From 43e2ee0433779eedc0514922af896540d7bd98d6 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sun, 15 May 2022 16:18:24 +1000
Subject: [PATCH] Added release notes for 9.1.1

---
 CHANGES.rst                 | 13 +++++++++----
 docs/releasenotes/9.1.1.rst | 16 ++++++++++++++++
 docs/releasenotes/index.rst |  1 +
 3 files changed, 26 insertions(+), 4 deletions(-)
 create mode 100644 docs/releasenotes/9.1.1.rst

diff --git a/CHANGES.rst b/CHANGES.rst
index c5bf6b5f8..b7b6fbfc6 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -15,10 +15,6 @@ Changelog (Pillow)
   [radarhere]
 
 - Adjust BITSPERSAMPLE to match SAMPLESPERPIXEL when opening TIFFs #6270
-  [radarhere]
-
-- Do not open images with zero or negative height #6269
-  [radarhere]
 
 - Search pkgconf system libs/cflags #6138
   [jameshilliard, radarhere]
@@ -50,6 +46,15 @@ Changelog (Pillow)
 - Deprecated PhotoImage.paste() box parameter #6178
   [radarhere]
 
+9.1.1 (2022-05-17)
+------------------
+
+- When reading past the end of a TGA scan line, reduce bytes left. CVE-2022-30595
+  [radarhere]
+
+- Do not open images with zero or negative height #6269
+  [radarhere]
+
 9.1.0 (2022-04-01)
 ------------------
 
diff --git a/docs/releasenotes/9.1.1.rst b/docs/releasenotes/9.1.1.rst
new file mode 100644
index 000000000..f8b155f3d
--- /dev/null
+++ b/docs/releasenotes/9.1.1.rst
@@ -0,0 +1,16 @@
+9.1.1
+-----
+
+Security
+========
+
+This release addresses several security problems.
+
+:cve:`CVE-2022-30595`: When reading a TGA file with RLE packets that cross scan lines,
+Pillow reads the information past the end of the first line without deducting that
+from the length of the remaining file data. This vulnerability was introduced in Pillow
+9.1.0, and can cause a heap buffer overflow.
+
+Opening an image with a zero or negative height has been found to bypass a
+decompression bomb check. This will now raise a :py:exc:`SyntaxError` instead, in turn
+raising a ``PIL.UnidentifiedImageError``.
diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst
index db578bdb7..597c804f8 100644
--- a/docs/releasenotes/index.rst
+++ b/docs/releasenotes/index.rst
@@ -15,6 +15,7 @@ expected to be backported to earlier versions.
   :maxdepth: 2
 
   9.2.0
+  9.1.1
   9.1.0
   9.0.1
   9.0.0