Clean up for #7864

docs/releasenotes/10.0.0.rst

@@ -17,10 +17,10 @@ been processed before Pillow started checking for decompression bombs.
 Fix CVE-2023-44271
 ^^^^^^^^^^^^^^^^^^
 
-Added ImageFont.MAX_STRING_LENGTH.
-
 .. note:: More information about this vulnerability included in database record :cve:`2023-44271`
 
+Added ImageFont.MAX_STRING_LENGTH.
+
 To protect against potential DOS attacks when using arbitrary strings as text
 input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
 passed into ImageFont methods is over a certain limit,

docs/releasenotes/10.0.1.rst

@@ -7,8 +7,6 @@ Security
 Fix CVE-2023-4863
 ^^^^^^^^^^^^^^^^^
 
-Updated install script and wheels with libwebp 1.3.2
-
 .. note:: More information about this vulnerability included in database record :cve:`2023-4863`
 
 This release provides an updated install script and updated wheels to

docs/releasenotes/10.2.0.rst

@@ -28,10 +28,10 @@ they do not extend beyond the bitmap image.
 Fix CVE-2023-50447
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-ImageMath.eval: Restricted environment keys.
-
 .. note:: More information about this vulnerability included in database record :cve:`2023-50447`
 
+ImageMath.eval: Restricted environment keys.
+
 If an attacker has control over the keys passed to the
 ``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
 arbitrary code. To prevent this, keys matching the names of builtins and keys

docs/releasenotes/3.1.1.rst

@@ -7,10 +7,10 @@ Security
 Fix CVE-2016-0740
 ^^^^^^^^^^^^^^^^^
 
-Buffer overflow in TiffDecode.c.
-
 .. note:: More information about this vulnerability included in database record :cve:`2016-0740`
 
+Buffer overflow in TiffDecode.c.
+
 Pillow 3.1.0 and earlier when linked against
 libtiff >= 4.0.0 on x64 may overflow a buffer when reading a
 specially crafted tiff file. 
@@ -29,10 +29,10 @@ This issue was found by security researcher FourOne.
 Fix CVE-2016-0775
 ^^^^^^^^^^^^^^^^^
 
-Buffer overflow in FliDecode.c.
-
 .. note:: More information about this vulnerability included in database record :cve:`2016-0775`
 
+Buffer overflow in FliDecode.c.
+
 In all versions of Pillow, dating back at least to
 the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. 
 
@@ -62,10 +62,10 @@ This issue was found by Alyssa Besseling at Atlassian.
 Fix CVE-2016-2533
 ^^^^^^^^^^^^^^^^^
 
-Buffer overflow in PcdDecode.c.
-
 .. note:: More information about this vulnerability available in :cve:`2016-2533`
 
+Buffer overflow in PcdDecode.c.
+
 In all versions of Pillow, dating back at least to the
 last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. 
 

docs/releasenotes/3.1.2.rst

@@ -7,10 +7,10 @@ Security
 Fix CVE-2016-3076
 ^^^^^^^^^^^^^^^^^
 
-Buffer overflow in Jpeg2KEncode.c.
-
 .. note:: More information about this vulnerability included in database record :cve:`2016-3076`
 
+Buffer overflow in Jpeg2KEncode.c.
+
 Pillow between 2.5.0 and 3.1.1 may overflow a buffer
 when writing large Jpeg2000 files, allowing for code execution or other
 memory corruption. 

docs/releasenotes/6.2.0.rst

@@ -26,8 +26,6 @@ perform operations on it.
 Fix CVE-2019-16865
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-DOS attack vulnerabilities.
-
 .. note:: More information about this vulnerability included in database record :cve:`2019-16865`
 
 The CVE is regarding DOS problems, such as consuming large

docs/releasenotes/6.2.2.rst

@@ -9,51 +9,39 @@ This release fixes several buffer overruns and DOS attacks reported in CVE-2019-
 Fix CVE-2019-19911
 ^^^^^^^^^^^^^^^^^^
 
-DOS attack vulnerability.
-
 .. note:: More information about this vulnerability included in database record :cve:`2019-19911`
 
+DOS attack vulnerability.
+
 If an FPX image reports that it has a large number of bands, a large amount of
 resources will be used when trying to process the image. This is fixed by
 limiting the number of bands to those usable by Pillow.
 
-
 Fix CVE-2020-5310
 ^^^^^^^^^^^^^^^^^
 
-Overflow checks added to TIFF image processing.
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-5310`
 
-Overflow checks have been added when calculating the size of a
+Overflow checks have been added when calculating the size of a memory block to be reallocated
-memory block to be reallocated in the processing of a TIFF image.
+in the processing of a TIFF image.
 
 Fix CVE-2020-5311
 ^^^^^^^^^^^^^^^^^
 
-Overflow checks added to SGI image processing.
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-5311`
 
-Buffer overruns were found when processing an SGI image. Checks
+Buffer overruns were found when processing an SGI image. Checks have been added to prevent this.
-have been added to prevent this.
 
 Fix CVE-2020-5312
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Overflow checks added to PCX image processing.
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-5312`
 
-Buffer overruns were found when processing an SGI PCX. Checks have
+Buffer overruns were found when processing an SGI PCX. Checks have been added to prevent this.
-been added to prevent this.
 
 Fix CVE-2020-5313
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Overflow checks added to FLI image processing.
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-5313`
 
-Buffer overruns were found when processing an FLI image. Checks
+Buffer overruns were found when processing an FLI image. Checks have been added to prevent this.
-have been added to prevent this.

docs/releasenotes/7.1.0.rst

@@ -9,38 +9,38 @@ This release includes many security fixes.
 Fix CVE-2020-10177
 ^^^^^^^^^^^^^^^^^^
 
-Multiple out-of-bounds reads in FLI decoding.
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-10177`
 
+Multiple out-of-bounds reads in FLI decoding.
+
 Fix CVE-2020-10378
 ^^^^^^^^^^^^^^^^^^
 
-Bounds overflow in PCX decoding.
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-10378`
 
+Bounds overflow in PCX decoding.
+
 Fix CVE-2020-10379
 ^^^^^^^^^^^^^^^^^^
 
-Two buffer overflows in TIFF decoding
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-10379`
 
+Two buffer overflows in TIFF decoding.
+
 Fix CVE-2020-10994
 ^^^^^^^^^^^^^^^^^^
 
-Bounds overflow in JPEG 2000 decoding
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-10994`
 
+Bounds overflow in JPEG 2000 decoding.
+
 Fix CVE-2020-11538
 ^^^^^^^^^^^^^^^^^^
 
-Buffer overflow in SGI-RLE decoding
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-11538`
 
+Buffer overflow in SGI-RLE decoding.
+
 API Changes
 ===========
 

docs/releasenotes/8.0.1.rst

@@ -7,11 +7,9 @@ Security
 Fix CVE-2020-15999
 ^^^^^^^^^^^^^^^^^^
 
-Update FreeType version in wheels.
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-15999`
 
-Update FreeType used in binary wheels to `2.10.4`_. 
+Update FreeType in wheels to `2.10.4`_. 
 
   - A heap buffer overflow has been found  in the handling of embedded PNG bitmaps,
     introduced in FreeType version 2.6.

docs/releasenotes/8.1.0.rst

@@ -12,10 +12,10 @@ This release includes security fixes.
 Fix CVE-2020-35653
 ^^^^^^^^^^^^^^^^^^
 
-Buffer read overrun in PCX decoding.
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-35653`
 
+Buffer read overrun in PCX decoding.
+
 The PCX image decoder used the reported image stride to calculate
 the row buffer, rather than calculating it from the image size. This issue dates back
 to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this.
@@ -23,10 +23,10 @@ to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this.
 Fix CVE-2020-35654
 ^^^^^^^^^^^^^^^^^^
 
-TIFF out-of-bounds write error.
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-35654`
 
+TIFF out-of-bounds write error.
+
 Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr
 files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04).
 In some cases LibTIFF's interpretation of the file is different when reading in RGBA mode,
@@ -37,10 +37,10 @@ versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was repo
 Fix CVE-2020-35655
 ^^^^^^^^^^^^^^^^^^
 
-SGI Decode buffer overrun
-
 .. note:: More information about this vulnerability included in database record :cve:`2020-35655`
 
+SGI Decode buffer overrun.
+
 4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly
 checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's
 `OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1.

docs/releasenotes/8.1.1.rst

@@ -7,8 +7,6 @@ Security
 Fix CVE-2021-25289 
 ^^^^^^^^^^^^^^^^^^
 
-The previous fix for CVE-2020-35654 was insufficient.
-
 .. note:: More information about this vulnerability included in database record :cve:`2021-25289`
 
 The previous fix for :cve:`2020-35654` was insufficient due to incorrect error checking in ``TiffDecode.c``.
@@ -16,40 +14,30 @@ The previous fix for :cve:`2020-35654` was insufficient due to incorrect error c
 Fix CVE-2021-25290
 ^^^^^^^^^^^^^^^^^^
 
-In ``TiffDecode.c`` there is a negative-offset.
-
 .. note:: More information about this vulnerability included in database record :cve:`2021-25290`
 
-In ``TiffDecode.c``, there is a negative-offset ``memcpy``
+In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size.
-with an invalid size.
 
 Fix CVE-2021-25291
 ^^^^^^^^^^^^^^^^^^
 
-``TiffDecode.c`` has invalid tile boundaries.
-
 .. note:: More information about this vulnerability included in database record :cve:`2021-25291`
 
-In ``TiffDecode.c``, invalid tile boundaries could lead to
+In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile``.
-an out-of-bounds read in ``TIFFReadRGBATile``.
 
 Fix CVE-2021-25292
 ^^^^^^^^^^^^^^^^^^
 
-The PDF parser has a catastrophic backtracking regex.
-
 .. note:: More information about this vulnerability included in database record :cve:`2021-25292`:
 
-The PDF parser has a catastrophic backtracking regex
+The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack.
-that could be used as a DOS attack.
 
 Fix CVE-2021-25293
 ^^^^^^^^^^^^^^^^^^
 
-There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0.
-
 .. note:: More information about this vulnerability included in database record :cve:`2021-25293`
 
+There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0.
 
 Other Changes
 =============

docs/releasenotes/8.1.2.rst

@@ -7,38 +7,27 @@ Security
 Fix CVE-2021-27921
 ^^^^^^^^^^^^^^^^^^
 
-There is an exhaustion of memory DOS in BLP images.
-
 .. note:: More information about this vulnerability included in database record :cve:`2021-27921`
 
-There is an exhaustion of memory DOS in BLP
+There is an exhaustion of memory DOS in BLP images. where Pillow did not properly check the
-images where Pillow did not properly check the reported size of the
+reported size of the contained image. These images could cause arbitrarily large memory
-contained image. These images could cause arbitrarily large memory
 allocations.
 
 Fix CVE-2021-27922
 ^^^^^^^^^^^^^^^^^^
 
-There is an exhaustion of memory DOS in ICNS images.
-
 .. note:: More information about this vulnerability included in database record :cve:`2021-27921`
 
-There is an exhaustion of memory DOS in the ICNS
+There is an exhaustion of memory DOS in ICNS images where Pillow did not properly check the
-images where Pillow did not properly check the reported size of the
+reported size of the contained image. These images could cause arbitrarily large memory allocations.
-contained image. These images could cause arbitrarily large memory
-allocations.
 
 Fix CVE-2021-27923
 ^^^^^^^^^^^^^^^^^^
 
-There is an exhaustion of memory DOS in ICO images.
-
 .. note:: More information about this vulnerability included in database record :cve:`2021-27923`
 
-There is an exhaustion of memory DOS in ICO
+There is an exhaustion of memory DOS in ICO images where Pillow did not properly check the reported
-images where Pillow did not properly check the reported size of the
+size of the contained image. These images could cause arbitrarily large memory allocations.
-contained image. These images could cause arbitrarily large memory
-allocations.
 
 These were reported by Jiayi Lin, Luke Shaffer, Xinran Xie and
 Akshay Ajayan of `Arizona State University <https://www.asu.edu/>`_.

docs/releasenotes/8.2.0.rst

@@ -9,11 +9,11 @@ These were all found with `OSS-Fuzz`_.
 Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-OOB read in Jpeg2KDecode
-
 .. note:: More information about these vulnerabilities included in database records
     :cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675`
 
+OOB read in Jpeg2KDecode
+
 * For J2k images with multiple bands, it's legal to have different widths for each band,
   e.g. 1 byte for ``L``, 4 bytes for ``A``.
 * This dates to Pillow 2.4.0.

docs/releasenotes/8.3.0.rst

@@ -10,10 +10,10 @@ Buffer overflow
 Fix CVE-2021-34552
 ^^^^^^^^^^^^^^^^^^
 
-Buffer overflow
-
 .. note:: More information about this vulnerability included in database record :cve:`2021-34552`
 
+Buffer overflow
+
 PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger
 buffer overflow in Convert.c.
 

docs/releasenotes/8.3.2.rst

@@ -7,10 +7,10 @@ Security
 Fix CVE-2021-23437
 ^^^^^^^^^^^^^^^^^^
 
-Avoid potential ReDoS (regular expression denial of service)
-
 .. note:: More information about this vulnerability included in database record :cve:`2021-23437`
 
+Avoid potential ReDoS (regular expression denial of service)
+
 Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s
 :py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is
 too long. Present since Pillow 5.2.0.

docs/releasenotes/9.0.0.rst

@@ -46,10 +46,10 @@ Google's `OSS-Fuzz`_ project for finding this issue.
 Fix CVE-2022-22817
 ^^^^^^^^^^^^^^^^^^
 
-Restrict builtins available to ImageMath.eval
-
 .. note:: More information about this vulnerability included in database record :cve:`2022-22817`
 
+Restrict builtins available to ImageMath.eval.
+
 To limit :py:class:`PIL.ImageMath` to working with images, Pillow
 will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will
 help prevent problems arising if users evaluate arbitrary expressions, such as

docs/releasenotes/9.0.1.rst

@@ -9,10 +9,10 @@ This release addresses several security problems.
 Fix CVE-2022-24303
 ^^^^^^^^^^^^^^^^^^
 
-Temp image removal
-
 .. note:: More information about this vulnerability included in database record :cve:`2022-24303`
 
+Temp image removal.
+
 If the path to the temporary directory on Linux or macOS
 contained a space, this would break removal of the temporary image file after
 ``im.show()`` (and related actions), and potentially remove an unrelated file. This

docs/releasenotes/9.1.1.rst

@@ -9,10 +9,10 @@ This release addresses several security problems.
 Fix CVE-2022-30595
 ^^^^^^^^^^^^^^^^^^
 
-Heap buffer overflow
-
 .. note:: More information about this vulnerability included in database record :cve:`2022-30595`
 
+Heap buffer overflow.
+
 When reading a TGA file with RLE packets that cross scan lines,
 Pillow reads the information past the end of the first line without deducting that
 from the length of the remaining file data. This vulnerability was introduced in Pillow

docs/releasenotes/template.rst

@@ -9,8 +9,8 @@ TODO
 
 TODO
 
-Fix CVE-YYYY-XXXXX -- TODO
+Fix CVE-YYYY-XXXXX
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^
 
 .. note:: More information about this vulnerability included in database record :cve:`YYYY-XXXXX`