Merge pull request #14 from ActiveState/BE-164-cve-2021-25289_B

BE-164-cve-2021-25289_B Add files to show that cve-2021-25289 has been fixed.
Marc Gutman 2023-04-11 18:25:08 -05:00 committed by GitHub
commit 8da0274ff5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 5 additions and 1 deletions


@ -8,6 +8,9 @@ Changelog (Pillow)
- Fix CVE-2020-35654
[rickprice]
- Catch TiffDecode heap-based buffer overflow. CVE 2021-25289
Add test files that show the CVE was fixed
[rickprice]
6.2.2.4 (2023-03-29)
------------------
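Review bot: the added changelog entry writes the identifier as "CVE 2021-25289" with a space, while the entry directly above it uses the hyphenated form "CVE-2020-35654", so a search for the canonical id CVE-2021-25289 will not match this line. Suggest "- Catch TiffDecode heap-based buffer overflow. CVE-2021-25289". The second added line says test files were added but does not name them; listing the file names here would let a reader locate the regression inputs.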


@ -1,4 +1,4 @@
6.2.2.4
6.2.2.5
-------
Security
@ -8,4 +8,5 @@ This release addresses several critical CVEs.
:cve:`CVE-2020-35654`: In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.
:cve:`CVE-2021-25289`: Catch TiffDecode heap-based buffer overflow. Add test files that show the CVE was fixed
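Review bot: the new :cve:`CVE-2021-25289` line reads like a commit message ("Catch TiffDecode heap-based buffer overflow. Add test files that show the CVE was fixed") and, unlike the CVE-2020-35654 entry above it, does not say which versions are affected or what kind of input triggers the overflow. Suggest describing the issue in the same form as the preceding entry, ending the sentence with a period, and leaving the remark about test files to the changelog. Separately, the three hunks shown account for all 5 additions and the 1 deletion in the commit summary, so the other two changed files add no text lines; unless a test that loads the new files is already in the tree, nothing in this commit exercises them.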