Clean up for #7864

Before back fill, clean up.

- Add suggested CVE format to template
- Move Security to the top of release notes
- Fix headings
- Update all existing CVE notes to match template
Alex Clark 2024-03-13 14:15:16 -04:00
parent 786ded02e8
commit 04f60eba9c
20 changed files with 570 additions and 306 deletions


@ -1,6 +1,35 @@
10.0.0
------
Security
========
Limit size even if one dimension is zero
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When performing decompression bomb checks, Pillow did not reject images with
excessive width and zero height, or zero width and excessive height. That has
now been fixed.
This effectively dates to the PIL fork, since problem images would still have
been processed before Pillow started checking for decompression bombs.
Fix CVE-2023-44271
^^^^^^^^^^^^^^^^^^
Added ImageFont.MAX_STRING_LENGTH.
.. note:: More information about this vulnerability included in database record :cve:`2023-44271`
To protect against potential DOS attacks when using arbitrary strings as text
input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
passed into ImageFont methods is over a certain limit,
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
This threshold can be changed by setting
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting
``ImageFont.MAX_STRING_LENGTH = None``.
Backwards Incompatible Changes
==============================
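Review bot: the note sentence introduced here, ".. note:: More information about this vulnerability included in database record :cve:`2023-44271`", has no verb and reads as a fragment; since this is the template text copied into every CVE entry in this commit, fix it once in the template and in each copy, e.g. "More information about this vulnerability is included in database record :cve:`2023-44271`" (or "is available in ..."). The one-line summary "Added ImageFont.MAX_STRING_LENGTH." would also read better with the :py:data:`PIL.ImageFont.MAX_STRING_LENGTH` role that the body already uses a few lines later.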
@ -157,31 +186,6 @@ Added ``alpha_only`` argument to ``getbbox()``
and the image has an alpha channel, trim transparent pixels. Otherwise, trim
pixels when all channels are zero.
Security
========
Limit size even if one dimension is zero
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When performing decompression bomb checks, Pillow did not reject images with
excessive width and zero height, or zero width and excessive height. That has
now been fixed.
This effectively dates to the PIL fork, since problem images would still have
been processed before Pillow started checking for decompression bombs.
Added ImageFont.MAX_STRING_LENGTH
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
:cve:`2023-44271`: To protect against potential DOS attacks when using arbitrary strings as text
input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
passed into ImageFont methods is over a certain limit,
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
This threshold can be changed by setting
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting
``ImageFont.MAX_STRING_LENGTH = None``.
Other Changes
=============


@ -4,9 +4,15 @@
Security
========
This release addresses :cve:`2023-4863`, by providing an updated install script and
updated wheels to include libwebp 1.3.2, preventing a potential heap buffer overflow
in WebP.
Fix CVE-2023-4863
^^^^^^^^^^^^^^^^^
Updated install script and wheels with libwebp 1.3.2
.. note:: More information about this vulnerability included in database record :cve:`2023-4863`
This release provides an updated install script and updated wheels to
include libwebp 1.3.2, preventing a potential heap buffer overflow in WebP.
Updated tests to pass with latest zlib version
==============================================


@ -1,6 +1,42 @@
10.2.0
------
Security
========
ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To protect against potential DOS attacks when using arbitrary strings as text input,
Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into
:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit,
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It
can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.
A decompression bomb check has also been added to
:py:meth:`PIL.ImageFont.ImageFont.getmask`.
ImageFont.getmask: Trim glyph size
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To protect against potential DOS attacks when using PIL fonts,
:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
they do not extend beyond the bitmap image.
Fix CVE-2023-50447
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ImageMath.eval: Restricted environment keys.
.. note:: More information about this vulnerability included in database record :cve:`2023-50447`
If an attacker has control over the keys passed to the
``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
arbitrary code. To prevent this, keys matching the names of builtins and keys
containing double underscores will now raise a :py:exc:`ValueError`.
Deprecations
============
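Review bot: the underline under "Fix CVE-2023-50447" is about 65 carets for an 18-character title; docutils accepts an over-long underline, but every other heading in this file is sized to its title, so trim it to 18. The first two entries in the section ("ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH" and "ImageFont.getmask: Trim glyph size") keep the older descriptive heading form while the CVE entry uses the new "Fix CVE-..." heading plus summary line; that is reasonable for non-CVE items, but confirm it is the intended convention before the backfill so the two forms are not mixed by accident.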
@ -63,38 +99,6 @@ JPEG tables-only streamtype
When saving JPEG files, ``streamtype`` can now be set to 1, for tables-only. This will
output only the quantization and Huffman tables for the image.
Security
========
ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To protect against potential DOS attacks when using arbitrary strings as text input,
Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into
:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit,
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It
can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.
A decompression bomb check has also been added to
:py:meth:`PIL.ImageFont.ImageFont.getmask`.
ImageFont.getmask: Trim glyph size
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To protect against potential DOS attacks when using PIL fonts,
:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
they do not extend beyond the bitmap image.
ImageMath.eval: Restricted environment keys
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
:cve:`2023-50447`: If an attacker has control over the keys passed to the
``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
arbitrary code. To prevent this, keys matching the names of builtins and keys
containing double underscores will now raise a :py:exc:`ValueError`.
Other Changes
=============


@ -1,12 +1,19 @@
3.1.1
=====
-----
CVE-2016-0740 -- Buffer overflow in TiffDecode.c
------------------------------------------------
Security
========
Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64
may overflow a buffer when reading a specially crafted tiff file (:cve:`2016-0740`).
Fix CVE-2016-0740
^^^^^^^^^^^^^^^^^
Buffer overflow in TiffDecode.c.
.. note:: More information about this vulnerability included in database record :cve:`2016-0740`
Pillow 3.1.0 and earlier when linked against
libtiff >= 4.0.0 on x64 may overflow a buffer when reading a
specially crafted tiff file.
Specifically, libtiff >= 4.0.0 changed the return type of
``TIFFScanlineSize`` from ``int32`` to machine dependent
@ -19,12 +26,15 @@ image data over 64k is written over the heap, causing a segfault.
This issue was found by security researcher FourOne.
Fix CVE-2016-0775
^^^^^^^^^^^^^^^^^
CVE-2016-0775 -- Buffer overflow in FliDecode.c
-----------------------------------------------
Buffer overflow in FliDecode.c.
In all versions of Pillow, dating back at least to the last PIL 1.1.7
release, FliDecode.c has a buffer overflow error (:cve:`2016-0775`).
.. note:: More information about this vulnerability included in database record :cve:`2016-0775`
In all versions of Pillow, dating back at least to
the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error.
Around line 192:
@ -49,11 +59,15 @@ off the end of the memory buffer, causing a segfault.
This issue was found by Alyssa Besseling at Atlassian.
CVE-2016-2533 -- Buffer overflow in PcdDecode.c
-----------------------------------------------
Fix CVE-2016-2533
^^^^^^^^^^^^^^^^^
In all versions of Pillow, dating back at least to the last PIL 1.1.7
release, ``PcdDecode.c`` has a buffer overflow error (:cve:`2016-2533`).
Buffer overflow in PcdDecode.c.
.. note:: More information about this vulnerability available in :cve:`2016-2533`
In all versions of Pillow, dating back at least to the
last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error.
The ``state.buffer`` for ``PcdDecode.c`` is allocated based on a 3
bytes per pixel sizing, where ``PcdDecode.c`` wrote into the buffer
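Review bot: the note for this entry, ".. note:: More information about this vulnerability available in :cve:`2016-2533`", uses different wording from every other note in the commit ("... included in database record ..."); use the template sentence here as well so a later search-and-replace on the template text catches all entries.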
@ -62,7 +76,7 @@ the buffer into other Python object storage. In some cases, this
causes a segfault, in others an internal Python malloc error.
Integer overflow in Resample.c
------------------------------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If a large value was passed into the new size for an image, it is
possible to overflow an ``int32`` value passed into malloc.


@ -1,13 +1,19 @@
3.1.2
=====
-----
CVE-2016-3076 -- Buffer overflow in Jpeg2KEncode.c
--------------------------------------------------
Security
========
Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing
large Jpeg2000 files, allowing for code execution or other memory
corruption (:cve:`2016-3076`).
Fix CVE-2016-3076
^^^^^^^^^^^^^^^^^
Buffer overflow in Jpeg2KEncode.c.
.. note:: More information about this vulnerability included in database record :cve:`2016-3076`
Pillow between 2.5.0 and 3.1.1 may overflow a buffer
when writing large Jpeg2000 files, allowing for code execution or other
memory corruption.
This occurs specifically in the function ``j2k_encode_entry``, at the line:


@ -1,6 +1,38 @@
6.2.0
-----
Security
========
This release catches several buffer overruns and fixes CVE-2019-16865.
Buffer overruns
^^^^^^^^^^^^^^^
In RawDecode.c, an error is now thrown if skip is calculated to be less than
zero. It is intended to skip padding between lines, not to go backwards.
In PsdImagePlugin, if the combined sizes of the individual parts is larger than
the declared size of the extra data field, then it looked for the next layer by
seeking backwards. This is now corrected by seeking to (the start of the layer
+ the size of the extra data field) instead of (the read parts of the layer +
the rest of the layer).
Decompression bomb checks have been added to GIF and ICO formats.
An error is now raised if a TIFF dimension is a string, rather than trying to
perform operations on it.
Fix CVE-2019-16865
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
DOS attack vulnerabilities.
.. note:: More information about this vulnerability included in database record :cve:`2019-16865`
The CVE is regarding DOS problems, such as consuming large
amounts of memory, or taking a large amount of time to process an image.
API Additions
=============
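Review bot: the underline under "Fix CVE-2019-16865" is roughly three times the length of the title; trim it to match, as the other new headings do. The opening sentence "This release catches several buffer overruns and fixes CVE-2019-16865." also drops the :cve: role that the removed text used (":cve:`2019-16865`"); keep the role in body prose so the identifier is linked, and reserve the bare "CVE-..." form for headings.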
@ -65,27 +97,6 @@ There has been a longstanding warning that the defaults of ``Image.frombuffer``
may change in the future for the "raw" decoder. The change will now take place
in Pillow 7.0.
Security
========
This release catches several buffer overruns, as well as addressing
:cve:`2019-16865`. The CVE is regarding DOS problems, such as consuming large
amounts of memory, or taking a large amount of time to process an image.
In RawDecode.c, an error is now thrown if skip is calculated to be less than
zero. It is intended to skip padding between lines, not to go backwards.
In PsdImagePlugin, if the combined sizes of the individual parts is larger than
the declared size of the extra data field, then it looked for the next layer by
seeking backwards. This is now corrected by seeking to (the start of the layer
+ the size of the extra data field) instead of (the read parts of the layer +
the rest of the layer).
Decompression bomb checks have been added to GIF and ICO formats.
An error is now raised if a TIFF dimension is a string, rather than trying to
perform operations on it.
Other Changes
=============


@ -4,15 +4,56 @@
Security
========
This release addresses several security problems.
This release fixes several buffer overruns and DOS attacks reported in CVE-2019-19911, CVE-2020-5310, CVE-2020-5311, CVE-2020-5312 and CVE-2020-5313.
:cve:`2019-19911` is regarding FPX images. If an image reports that it has a large
number of bands, a large amount of resources will be used when trying to process the
image. This is fixed by limiting the number of bands to those usable by Pillow.
Fix CVE-2019-19911
^^^^^^^^^^^^^^^^^^
Buffer overruns were found when processing an SGI (:cve:`2020-5311`),
PCX (:cve:`2020-5312`) or FLI image (:cve:`2020-5313`). Checks have been added
to prevent this.
DOS attack vulnerability.
:cve:`2020-5310`: Overflow checks have been added when calculating the size of a
.. note:: More information about this vulnerability included in database record :cve:`2019-19911`
If an FPX image reports that it has a large number of bands, a large amount of
resources will be used when trying to process the image. This is fixed by
limiting the number of bands to those usable by Pillow.
Fix CVE-2020-5310
^^^^^^^^^^^^^^^^^
Overflow checks added to TIFF image processing.
.. note:: More information about this vulnerability included in database record :cve:`2020-5310`
Overflow checks have been added when calculating the size of a
memory block to be reallocated in the processing of a TIFF image.
Fix CVE-2020-5311
^^^^^^^^^^^^^^^^^
Overflow checks added to SGI image processing.
.. note:: More information about this vulnerability included in database record :cve:`2020-5311`
Buffer overruns were found when processing an SGI image. Checks
have been added to prevent this.
Fix CVE-2020-5312
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Overflow checks added to PCX image processing.
.. note:: More information about this vulnerability included in database record :cve:`2020-5312`
Buffer overruns were found when processing an SGI PCX. Checks have
been added to prevent this.
Fix CVE-2020-5313
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Overflow checks added to FLI image processing.
.. note:: More information about this vulnerability included in database record :cve:`2020-5313`
Buffer overruns were found when processing an FLI image. Checks
have been added to prevent this.
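Review bot: the body under "Fix CVE-2020-5312" reads "Buffer overruns were found when processing an SGI PCX." which is a copy-paste leftover from the SGI entry above; it should say "when processing a PCX image." The summary lines for 5311, 5312 and 5313 ("Overflow checks added to SGI image processing." and so on) also describe the fix as overflow checks, while the removed text for those three only said "Checks have been added to prevent this." against buffer overruns; "Bounds checks added to ..." stays closer to the source. Finally, the underlines under "Fix CVE-2020-5312" and "Fix CVE-2020-5313" are much longer than their titles; trim them to 17 characters like the neighbouring headings.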


@ -1,6 +1,46 @@
7.1.0
-----
Security
========
This release includes many security fixes.
Fix CVE-2020-10177
^^^^^^^^^^^^^^^^^^
Multiple out-of-bounds reads in FLI decoding.
.. note:: More information about this vulnerability included in database record :cve:`2020-10177`
Fix CVE-2020-10378
^^^^^^^^^^^^^^^^^^
Bounds overflow in PCX decoding.
.. note:: More information about this vulnerability included in database record :cve:`2020-10378`
Fix CVE-2020-10379
^^^^^^^^^^^^^^^^^^
Two buffer overflows in TIFF decoding
.. note:: More information about this vulnerability included in database record :cve:`2020-10379`
Fix CVE-2020-10994
^^^^^^^^^^^^^^^^^^
Bounds overflow in JPEG 2000 decoding
.. note:: More information about this vulnerability included in database record :cve:`2020-10994`
Fix CVE-2020-11538
^^^^^^^^^^^^^^^^^^
Buffer overflow in SGI-RLE decoding
.. note:: More information about this vulnerability included in database record :cve:`2020-11538`
API Changes
===========
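Review bot: the summary lines in this section are punctuated inconsistently: "Multiple out-of-bounds reads in FLI decoding." and "Bounds overflow in PCX decoding." end with a period, but "Two buffer overflows in TIFF decoding", "Bounds overflow in JPEG 2000 decoding" and "Buffer overflow in SGI-RLE decoding" do not. Pick one form for the template summary line and apply it to all five.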
@ -67,17 +107,6 @@ Passing a different value on Windows or macOS will force taking a snapshot
using the selected X server; pass an empty string to use the default X server.
XCB support is not included in pre-compiled wheels for Windows and macOS.
Security
========
This release includes security fixes.
* :cve:`2020-10177` Fix multiple out-of-bounds reads in FLI decoding
* :cve:`2020-10378` Fix bounds overflow in PCX decoding
* :cve:`2020-10379` Fix two buffer overflows in TIFF decoding
* :cve:`2020-10994` Fix bounds overflow in JPEG 2000 decoding
* :cve:`2020-11538` Fix buffer overflow in SGI-RLE decoding
Other Changes
=============


@ -4,7 +4,14 @@
Security
========
Update FreeType used in binary wheels to `2.10.4`_ to fix :cve:`2020-15999`:
Fix CVE-2020-15999
^^^^^^^^^^^^^^^^^^
Update FreeType version in wheels.
.. note:: More information about this vulnerability included in database record :cve:`2020-15999`
Update FreeType used in binary wheels to `2.10.4`_.
- A heap buffer overflow has been found in the handling of embedded PNG bitmaps,
introduced in FreeType version 2.6.
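Review bot: the rewritten sentence "Update FreeType used in binary wheels to `2.10.4`_." now ends with a period, but the removed line ended with a colon because the bullet that follows ("- A heap buffer overflow has been found in the handling of embedded PNG bitmaps, ...") is the continuation of that sentence; as written the bullet is orphaned. Restore the colon, e.g. "Update FreeType used in binary wheels to `2.10.4`_ to fix the following:", or fold the bullet into the paragraph.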


@ -1,6 +1,62 @@
8.1.0
-----
Security
========
This release includes security fixes.
* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF
* An out-of-bounds read when saving a GIF of 1px width
Fix CVE-2020-35653
^^^^^^^^^^^^^^^^^^
Buffer read overrun in PCX decoding.
.. note:: More information about this vulnerability included in database record :cve:`2020-35653`
The PCX image decoder used the reported image stride to calculate
the row buffer, rather than calculating it from the image size. This issue dates back
to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this.
Fix CVE-2020-35654
^^^^^^^^^^^^^^^^^^
TIFF out-of-bounds write error.
.. note:: More information about this vulnerability included in database record :cve:`2020-35654`
Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr
files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04).
In some cases LibTIFF's interpretation of the file is different when reading in RGBA mode,
leading to an out-of-bounds write in ``TiffDecode.c``. This potentially affects Pillow
versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through
`Tidelift`_.
Fix CVE-2020-35655
^^^^^^^^^^^^^^^^^^
SGI Decode buffer overrun
.. note:: More information about this vulnerability included in database record :cve:`2020-35655`
4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly
checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's
`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1.
.. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs
.. _OSS-Fuzz: https://github.com/google/oss-fuzz
Dependencies
^^^^^^^^^^^^
OpenJPEG in the macOS and Linux wheels has been updated from 2.3.1 to 2.4.0, including
security fixes.
LibTIFF in the macOS and Linux wheels has been updated from 4.1.0 to 4.2.0, including
security fixes discovered by fuzzers.
Deprecations
============
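Review bot: the two non-CVE fixes ("An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF" and "An out-of-bounds read when saving a GIF of 1px width") are left as bare bullets under "This release includes security fixes.", while the 6.2.0 notes in this same commit put their non-CVE items under their own "^^^" subsection ("Buffer overruns"); give these two the same treatment so the section structure is uniform across releases. Minor: "SGI Decode buffer overrun" is the only summary line here without a terminal period.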
@ -33,46 +89,6 @@ With this release, a list of images can be provided to the ``append_images`` par
when saving, to replace the scaled down versions. This is the same functionality that
already exists for the ICNS format.
Security
========
This release includes security fixes.
* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF
* An out-of-bounds read when saving a GIF of 1px width
* :cve:`2020-35653` Buffer read overrun in PCX decoding
The PCX image decoder used the reported image stride to calculate the row buffer,
rather than calculating it from the image size. This issue dates back to the PIL fork.
Thanks to Google's `OSS-Fuzz`_ project for finding this.
* :cve:`2020-35654` Fix TIFF out-of-bounds write error
Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr files in some
LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). In some cases
LibTIFF's interpretation of the file is different when reading in RGBA mode, leading to
an out-of-bounds write in ``TiffDecode.c``. This potentially affects Pillow versions
from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through
`Tidelift`_.
* :cve:`2020-35655` Fix for SGI Decode buffer overrun
4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly checking the
offsets and length tables. Independently reported through `Tidelift`_ and Google's
`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1.
.. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs
.. _OSS-Fuzz: https://github.com/google/oss-fuzz
Dependencies
^^^^^^^^^^^^
OpenJPEG in the macOS and Linux wheels has been updated from 2.3.1 to 2.4.0, including
security fixes.
LibTIFF in the macOS and Linux wheels has been updated from 4.1.0 to 4.2.0, including
security fixes discovered by fuzzers.
Other Changes
=============


@ -4,20 +4,51 @@
Security
========
:cve:`2021-25289`: The previous fix for :cve:`2020-35654` was insufficient
due to incorrect error checking in ``TiffDecode.c``.
Fix CVE-2021-25289
^^^^^^^^^^^^^^^^^^
:cve:`2021-25290`: In ``TiffDecode.c``, there is a negative-offset ``memcpy``
The previous fix for CVE-2020-35654 was insufficient.
.. note:: More information about this vulnerability included in database record :cve:`2021-25289`
The previous fix for :cve:`2020-35654` was insufficient due to incorrect error checking in ``TiffDecode.c``.
Fix CVE-2021-25290
^^^^^^^^^^^^^^^^^^
In ``TiffDecode.c`` there is a negative-offset.
.. note:: More information about this vulnerability included in database record :cve:`2021-25290`
In ``TiffDecode.c``, there is a negative-offset ``memcpy``
with an invalid size.
:cve:`2021-25291`: In ``TiffDecode.c``, invalid tile boundaries could lead to
Fix CVE-2021-25291
^^^^^^^^^^^^^^^^^^
``TiffDecode.c`` has invalid tile boundaries.
.. note:: More information about this vulnerability included in database record :cve:`2021-25291`
In ``TiffDecode.c``, invalid tile boundaries could lead to
an out-of-bounds read in ``TIFFReadRGBATile``.
:cve:`2021-25292`: The PDF parser has a catastrophic backtracking regex
Fix CVE-2021-25292
^^^^^^^^^^^^^^^^^^
The PDF parser has a catastrophic backtracking regex.
.. note:: More information about this vulnerability included in database record :cve:`2021-25292`:
The PDF parser has a catastrophic backtracking regex
that could be used as a DOS attack.
:cve:`2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c``,
since Pillow 4.3.0.
Fix CVE-2021-25293
^^^^^^^^^^^^^^^^^^
There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0.
.. note:: More information about this vulnerability included in database record :cve:`2021-25293`
Other Changes
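Review bot: the summary line "In ``TiffDecode.c`` there is a negative-offset." is a fragment; the body below says what it is, so use "In ``TiffDecode.c`` there is a negative-offset ``memcpy`` with an invalid size." Likewise "``TiffDecode.c`` has invalid tile boundaries." misattributes the problem to the decoder; the issue is that a file with invalid tile boundaries leads to an out-of-bounds read in ``TIFFReadRGBATile``, so something like "Invalid tile boundaries cause an out-of-bounds read in ``TiffDecode.c``." is more accurate. Also: "The previous fix for CVE-2020-35654 was insufficient." drops the :cve: role that the body line beneath it uses, and the note for CVE-2021-25292 ends with a stray colon after the role.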


@ -4,9 +4,41 @@
Security
========
There is an exhaustion of memory DOS in the BLP (:cve:`2021-27921`),
ICNS (:cve:`2021-27922`) and ICO (:cve:`2021-27923`) container formats
where Pillow did not properly check the reported size of the contained image.
These images could cause arbitrarily large memory allocations. This was reported
by Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan of
`Arizona State University <https://www.asu.edu/>`_.
Fix CVE-2021-27921
^^^^^^^^^^^^^^^^^^
There is an exhaustion of memory DOS in BLP images.
.. note:: More information about this vulnerability included in database record :cve:`2021-27921`
There is an exhaustion of memory DOS in BLP
images where Pillow did not properly check the reported size of the
contained image. These images could cause arbitrarily large memory
allocations.
Fix CVE-2021-27922
^^^^^^^^^^^^^^^^^^
There is an exhaustion of memory DOS in ICNS images.
.. note:: More information about this vulnerability included in database record :cve:`2021-27921`
There is an exhaustion of memory DOS in the ICNS
images where Pillow did not properly check the reported size of the
contained image. These images could cause arbitrarily large memory
allocations.
Fix CVE-2021-27923
^^^^^^^^^^^^^^^^^^
There is an exhaustion of memory DOS in ICO images.
.. note:: More information about this vulnerability included in database record :cve:`2021-27923`
There is an exhaustion of memory DOS in ICO
images where Pillow did not properly check the reported size of the
contained image. These images could cause arbitrarily large memory
allocations.
These were reported by Jiayi Lin, Luke Shaffer, Xinran Xie and
Akshay Ajayan of `Arizona State University <https://www.asu.edu/>`_.
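Review bot: the note under "Fix CVE-2021-27922" points at the wrong record: ".. note:: More information about this vulnerability included in database record :cve:`2021-27921`" repeats the BLP identifier, and should be :cve:`2021-27922` to match the ICNS heading above it. Small wording nit in the same entry: "in the ICNS images" should be "in ICNS images", as in the BLP and ICO entries.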


@ -1,6 +1,73 @@
8.2.0
-----
Security
========
These were all found with `OSS-Fuzz`_.
Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OOB read in Jpeg2KDecode
.. note:: More information about these vulnerabilities included in database records
:cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675`
* For J2k images with multiple bands, it's legal to have different widths for each band,
e.g. 1 byte for ``L``, 4 bytes for ``A``.
* This dates to Pillow 2.4.0.
Fix CVE-2021-28675 -- DOS attack in PsdImagePlugin
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. note:: More information about this vulnerability included in database record :cve:`2021-28675`
* :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input
layers with regard to the size of the data block, this could lead to a
denial-of-service on :py:meth:`~PIL.Image.open` prior to
:py:meth:`~PIL.Image.Image.load`.
* This dates to the PIL fork.
Fix CVE-2021-28676 -- FLI image DOS attack
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. note:: More information about this vulnerability included in database record :cve:`2021-28676`
* ``FliDecode.c`` did not properly check that the block advance was non-zero,
potentially leading to an infinite loop on load.
* This dates to the PIL fork.
Fix CVE-2021-28677 -- EPS DOS on _open
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. note:: More information about this vulnerability included in database record :cve:`2021-28677`
* The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line
endings. It accidentally used a quadratic method of accumulating lines while looking
for a line ending.
* A malicious EPS file could use this to perform a denial-of-service of Pillow in the
open phase, before an image was accepted for opening.
* This dates to the PIL fork.
CVE-2021-28678 -- BLP DOS attack
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. note:: More information about this vulnerability included in database record :cve:`2021-28678`
* ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets
returned data. This could lead to a denial-of-service where the decoder could be run a
large number of times on empty data.
* This dates to Pillow 5.1.0.
Fix memory DOS in ImageFont
^^^^^^^^^^^^^^^^^^^^^^^^^^^
* A corrupt or specially crafted TTF font could have font metrics that lead to
unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check
the image size before allocating memory for it.
* This dates to the PIL fork.
Deprecations
============
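Review bot: the heading "Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675" and the note under it list CVE-2021-28675 with the Jpeg2KDecode OOB read, but that identifier belongs to the PsdImagePlugin DOS, which has its own entry a few lines below ("Fix CVE-2021-28675 -- DOS attack in PsdImagePlugin"); the removed heading only listed 25287 and 25288, so drop 28675 from both the heading and the note. Two consistency points in the same hunk: "CVE-2021-28678 -- BLP DOS attack" is missing the "Fix" prefix the other headings carry, and this file uses "Fix CVE-X -- description" headings where the other release notes in this commit use "Fix CVE-X" plus a separate summary line; settle on one before backfilling.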
@ -123,61 +190,6 @@ be specified through a keyword argument::
im.save("out.tif", icc_profile=...)
Security
========
These were all found with `OSS-Fuzz`_.
:cve:`2021-25287`, :cve:`2021-25288`: Fix OOB read in Jpeg2KDecode
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* For J2k images with multiple bands, it's legal to have different widths for each band,
e.g. 1 byte for ``L``, 4 bytes for ``A``.
* This dates to Pillow 2.4.0.
:cve:`2021-28675`: Fix DOS in PsdImagePlugin
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input
layers with regard to the size of the data block, this could lead to a
denial-of-service on :py:meth:`~PIL.Image.open` prior to
:py:meth:`~PIL.Image.Image.load`.
* This dates to the PIL fork.
:cve:`2021-28676`: Fix FLI DOS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* ``FliDecode.c`` did not properly check that the block advance was non-zero,
potentially leading to an infinite loop on load.
* This dates to the PIL fork.
:cve:`2021-28677`: Fix EPS DOS on _open
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line
endings. It accidentally used a quadratic method of accumulating lines while looking
for a line ending.
* A malicious EPS file could use this to perform a denial-of-service of Pillow in the
open phase, before an image was accepted for opening.
* This dates to the PIL fork.
:cve:`2021-28678`: Fix BLP DOS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets
returned data. This could lead to a denial-of-service where the decoder could be run a
large number of times on empty data.
* This dates to Pillow 5.1.0.
Fix memory DOS in ImageFont
^^^^^^^^^^^^^^^^^^^^^^^^^^^
* A corrupt or specially crafted TTF font could have font metrics that lead to
unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check
the image size before allocating memory for it.
* This dates to the PIL fork.
Other Changes
=============


@ -1,6 +1,34 @@
8.3.0
-----
Security
========
Buffer overflow
^^^^^^^^^^^^^^^
Fix CVE-2021-34552
^^^^^^^^^^^^^^^^^^
Buffer overflow
.. note:: More information about this vulnerability included in database record :cve:`2021-34552`
PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger
buffer overflow in Convert.c.
Parsing XML
^^^^^^^^^^^
Pillow previously parsed XMP data using Python's ``xml`` module. However, this module
is not secure.
- :py:meth:`~PIL.Image.Image.getexif` has used ``xml`` to potentially retrieve
orientation data since Pillow 7.2.0. It has been refactored to use ``re`` instead.
- :py:meth:`~PIL.JpegImagePlugin.JpegImageFile.getxmp` was added in Pillow 8.2.0. It
will now use ``defusedxml`` instead. If the dependency is not present, an empty
dictionary will be returned and a warning raised.
Deprecations
============
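Review bot: the new section opens with an empty subsection: "Buffer overflow" with its "^^^" underline is immediately followed by the "Fix CVE-2021-34552" heading at the same level, so it renders as a heading with no body. The "Buffer overflow" summary line under the CVE heading already carries that title, so delete the first heading pair (and add a period to the summary line to match the other entries).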
@ -79,28 +107,6 @@ format, through the new ``bitmap_format`` argument::
im.save("out.ico", bitmap_format="bmp")
Security
========
Buffer overflow
^^^^^^^^^^^^^^^
This release addresses :cve:`2021-34552`. PIL since 1.1.4 and Pillow since 1.0
allowed parameters passed into a convert function to trigger buffer overflow in
Convert.c.
Parsing XML
^^^^^^^^^^^
Pillow previously parsed XMP data using Python's ``xml`` module. However, this module
is not secure.
- :py:meth:`~PIL.Image.Image.getexif` has used ``xml`` to potentially retrieve
orientation data since Pillow 7.2.0. It has been refactored to use ``re`` instead.
- :py:meth:`~PIL.JpegImagePlugin.JpegImageFile.getxmp` was added in Pillow 8.2.0. It
will now use ``defusedxml`` instead. If the dependency is not present, an empty
dictionary will be returned and a warning raised.
Other Changes
=============


@ -4,14 +4,25 @@
Security
========
* :cve:`2021-23437`: Avoid a potential ReDoS (regular expression denial of service)
in :py:class:`~PIL.ImageColor`'s :py:meth:`~PIL.ImageColor.getrgb` by raising
:py:exc:`ValueError` if the color specifier is too long. Present since Pillow 5.2.0.
Fix CVE-2021-23437
^^^^^^^^^^^^^^^^^^
* Fix 6-byte out-of-bounds (OOB) read. The previous bounds check in ``FliDecode.c``
incorrectly calculated the required read buffer size when copying a chunk, potentially
reading six extra bytes off the end of the allocated buffer from the heap. Present
since Pillow 7.1.0. This bug was found by Google's `OSS-Fuzz`_ `CIFuzz`_ runs.
Avoid potential ReDoS (regular expression denial of service)
.. note:: More information about this vulnerability included in database record :cve:`2021-23437`
Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s
:py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is
too long. Present since Pillow 5.2.0.
Fix 6-byte out-of-bounds (OOB) read
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Fix 6-byte out-of-bounds (OOB) read. The previous bounds check in ``FliDecode.c`` incorrectly
calculated the required read buffer size when copying a chunk, potentially reading six extra
bytes off the end of the allocated buffer from the heap. Present since Pillow 7.1.0.
This bug was found by Google's `OSS-Fuzz`_ `CIFuzz`_ runs.
Other Changes
=============
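Review bot: under "Fix 6-byte out-of-bounds (OOB) read" the body's first sentence repeats the heading verbatim ("Fix 6-byte out-of-bounds (OOB) read."); start the paragraph at "The previous bounds check in ``FliDecode.c`` ..." instead. The CVE entry's summary line "Avoid potential ReDoS (regular expression denial of service)" also lacks the terminal period used by the other summary lines.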


@ -24,6 +24,46 @@ success of Python.
Thank you, Fredrik.
Security
========
Ensure JpegImagePlugin stops at the end of a truncated file
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
``JpegImagePlugin`` may append an EOF marker to the end of a truncated file, so that
the last segment of the data will still be processed by the decoder.
If the EOF marker is not detected as such however, this could lead to an infinite
loop where ``JpegImagePlugin`` keeps trying to end the file.
Remove consecutive duplicate tiles that only differ by their offset
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To prevent attempts to slow down loading times for images, if an image has consecutive
duplicate tiles that only differ by their offset, only load the last tile. Credit to
Google's `OSS-Fuzz`_ project for finding this issue.
Fix CVE-2022-22817
^^^^^^^^^^^^^^^^^^
Restrict builtins available to ImageMath.eval
.. note:: More information about this vulnerability included in database record :cve:`2022-22817`
To limit :py:class:`PIL.ImageMath` to working with images, Pillow
will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will
help prevent problems arising if users evaluate arbitrary expressions, such as
``ImageMath.eval("exec(exit())")``.
Fix CVE-2022-22817 -- ImagePath.Path array handling
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. note:: More information about this vulnerability included in database record :cve:`2022-22815`
(:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``.
.. _OSS-Fuzz: https://github.com/google/oss-fuzz
Backwards Incompatible Changes
==============================
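Review bot: the heading `Fix CVE-2022-22817 -- ImagePath.Path array handling` reuses the CVE id of the ImageMath.eval entry immediately above it, while its own `.. note::` cites :cve:`2022-22815` and :cve:`2022-22816`; the removed copy in the next hunk (`Fixed ImagePath.Path array handling`) attributes this fix to 22815/22816, so this looks like a copy-paste slip. Suggest `Fix CVE-2022-22815 and CVE-2022-22816 -- ImagePath.Path array handling` with the underline lengthened to match. Two further points in the same hunk: "Restrict builtins available to ImageMath.eval" sits as a loose paragraph between the heading and the note instead of in the heading (`Fix CVE-2022-22817 -- Restrict builtins available to ImageMath.eval`), and the ImagePath entry has the original description ("... were found when initializing ``ImagePath.Path``") merged into the `.. note::` directive, so it will render inside the admonition rather than as body text; move that sentence to its own paragraph after the note.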
@ -97,41 +137,6 @@ Support has been added for the "title" argument in
argument will also now be supported, e.g. ``im.show(title="My Image")`` and
``ImageShow.show(im, title="My Image")``.
Security
========
Ensure JpegImagePlugin stops at the end of a truncated file
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
``JpegImagePlugin`` may append an EOF marker to the end of a truncated file, so that
the last segment of the data will still be processed by the decoder.
If the EOF marker is not detected as such however, this could lead to an infinite
loop where ``JpegImagePlugin`` keeps trying to end the file.
Remove consecutive duplicate tiles that only differ by their offset
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To prevent attempts to slow down loading times for images, if an image has consecutive
duplicate tiles that only differ by their offset, only load the last tile. Credit to
Google's `OSS-Fuzz`_ project for finding this issue.
Restrict builtins available to ImageMath.eval
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
:cve:`2022-22817`: To limit :py:class:`PIL.ImageMath` to working with images, Pillow
will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will
help prevent problems arising if users evaluate arbitrary expressions, such as
``ImageMath.eval("exec(exit())")``.
Fixed ImagePath.Path array handling
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
:cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were
found when initializing ``ImagePath.Path``.
.. _OSS-Fuzz: https://github.com/google/oss-fuzz
Other Changes
=============

@ -6,12 +6,26 @@ Security
This release addresses several security problems.
:cve:`2022-24303`: If the path to the temporary directory on Linux or macOS
Fix CVE-2022-24303
^^^^^^^^^^^^^^^^^^
Temp image removal
.. note:: More information about this vulnerability included in database record :cve:`2022-24303`
If the path to the temporary directory on Linux or macOS
contained a space, this would break removal of the temporary image file after
``im.show()`` (and related actions), and potentially remove an unrelated file. This
has been present since PIL.
:cve:`2022-22817`: While Pillow 9.0 restricted top-level builtins available to
Fix CVE-2022-24303
^^^^^^^^^^^^^^^^^^
Restrict lambda expressions
.. note:: More information about this vulnerability included in database record :cve:`2022-22817`
While Pillow 9.0 restricted top-level builtins available to
:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda
expressions. These are now also restricted.
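Review bot: the second heading in this hunk is wrong: `Fix CVE-2022-24303` appears twice, but the second entry is the lambda-expression restriction, which the removed prefix line (`:cve:\`2022-22817\`: While Pillow 9.0 restricted ...`) and the entry's own `.. note::` attribute to :cve:`2022-22817`. Change it to `Fix CVE-2022-22817 -- Restrict lambda expressions`, and likewise make the first one `Fix CVE-2022-24303 -- Temp image removal`, so that "Temp image removal" and "Restrict lambda expressions" become part of the titles (with underlines extended) instead of rendering as loose paragraphs between the heading and the note. The surviving intro line "This release addresses several security problems." now precedes headed subsections rather than a list; harmless, but worth a quick reread for flow.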

@ -6,7 +6,14 @@ Security
This release addresses several security problems.
:cve:`2022-30595`: When reading a TGA file with RLE packets that cross scan lines,
Fix CVE-2022-30595
^^^^^^^^^^^^^^^^^^
Heap buffer overflow
.. note:: More information about this vulnerability included in database record :cve:`2022-30595`
When reading a TGA file with RLE packets that cross scan lines,
Pillow reads the information past the end of the first line without deducting that
from the length of the remaining file data. This vulnerability was introduced in Pillow
9.1.0, and can cause a heap buffer overflow.
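Review bot: "Heap buffer overflow" directly under `Fix CVE-2022-30595` is a loose paragraph rather than part of the heading; per the `Fix CVE-YYYY-XXXXX -- TODO` template added in this commit it should read `Fix CVE-2022-30595 -- Heap buffer overflow` with the `^` underline extended to the new title length. The same leftover intro line ("This release addresses several security problems.") applies here as in the 9.0.1 hunk.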

@ -69,4 +69,5 @@ expected to be backported to earlier versions.
3.0.0
2.8.0
2.7.0
2.3.1
versioning
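Review bot: adding `2.3.1` to the release-notes toctree requires a matching `2.3.1.rst` document in the same directory, which is not visible in this part of the diff; confirm it is included in the changeset, otherwise Sphinx will warn about a toctree entry for a nonexistent document. The position (descending order, below 2.7.0 and above the `versioning` entry) is consistent with the existing list.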

@ -1,6 +1,21 @@
xx.y.z
------
Security
========
TODO
^^^^
TODO
Fix CVE-YYYY-XXXXX -- TODO
^^^^^^^^^^^^^^^^^^^^^^^^^^
.. note:: More information about this vulnerability included in database record :cve:`YYYY-XXXXX`
TODO
Backwards Incompatible Changes
==============================
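Review bot: the `Fix CVE-YYYY-XXXXX -- TODO` entry gives no hint that the `^` underline has to be lengthened when the placeholder title is replaced; every CVE heading rewritten elsewhere in this commit ends up longer than the placeholder, so an RST comment (e.g. `.. underline must be at least as long as the title`) or a deliberately generous underline would avoid the Sphinx warning. A second comment distinguishing the plain `TODO` heading (for non-CVE hardening such as the FliDecode OOB read entry above) from the CVE entry would tell authors which block to copy, and the `.. note::` line should be kept verbatim so the `:cve:` role resolves to the database record.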
@ -31,14 +46,6 @@ TODO
TODO
Security
========
TODO
^^^^
TODO
Other Changes
=============