diff --git a/CHANGES.rst b/CHANGES.rst index 7a21cf440..668aaa7c5 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -5,6 +5,15 @@ Changelog (Pillow) 8.1.0 (unreleased) ------------------ +- Fix TIFF OOB Write error. CVE-2020-35654 #5175 + [wiredfool] + +- Fix for Read Overflow in PCX Decoding. CVE-2020-35653 #5174 + [wiredfool, radarhere] + +- Fix for SGI Decode buffer overrun. CVE-2020-35655 #5173 + [wiredfool, radarhere] + - Fix OOB Read when saving GIF of xsize=1 #5149 [wiredfool] diff --git a/docs/releasenotes/8.1.0.rst b/docs/releasenotes/8.1.0.rst index da5f95405..90847af81 100644 --- a/docs/releasenotes/8.1.0.rst +++ b/docs/releasenotes/8.1.0.rst @@ -20,14 +20,6 @@ Makefile The 'install-venv' target has been deprecated. -API Changes -=========== - -TODO -^^^^ - -TODO - API Additions ============= @@ -44,8 +36,32 @@ already exists for the ICNS format. Security ======== -An out-of-bounds read when saving TIFFs with custom metadata through libtiff has been -fixed, as well as when saving a GIF of 1px width. +This release includes security fixes. + +* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF +* An out-of-bounds read when saving a GIF of 1px width +* :cve:`CVE-2020-35653` Buffer read overrun in PCX decoding + +The PCX image decoder used the reported image stride to calculate the row buffer, +rather than calculating it from the image size. This issue dates back to the PIL fork. +Thanks to Google's `OSS-Fuzz`_ project for finding this. + +* :cve:`CVE-2020-35654` Fix TIFF OOB Write error + +OOB Write in TiffDecode.c when reading corrupt YCbCr files in some LibTIFF versions +(4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). In some cases LibTIFF's +interpretation of the file is different when reading in RGBA mode, leading to an Out of +bounds write in TiffDecode.c. This potentially affects Pillow versions from 6.0.0 to +8.0.1, depending on the version of LibTIFF. This was reported through `Tidelift`_. + +* :cve:`CVE-2020-35655` Fix for SGI Decode buffer overrun + +4 byte read overflow in SGIRleDecode.c, where the code was not correctly checking the +offsets and length tables. Independently reported through `Tidelift`_ and Google's +`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1. + +.. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs +.. _OSS-Fuzz: https://github.com/google/oss-fuzz Dependencies ^^^^^^^^^^^^