||||
security fixes.
|
||||
|
||||
LibTIFF in the macOS and Linux wheels has been updated from 4.1.0 to 4.2.0, including
|
||||
security fixes discovered by fuzzers.
|
||||
|
||||
Deprecations
|
||||
============
|
||||
|
||||
|
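Review bot: the two non-CVE fixes (`An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF` and `An out-of-bounds read when saving a GIF of 1px width`) are left as bare bullets under the intro sentence while every CVE fix gets its own `^^^` heading; the 8.2.0 file in this same commit gives a non-CVE fix a heading (`Fix memory DOS in ImageFont`), so do the same here. Also, `SGI Decode buffer overrun` is the only summary line in this hunk without a trailing period.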
@ -33,46 +89,6 @@ With this release, a list of images can be provided to the ``append_images`` par
|
|||
when saving, to replace the scaled down versions. This is the same functionality that
|
||||
already exists for the ICNS format.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
This release includes security fixes.
|
||||
|
||||
* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF
|
||||
* An out-of-bounds read when saving a GIF of 1px width
|
||||
* :cve:`2020-35653` Buffer read overrun in PCX decoding
|
||||
|
||||
The PCX image decoder used the reported image stride to calculate the row buffer,
|
||||
rather than calculating it from the image size. This issue dates back to the PIL fork.
|
||||
Thanks to Google's `OSS-Fuzz`_ project for finding this.
|
||||
|
||||
* :cve:`2020-35654` Fix TIFF out-of-bounds write error
|
||||
|
||||
Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr files in some
|
||||
LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). In some cases
|
||||
LibTIFF's interpretation of the file is different when reading in RGBA mode, leading to
|
||||
an out-of-bounds write in ``TiffDecode.c``. This potentially affects Pillow versions
|
||||
from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through
|
||||
`Tidelift`_.
|
||||
|
||||
* :cve:`2020-35655` Fix for SGI Decode buffer overrun
|
||||
|
||||
4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly checking the
|
||||
offsets and length tables. Independently reported through `Tidelift`_ and Google's
|
||||
`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1.
|
||||
|
||||
.. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs
|
||||
.. _OSS-Fuzz: https://github.com/google/oss-fuzz
|
||||
|
||||
Dependencies
|
||||
^^^^^^^^^^^^
|
||||
|
||||
OpenJPEG in the macOS and Linux wheels has been updated from 2.3.1 to 2.4.0, including
|
||||
security fixes.
|
||||
|
||||
LibTIFF in the macOS and Linux wheels has been updated from 4.1.0 to 4.2.0, including
|
||||
security fixes discovered by fuzzers.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
@ -4,20 +4,51 @@
|
|||
Security
|
||||
========
|
||||
|
||||
:cve:`2021-25289`: The previous fix for :cve:`2020-35654` was insufficient
|
||||
due to incorrect error checking in ``TiffDecode.c``.
|
||||
Fix CVE-2021-25289
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
:cve:`2021-25290`: In ``TiffDecode.c``, there is a negative-offset ``memcpy``
|
||||
The previous fix for CVE-2020-35654 was insufficient.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2021-25289`
|
||||
|
||||
The previous fix for :cve:`2020-35654` was insufficient due to incorrect error checking in ``TiffDecode.c``.
|
||||
|
||||
Fix CVE-2021-25290
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
In ``TiffDecode.c`` there is a negative-offset.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2021-25290`
|
||||
|
||||
In ``TiffDecode.c``, there is a negative-offset ``memcpy``
|
||||
with an invalid size.
|
||||
|
||||
:cve:`2021-25291`: In ``TiffDecode.c``, invalid tile boundaries could lead to
|
||||
Fix CVE-2021-25291
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
``TiffDecode.c`` has invalid tile boundaries.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2021-25291`
|
||||
|
||||
In ``TiffDecode.c``, invalid tile boundaries could lead to
|
||||
an out-of-bounds read in ``TIFFReadRGBATile``.
|
||||
|
||||
:cve:`2021-25292`: The PDF parser has a catastrophic backtracking regex
|
||||
Fix CVE-2021-25292
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The PDF parser has a catastrophic backtracking regex.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2021-25292`:
|
||||
|
||||
The PDF parser has a catastrophic backtracking regex
|
||||
that could be used as a DOS attack.
|
||||
|
||||
:cve:`2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c``,
|
||||
since Pillow 4.3.0.
|
||||
Fix CVE-2021-25293
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2021-25293`
|
||||
|
||||
|
||||
Other Changes
|
||||
|
|
|
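Review bot: the summary for CVE-2021-25290, `In ``TiffDecode.c`` there is a negative-offset.`, has lost its noun; the removed sentence and the paragraph below both say `negative-offset ``memcpy``` , so the summary should too. In the same hunk, the note for CVE-2021-25292 ends with a stray colon after `:cve:`2021-25292``, and the `Fix CVE-2021-25293` entry has no descriptive paragraph after its note (the other four entries do) and is followed by two blank lines before `Other Changes`.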
@ -4,9 +4,41 @@
|
|||
Security
|
||||
========
|
||||
|
||||
There is an exhaustion of memory DOS in the BLP (:cve:`2021-27921`),
|
||||
ICNS (:cve:`2021-27922`) and ICO (:cve:`2021-27923`) container formats
|
||||
where Pillow did not properly check the reported size of the contained image.
|
||||
These images could cause arbitrarily large memory allocations. This was reported
|
||||
by Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan of
|
||||
`Arizona State University <https://www.asu.edu/>`_.
|
||||
Fix CVE-2021-27921
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
There is an exhaustion of memory DOS in BLP images.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2021-27921`
|
||||
|
||||
There is an exhaustion of memory DOS in BLP
|
||||
images where Pillow did not properly check the reported size of the
|
||||
contained image. These images could cause arbitrarily large memory
|
||||
allocations.
|
||||
|
||||
Fix CVE-2021-27922
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
There is an exhaustion of memory DOS in ICNS images.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2021-27921`
|
||||
|
||||
There is an exhaustion of memory DOS in the ICNS
|
||||
images where Pillow did not properly check the reported size of the
|
||||
contained image. These images could cause arbitrarily large memory
|
||||
allocations.
|
||||
|
||||
Fix CVE-2021-27923
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
There is an exhaustion of memory DOS in ICO images.
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2021-27923`
|
||||
|
||||
There is an exhaustion of memory DOS in ICO
|
||||
images where Pillow did not properly check the reported size of the
|
||||
contained image. These images could cause arbitrarily large memory
|
||||
allocations.
|
||||
|
||||
These were reported by Jiayi Lin, Luke Shaffer, Xinran Xie and
|
||||
Akshay Ajayan of `Arizona State University <https://www.asu.edu/>`_.
|
||||
|
|
|
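Review bot: the note under `Fix CVE-2021-27922` points at the wrong record: `.. note:: More information about this vulnerability included in database record :cve:`2021-27921`` should reference `:cve:`2021-27922`` (the ICNS issue); it looks copied from the BLP entry above. Minor: `in the ICNS images` does not match the wording of the sibling entries (`in BLP images`, `in ICO images`).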
@ -1,6 +1,73 @@
|
|||
8.2.0
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
These were all found with `OSS-Fuzz`_.
|
||||
|
||||
Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
OOB read in Jpeg2KDecode
|
||||
|
||||
.. note:: More information about these vulnerabilities included in database records
|
||||
:cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675`
|
||||
|
||||
* For J2k images with multiple bands, it's legal to have different widths for each band,
|
||||
e.g. 1 byte for ``L``, 4 bytes for ``A``.
|
||||
* This dates to Pillow 2.4.0.
|
||||
|
||||
Fix CVE-2021-28675 -- DOS attack in PsdImagePlugin
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2021-28675`
|
||||
|
||||
* :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input
|
||||
layers with regard to the size of the data block, this could lead to a
|
||||
denial-of-service on :py:meth:`~PIL.Image.open` prior to
|
||||
:py:meth:`~PIL.Image.Image.load`.
|
||||
* This dates to the PIL fork.
|
||||
|
||||
Fix CVE-2021-28676 -- FLI image DOS attack
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2021-28676`
|
||||
|
||||
* ``FliDecode.c`` did not properly check that the block advance was non-zero,
|
||||
potentially leading to an infinite loop on load.
|
||||
* This dates to the PIL fork.
|
||||
|
||||
Fix CVE-2021-28677 -- EPS DOS on _open
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2021-28677`
|
||||
|
||||
* The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line
|
||||
endings. It accidentally used a quadratic method of accumulating lines while looking
|
||||
for a line ending.
|
||||
* A malicious EPS file could use this to perform a denial-of-service of Pillow in the
|
||||
open phase, before an image was accepted for opening.
|
||||
* This dates to the PIL fork.
|
||||
|
||||
CVE-2021-28678 -- BLP DOS attack
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
.. note:: More information about this vulnerability included in database record :cve:`2021-28678`
|
||||
|
||||
* ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets
|
||||
returned data. This could lead to a denial-of-service where the decoder could be run a
|
||||
large number of times on empty data.
|
||||
* This dates to Pillow 5.1.0.
|
||||
|
||||
Fix memory DOS in ImageFont
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* A corrupt or specially crafted TTF font could have font metrics that lead to
|
||||
unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check
|
||||
the image size before allocating memory for it.
|
||||
* This dates to the PIL fork.
|
||||
|
||||
Deprecations
|
||||
============
|
||||
|
||||
|
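Review bot: the heading `Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675` and the note beneath it wrongly include CVE-2021-28675: the removed heading was `:cve:`2021-25287`, :cve:`2021-25288`: Fix OOB read in Jpeg2KDecode`, and 2021-28675 is the PsdImagePlugin DOS that has its own section immediately below, so drop it from the Jpeg2K heading and note. Also `CVE-2021-28678 -- BLP DOS attack` is missing the `Fix ` prefix its sibling headings use, and this file keeps ` -- description` suffixes in headings while the other files in this commit move the description into the summary paragraph under the `Fix CVE-...` heading.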
@ -123,61 +190,6 @@ be specified through a keyword argument::

im.save("out.tif", icc_profile=...)


Security
========

These were all found with `OSS-Fuzz`_.

:cve:`2021-25287`, :cve:`2021-25288`: Fix OOB read in Jpeg2KDecode
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* For J2k images with multiple bands, it's legal to have different widths for each band,
e.g. 1 byte for ``L``, 4 bytes for ``A``.
* This dates to Pillow 2.4.0.

:cve:`2021-28675`: Fix DOS in PsdImagePlugin
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input
layers with regard to the size of the data block, this could lead to a
denial-of-service on :py:meth:`~PIL.Image.open` prior to
:py:meth:`~PIL.Image.Image.load`.
* This dates to the PIL fork.

:cve:`2021-28676`: Fix FLI DOS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* ``FliDecode.c`` did not properly check that the block advance was non-zero,
potentially leading to an infinite loop on load.
* This dates to the PIL fork.

:cve:`2021-28677`: Fix EPS DOS on _open
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line
endings. It accidentally used a quadratic method of accumulating lines while looking
for a line ending.
* A malicious EPS file could use this to perform a denial-of-service of Pillow in the
open phase, before an image was accepted for opening.
* This dates to the PIL fork.

:cve:`2021-28678`: Fix BLP DOS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets
returned data. This could lead to a denial-of-service where the decoder could be run a
large number of times on empty data.
* This dates to Pillow 5.1.0.

Fix memory DOS in ImageFont
^^^^^^^^^^^^^^^^^^^^^^^^^^^

* A corrupt or specially crafted TTF font could have font metrics that lead to
unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check
the image size before allocating memory for it.
* This dates to the PIL fork.

Other Changes
=============

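Review bot: this hunk deletes the credit line "These were all found with `OSS-Fuzz`_." together with the Jpeg2KDecode (:cve:`2021-25287`, :cve:`2021-25288`) and PsdImagePlugin (:cve:`2021-28675`) entries, while the visible part of the relocated Security section in the previous hunk starts at the FLI entry; confirm those two entries and the credit line were carried to the top of 8.2.0.rst, since otherwise the move loses them and the `OSS-Fuzz`_ reference loses its only use in this file.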
@ -1,6 +1,34 @@
8.3.0
-----

Security
========

Buffer overflow
^^^^^^^^^^^^^^^

Fix CVE-2021-34552
^^^^^^^^^^^^^^^^^^

Buffer overflow

.. note:: More information about this vulnerability included in database record :cve:`2021-34552`

PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger
buffer overflow in Convert.c.

Parsing XML
^^^^^^^^^^^

Pillow previously parsed XMP data using Python's ``xml`` module. However, this module
is not secure.

- :py:meth:`~PIL.Image.Image.getexif` has used ``xml`` to potentially retrieve
orientation data since Pillow 7.2.0. It has been refactored to use ``re`` instead.
- :py:meth:`~PIL.JpegImagePlugin.JpegImageFile.getxmp` was added in Pillow 8.2.0. It
will now use ``defusedxml`` instead. If the dependency is not present, an empty
dictionary will be returned and a warning raised.

Deprecations
============

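Review bot: the new 8.3.0 Security section opens with a "Buffer overflow" heading (with its ^^^ underline) that has no body before the next heading "Fix CVE-2021-34552", which then repeats "Buffer overflow" as a bare paragraph; drop the empty heading and fold the summary into the CVE heading the way the 8.2.0 hunk does, e.g. "Fix CVE-2021-34552 -- Buffer overflow".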
@ -79,28 +107,6 @@ format, through the new ``bitmap_format`` argument::

im.save("out.ico", bitmap_format="bmp")

Security
========

Buffer overflow
^^^^^^^^^^^^^^^

This release addresses :cve:`2021-34552`. PIL since 1.1.4 and Pillow since 1.0
allowed parameters passed into a convert function to trigger buffer overflow in
Convert.c.

Parsing XML
^^^^^^^^^^^

Pillow previously parsed XMP data using Python's ``xml`` module. However, this module
is not secure.

- :py:meth:`~PIL.Image.Image.getexif` has used ``xml`` to potentially retrieve
orientation data since Pillow 7.2.0. It has been refactored to use ``re`` instead.
- :py:meth:`~PIL.JpegImagePlugin.JpegImageFile.getxmp` was added in Pillow 8.2.0. It
will now use ``defusedxml`` instead. If the dependency is not present, an empty
dictionary will be returned and a warning raised.

Other Changes
=============

@ -4,14 +4,25 @@
Security
========

* :cve:`2021-23437`: Avoid a potential ReDoS (regular expression denial of service)
in :py:class:`~PIL.ImageColor`'s :py:meth:`~PIL.ImageColor.getrgb` by raising
:py:exc:`ValueError` if the color specifier is too long. Present since Pillow 5.2.0.
Fix CVE-2021-23437
^^^^^^^^^^^^^^^^^^

* Fix 6-byte out-of-bounds (OOB) read. The previous bounds check in ``FliDecode.c``
incorrectly calculated the required read buffer size when copying a chunk, potentially
reading six extra bytes off the end of the allocated buffer from the heap. Present
since Pillow 7.1.0. This bug was found by Google's `OSS-Fuzz`_ `CIFuzz`_ runs.
Avoid potential ReDoS (regular expression denial of service)

.. note:: More information about this vulnerability included in database record :cve:`2021-23437`

Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s
:py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is
too long. Present since Pillow 5.2.0.

Fix 6-byte out-of-bounds (OOB) read
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Fix 6-byte out-of-bounds (OOB) read. The previous bounds check in ``FliDecode.c`` incorrectly
calculated the required read buffer size when copying a chunk, potentially reading six extra
bytes off the end of the allocated buffer from the heap. Present since Pillow 7.1.0.

This bug was found by Google's `OSS-Fuzz`_ `CIFuzz`_ runs.

Other Changes
=============
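Review bot: the "Fix CVE-2021-23437" heading carries no " -- summary" suffix; the summary "Avoid potential ReDoS (regular expression denial of service)" sits as a bare paragraph under it, whereas the 8.2.0 hunk puts the summary in the heading ("Fix CVE-2021-28677 -- EPS DOS on _open") and the template prescribes "Fix CVE-YYYY-XXXXX -- TODO". Pick one form for every file; folding it into the heading here ("Fix CVE-2021-23437 -- Avoid potential ReDoS") matches the template and removes the orphan paragraph.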
@ -24,6 +24,46 @@ success of Python.

Thank you, Fredrik.

Security
========

Ensure JpegImagePlugin stops at the end of a truncated file
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

``JpegImagePlugin`` may append an EOF marker to the end of a truncated file, so that
the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite
loop where ``JpegImagePlugin`` keeps trying to end the file.

Remove consecutive duplicate tiles that only differ by their offset
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To prevent attempts to slow down loading times for images, if an image has consecutive
duplicate tiles that only differ by their offset, only load the last tile. Credit to
Google's `OSS-Fuzz`_ project for finding this issue.

Fix CVE-2022-22817
^^^^^^^^^^^^^^^^^^

Restrict builtins available to ImageMath.eval

.. note:: More information about this vulnerability included in database record :cve:`2022-22817`

To limit :py:class:`PIL.ImageMath` to working with images, Pillow
will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will
help prevent problems arising if users evaluate arbitrary expressions, such as
``ImageMath.eval("exec(exit())")``.

Fix CVE-2022-22817 -- ImagePath.Path array handling
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2022-22815`

(:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``.

.. _OSS-Fuzz: https://github.com/google/oss-fuzz

Backwards Incompatible Changes
==============================

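Review bot: the heading "Fix CVE-2022-22817 -- ImagePath.Path array handling" reuses the ImageMath CVE number, while its note points at :cve:`2022-22815` and the body names :cve:`2022-22816`; it should read "Fix CVE-2022-22815 and CVE-2022-22816 -- ImagePath.Path array handling". The body line under it now starts mid-sentence, "(:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found ...", because the leading ":cve:`2022-22815`" was moved into the note; restore the subject, e.g. ":cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``.", and cover the second CVE in the note as well.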
@ -97,41 +137,6 @@ Support has been added for the "title" argument in
argument will also now be supported, e.g. ``im.show(title="My Image")`` and
``ImageShow.show(im, title="My Image")``.

Security
========

Ensure JpegImagePlugin stops at the end of a truncated file
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

``JpegImagePlugin`` may append an EOF marker to the end of a truncated file, so that
the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite
loop where ``JpegImagePlugin`` keeps trying to end the file.

Remove consecutive duplicate tiles that only differ by their offset
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To prevent attempts to slow down loading times for images, if an image has consecutive
duplicate tiles that only differ by their offset, only load the last tile. Credit to
Google's `OSS-Fuzz`_ project for finding this issue.

Restrict builtins available to ImageMath.eval
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

:cve:`2022-22817`: To limit :py:class:`PIL.ImageMath` to working with images, Pillow
will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will
help prevent problems arising if users evaluate arbitrary expressions, such as
``ImageMath.eval("exec(exit())")``.

Fixed ImagePath.Path array handling
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

:cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were
found when initializing ``ImagePath.Path``.

.. _OSS-Fuzz: https://github.com/google/oss-fuzz

Other Changes
=============

@ -6,12 +6,26 @@ Security

This release addresses several security problems.

:cve:`2022-24303`: If the path to the temporary directory on Linux or macOS
Fix CVE-2022-24303
^^^^^^^^^^^^^^^^^^

Temp image removal

.. note:: More information about this vulnerability included in database record :cve:`2022-24303`

If the path to the temporary directory on Linux or macOS
contained a space, this would break removal of the temporary image file after
``im.show()`` (and related actions), and potentially remove an unrelated file. This
has been present since PIL.

:cve:`2022-22817`: While Pillow 9.0 restricted top-level builtins available to
Fix CVE-2022-24303
^^^^^^^^^^^^^^^^^^

Restrict lambda expressions

.. note:: More information about this vulnerability included in database record :cve:`2022-22817`

While Pillow 9.0 restricted top-level builtins available to
:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda
expressions. These are now also restricted.

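Review bot: the second heading added in the 9.0.1 hunk reads "Fix CVE-2022-24303", but its note and body concern :cve:`2022-22817` (builtins in lambda expressions passed to :py:meth:`PIL.ImageMath.eval`), so the heading duplicates the first entry's CVE; change it to "Fix CVE-2022-22817" (or "Fix CVE-2022-22817 -- Restrict lambda expressions" in the template form) so heading, note and body agree.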
@ -6,7 +6,14 @@ Security

This release addresses several security problems.

:cve:`2022-30595`: When reading a TGA file with RLE packets that cross scan lines,
Fix CVE-2022-30595
^^^^^^^^^^^^^^^^^^

Heap buffer overflow

.. note:: More information about this vulnerability included in database record :cve:`2022-30595`

When reading a TGA file with RLE packets that cross scan lines,
Pillow reads the information past the end of the first line without deducting that
from the length of the remaining file data. This vulnerability was introduced in Pillow
9.1.0, and can cause a heap buffer overflow.
@ -69,4 +69,5 @@ expected to be backported to earlier versions.
3.0.0
2.8.0
2.7.0
2.3.1
versioning
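Review bot: the "versioning" entry appended to the release notes index is not covered by the commit message (template CVE format, Security moved to the top, heading fixes, CVE note updates); either mention it there or split it into its own commit, and confirm a "versioning" document exists beside the version pages, since Sphinx warns about a toctree reference to a nonexisting document.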
@ -1,6 +1,21 @@
xx.y.z
------

Security
========

TODO
^^^^

TODO

Fix CVE-YYYY-XXXXX -- TODO
^^^^^^^^^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`YYYY-XXXXX`

TODO

Backwards Incompatible Changes
==============================

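Review bot: the template's note text "More information about this vulnerability included in database record :cve:`YYYY-XXXXX`" is missing its verb, and every release note in this commit copies it verbatim; fix it at the source, e.g. "More information about this vulnerability is included in database record :cve:`YYYY-XXXXX`", and propagate the wording to the 8.2.0, 8.3.0, 8.3.2, 9.0.0, 9.0.1 and 9.1.1 entries.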
@ -31,14 +46,6 @@ TODO

TODO

Security
========

TODO
^^^^

TODO

Other Changes
=============
