Added release notes for 9.1.1

CHANGES.rst

@@ -15,10 +15,6 @@ Changelog (Pillow)
   [radarhere]
 
 - Adjust BITSPERSAMPLE to match SAMPLESPERPIXEL when opening TIFFs #6270
-  [radarhere]
-
-- Do not open images with zero or negative height #6269
-  [radarhere]
 
 - Search pkgconf system libs/cflags #6138
   [jameshilliard, radarhere]
@@ -50,6 +46,15 @@ Changelog (Pillow)
 - Deprecated PhotoImage.paste() box parameter #6178
   [radarhere]
 
+9.1.1 (2022-05-17)
+------------------
+
+- When reading past the end of a TGA scan line, reduce bytes left. CVE-2022-30595
+  [radarhere]
+
+- Do not open images with zero or negative height #6269
+  [radarhere]
+
 9.1.0 (2022-04-01)
 ------------------
 

docs/releasenotes/9.1.1.rst

@@ -0,0 +1,16 @@
+9.1.1
+-----
+
+Security
+========
+
+This release addresses several security problems.
+
+:cve:`CVE-2022-30595`: When reading a TGA file with RLE packets that cross scan lines,
+Pillow reads the information past the end of the first line without deducting that
+from the length of the remaining file data. This vulnerability was introduced in Pillow
+9.1.0, and can cause a heap buffer overflow.
+
+Opening an image with a zero or negative height has been found to bypass a
+decompression bomb check. This will now raise a :py:exc:`SyntaxError` instead, in turn
+raising a ``PIL.UnidentifiedImageError``.

docs/releasenotes/index.rst

@@ -15,6 +15,7 @@ expected to be backported to earlier versions.
   :maxdepth: 2
 
   9.2.0
+  9.1.1
   9.1.0
   9.0.1
   9.0.0