diff --git a/CHANGES.rst b/CHANGES.rst index c5bf6b5f8..b7b6fbfc6 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -15,10 +15,6 @@ Changelog (Pillow) [radarhere] - Adjust BITSPERSAMPLE to match SAMPLESPERPIXEL when opening TIFFs #6270 - [radarhere] - -- Do not open images with zero or negative height #6269 - [radarhere] - Search pkgconf system libs/cflags #6138 [jameshilliard, radarhere] @@ -50,6 +46,15 @@ Changelog (Pillow) - Deprecated PhotoImage.paste() box parameter #6178 [radarhere] +9.1.1 (2022-05-17) +------------------ + +- When reading past the end of a TGA scan line, reduce bytes left. CVE-2022-30595 + [radarhere] + +- Do not open images with zero or negative height #6269 + [radarhere] + 9.1.0 (2022-04-01) ------------------ diff --git a/docs/releasenotes/9.1.1.rst b/docs/releasenotes/9.1.1.rst new file mode 100644 index 000000000..f8b155f3d --- /dev/null +++ b/docs/releasenotes/9.1.1.rst @@ -0,0 +1,16 @@ +9.1.1 +----- + +Security +======== + +This release addresses several security problems. + +:cve:`CVE-2022-30595`: When reading a TGA file with RLE packets that cross scan lines, +Pillow reads the information past the end of the first line without deducting that +from the length of the remaining file data. This vulnerability was introduced in Pillow +9.1.0, and can cause a heap buffer overflow. + +Opening an image with a zero or negative height has been found to bypass a +decompression bomb check. This will now raise a :py:exc:`SyntaxError` instead, in turn +raising a ``PIL.UnidentifiedImageError``. diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst index db578bdb7..597c804f8 100644 --- a/docs/releasenotes/index.rst +++ b/docs/releasenotes/index.rst @@ -15,6 +15,7 @@ expected to be backported to earlier versions. :maxdepth: 2 9.2.0 + 9.1.1 9.1.0 9.0.1 9.0.0