mirror of
https://github.com/python-pillow/Pillow.git
synced 2025-01-26 17:24:31 +03:00
Merge pull request #7877 from python-pillow/7864-backfill
Backfill release notes with security fix details
This commit is contained in:
commit
913dc60d5d
|
@ -1,6 +1,33 @@
|
|||
10.0.0
|
||||
------
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
Limit size even if one dimension is zero
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
When performing decompression bomb checks, Pillow did not reject images with
|
||||
excessive width and zero height, or zero width and excessive height. That has
|
||||
now been fixed.
|
||||
|
||||
This effectively dates to the PIL fork, since problem images would still have
|
||||
been processed before Pillow started checking for decompression bombs.
|
||||
|
||||
.. _Added ImageFont.MAX_STRING_LENGTH:
|
||||
|
||||
:cve:`2023-44271`: Added ImageFont.MAX_STRING_LENGTH
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To protect against potential DOS attacks when using arbitrary strings as text
|
||||
input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
|
||||
passed into ImageFont methods is over a certain limit,
|
||||
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
|
||||
|
||||
This threshold can be changed by setting
|
||||
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting
|
||||
``ImageFont.MAX_STRING_LENGTH = None``.
|
||||
|
||||
Backwards Incompatible Changes
|
||||
==============================
|
||||
|
||||
|
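Review bot: "DOS" in "To protect against potential DOS attacks" should be "DoS" (denial of service); "DOS" reads as the operating system, and the same wording recurs in the other release-note files this PR touches, so fix it in all of them together. The explicit target `.. _Added ImageFont.MAX_STRING_LENGTH:` reproduces the pre-rename heading text exactly, so existing deep links keep resolving after the `:cve:` prefix was added to the heading; the first subsection ("Limit size even if one dimension is zero") keeps its title and needs no such target.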
@ -157,31 +184,6 @@ Added ``alpha_only`` argument to ``getbbox()``
|
|||
and the image has an alpha channel, trim transparent pixels. Otherwise, trim
|
||||
pixels when all channels are zero.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
Limit size even if one dimension is zero
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
When performing decompression bomb checks, Pillow did not reject images with
|
||||
excessive width and zero height, or zero width and excessive height. That has
|
||||
now been fixed.
|
||||
|
||||
This effectively dates to the PIL fork, since problem images would still have
|
||||
been processed before Pillow started checking for decompression bombs.
|
||||
|
||||
Added ImageFont.MAX_STRING_LENGTH
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
:cve:`2023-44271`: To protect against potential DOS attacks when using arbitrary strings as text
|
||||
input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
|
||||
passed into ImageFont methods is over a certain limit,
|
||||
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
|
||||
|
||||
This threshold can be changed by setting
|
||||
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting
|
||||
``ImageFont.MAX_STRING_LENGTH = None``.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
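Review bot: the removed block matches the relocated text in the previous hunk word for word, the only difference being that the `:cve:`2023-44271`:` prefix moves from the paragraph body into the heading, so nothing is dropped by the move. The old heading text visible here, `Added ImageFont.MAX_STRING_LENGTH`, is what the explicit target added above must equal for old anchors to keep working, and it does.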
@ -4,11 +4,17 @@
|
|||
Security
|
||||
========
|
||||
|
||||
This release addresses :cve:`2023-4863`, by providing an updated install script and
|
||||
updated wheels to include libwebp 1.3.2, preventing a potential heap buffer overflow
|
||||
in WebP.
|
||||
:cve:`2023-4863`: Updated install script and updated wheels
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
This release provides an updated install script and updated wheels to
|
||||
include libwebp 1.3.2, preventing a potential heap buffer overflow in
|
||||
WebP.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Updated tests to pass with latest zlib version
|
||||
==============================================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The release of zlib 1.3 caused one of the tests in the Pillow test suite to fail.
|
||||
|
|
|
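Review bot: the note only covers the install script and the wheels, so users who build Pillow from source against a system libwebp get no fix from this release; suggest adding one sentence saying that such builds need libwebp 1.3.2 or later from their platform to be protected against :cve:`2023-4863`. Demoting "Updated tests to pass with latest zlib version" from `=` to `^` is right now that it sits under the new "Other Changes" parent.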
@ -1,6 +1,38 @@
|
|||
10.2.0
|
||||
------
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To protect against potential DOS attacks when using arbitrary strings as text input,
|
||||
Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into
|
||||
:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit,
|
||||
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
|
||||
|
||||
This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It
|
||||
can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.
|
||||
|
||||
A decompression bomb check has also been added to
|
||||
:py:meth:`PIL.ImageFont.ImageFont.getmask`.
|
||||
|
||||
ImageFont.getmask: Trim glyph size
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To protect against potential DOS attacks when using PIL fonts,
|
||||
:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
|
||||
they do not extend beyond the bitmap image.
|
||||
|
||||
:cve:`2023-50447`: ImageMath.eval: Restricted environment keys
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
If an attacker has control over the keys passed to the
|
||||
``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
|
||||
arbitrary code. To prevent this, keys matching the names of builtins and keys
|
||||
containing double underscores will now raise a :py:exc:`ValueError`.
|
||||
|
||||
Deprecations
|
||||
============
|
||||
|
||||
|
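Review bot: "To prevent this" in the ImageMath.eval paragraph overstates what a key blocklist buys; rejecting builtin names and double-underscore keys narrows the attack surface, but the expression given to :py:meth:`PIL.ImageMath.eval` is still evaluated, so "To mitigate this" is the accurate verb and it is worth saying that both the expression and the `environment` contents must still come from trusted code. The "DOS" -> "DoS" remark from the 10.0.0 hunk applies to both ImageFont.getmask subsections here as well.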
@ -63,38 +95,6 @@ JPEG tables-only streamtype
|
|||
When saving JPEG files, ``streamtype`` can now be set to 1, for tables-only. This will
|
||||
output only the quantization and Huffman tables for the image.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To protect against potential DOS attacks when using arbitrary strings as text input,
|
||||
Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into
|
||||
:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit,
|
||||
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
|
||||
|
||||
This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It
|
||||
can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.
|
||||
|
||||
A decompression bomb check has also been added to
|
||||
:py:meth:`PIL.ImageFont.ImageFont.getmask`.
|
||||
|
||||
ImageFont.getmask: Trim glyph size
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To protect against potential DOS attacks when using PIL fonts,
|
||||
:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
|
||||
they do not extend beyond the bitmap image.
|
||||
|
||||
ImageMath.eval: Restricted environment keys
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
:cve:`2023-50447`: If an attacker has control over the keys passed to the
|
||||
``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
|
||||
arbitrary code. To prevent this, keys matching the names of builtins and keys
|
||||
containing double underscores will now raise a :py:exc:`ValueError`.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
@ -1,6 +1,19 @@
|
|||
10.3.0
|
||||
------
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
TODO
|
||||
^^^^
|
||||
|
||||
TODO
|
||||
|
||||
:cve:`YYYY-XXXXX`: TODO
|
||||
^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
TODO
|
||||
|
||||
Backwards Incompatible Changes
|
||||
==============================
|
||||
|
||||
|
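Review bot: the placeholder `:cve:`YYYY-XXXXX`` will be rendered by the `cve` role as a link to a record that does not exist if this file ships unchanged, and the same hunk leaves two bare `TODO` bodies; suggest an RST comment such as `.. TODO: fill in or delete before release` above the Security heading, or an item on the release checklist, so none of the placeholders can reach a tagged release.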
@ -63,14 +76,6 @@ Added PerspectiveTransform
|
|||
that all of the :py:data:`~PIL.Image.Transform` values now have a corresponding
|
||||
subclass of :py:class:`~PIL.ImageTransform.Transform`.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
TODO
|
||||
^^^^
|
||||
|
||||
TODO
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
@ -85,3 +90,19 @@ Release GIL when fetching WebP frames
|
|||
|
||||
Python's Global Interpreter Lock is now released when fetching WebP frames from
|
||||
the libwebp decoder.
|
||||
|
||||
Added release notes for past releases
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Added release notes for past releases: ``2.6.0``, ``2.5.2``,
|
||||
``2.3.2``, ``2.3.1``. With these additions we are able to
|
||||
provide a comprehensive list of all Pillow CVE records from
|
||||
1995 to 2024 across three noteworthy periods:
|
||||
|
||||
- 1995-2009: No known CVEs
|
||||
- 2010-2018: :cve:`2014-1932`, :cve:`2014-3589`, :cve:`2016-0740`, :cve:`2016-3076`
|
||||
- 2019-2024: :cve:`2019-16865`, :cve:`2019-19911`, :cve:`2020-10177`, :cve:`2020-15999`,
|
||||
:cve:`2020-35653`, :cve:`2021-25289`, :cve:`2020-35654`, :cve:`2020-35654`,
|
||||
:cve:`2021-27921`, :cve:`2021-27922`, :cve:`2021-27923`, :cve:`2021-25287`,
|
||||
:cve:`2021-25288`, :cve:`2021-34552`, :cve:`2021-23437`, :cve:`2022-22817`,
|
||||
:cve:`2022-24303`, :cve:`2022-30595`, :cve:`2023-44271`, :cve:`2023-4863`
|
||||
|
|
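Review bot: the list is not the comprehensive record the paragraph promises. `:cve:`2020-35654`` appears twice on the same line, and three identifiers documented elsewhere in this very PR are missing from the 2010-2018 line: :cve:`2014-1933` (new 2.3.1 notes), :cve:`2016-0775` and :cve:`2016-2533` (3.1.1 notes). Suggest removing the duplicate, adding the three, and sorting each line by identifier (`2021-25289` currently sits between `2020-35653` and `2020-35654`) so future omissions are easier to spot.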
26
docs/releasenotes/2.3.1.rst
Normal file
|
@ -0,0 +1,26 @@
|
|||
2.3.1
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
These issues reported in
|
||||
`Debian bug #737059 <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059>`_.
|
||||
|
||||
:cve:`2014-1932`: Fix insecure use of :py:func:`tempfile.mktemp`
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The (1) load_djpeg function in ``JpegImagePlugin.py``, (2) Ghostscript function
|
||||
in EpsImagePlugin.py, (3) load function in ``IptcImagePlugin.py``, and (4)
|
||||
``_copy`` function in Image.py in Python Image Library (PIL) 1.1.7 and earlier
|
||||
and Pillow before 2.3.1 do not properly create temporary files, which allow
|
||||
local users to overwrite arbitrary files and obtain sensitive information via a
|
||||
symlink attack on the temporary file.
|
||||
|
||||
:cve:`2014-1933`: Fix insecure use of :py:func:`tempfile.mktemp`
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The (1) ``JpegImagePlugin.py`` and (2) ``EpsImagePlugin.py`` scripts in Python
|
||||
Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of
|
||||
temporary files on the command line, which makes it easier for local users to
|
||||
conduct symlink attacks by listing the processes.
|
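Review bot: "These issues reported in" is missing its verb ("These issues were reported in"), and both descriptions keep their NVD grammar: "which allow local users" should be "which allows" and "scripts ... uses the names" should be "use". Literal markup is also inconsistent inside the 2014-1932 paragraph: `JpegImagePlugin.py`, `IptcImagePlugin.py` and `_copy` are marked up but EpsImagePlugin.py, Image.py, load_djpeg, Ghostscript and load are plain text; suggest double backticks on every file and function name.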
14
docs/releasenotes/2.3.2.rst
Normal file
|
@ -0,0 +1,14 @@
|
|||
2.3.2
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
:cve:`2014-3589`: Fix DOS attack
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and
|
||||
2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted
|
||||
block size.
|
||||
|
||||
Found and reported by Andrew Drake of dropbox.com
|
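Review bot: "Fix DOS attack" should read "Fix DoS attack" (or "Fix denial of service"), and "Found and reported by Andrew Drake of dropbox.com" needs a terminating period; the same two lines are repeated verbatim in the new 2.5.2 and 2.6.0 files below, so apply whichever wording is chosen to all three copies.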
14
docs/releasenotes/2.5.2.rst
Normal file
|
@ -0,0 +1,14 @@
|
|||
2.5.2
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
:cve:`2014-3589`: Fix DOS attack
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and
|
||||
2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted
|
||||
block size.
|
||||
|
||||
Found and reported by Andrew Drake of dropbox.com
|
22
docs/releasenotes/2.6.0.rst
Normal file
|
@ -0,0 +1,22 @@
|
|||
2.6.0
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
:cve:`2014-3589`: Fix DOS attack
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and
|
||||
2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted
|
||||
block size.
|
||||
|
||||
Found and reported by Andrew Drake of dropbox.com
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Relaxed precision of some tests
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Relaxed imagedraw tests to allow slight errors for x86 vs x64.
|
|
@ -1,15 +1,17 @@
|
|||
2.7.0
|
||||
=====
|
||||
-----
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Sane Plugin
|
||||
-----------
|
||||
^^^^^^^^^^^
|
||||
|
||||
The Sane plugin has now been split into its own repo:
|
||||
https://github.com/python-pillow/Sane .
|
||||
|
||||
|
||||
Png text chunk size limits
|
||||
--------------------------
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To prevent potential denial of service attacks using compressed text
|
||||
chunks, there are now limits to the decompressed size of text chunks
|
||||
|
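Review bot: "Png text chunk size limits" is introduced as a guard against "potential denial of service attacks" yet is filed under "Other Changes", while the backfilled 2.3.x and 3.x files in this PR put such fixes under a "Security" heading; suggest giving 2.7.0 a "Security" section and moving this subsection there so the layout is consistent across releases and the 10.3.0 summary can point at it.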
@ -24,7 +26,7 @@ default. The total decompressed size of all text chunks is limited to
|
|||
know that there are large text blocks that are desired.
|
||||
|
||||
Image resizing filters
|
||||
----------------------
|
||||
^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Image resizing methods :py:meth:`~PIL.Image.Image.resize` and
|
||||
:py:meth:`~PIL.Image.Image.thumbnail` take a ``resample`` argument, which tells
|
||||
|
@ -33,7 +35,7 @@ which filter should be used for resampling. Possible values are:
|
|||
were changed in this version.
|
||||
|
||||
Bicubic and bilinear downscaling
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
++++++++++++++++++++++++++++++++
|
||||
|
||||
From the beginning ``BILINEAR`` and ``BICUBIC`` filters were based on affine
|
||||
transformations and used a fixed number of pixels from the source image for
|
||||
|
@ -50,7 +52,7 @@ If you have previously used any tricks to maintain quality when downscaling with
|
|||
steps), they are unnecessary now.
|
||||
|
||||
Antialias renamed to Lanczos
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
++++++++++++++++++++++++++++
|
||||
|
||||
A new ``LANCZOS`` constant was added instead of ``ANTIALIAS``.
|
||||
|
||||
|
@ -64,19 +66,19 @@ The ``ANTIALIAS`` constant is left for backward compatibility and is an alias
|
|||
for ``LANCZOS``.
|
||||
|
||||
Lanczos upscaling quality
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
+++++++++++++++++++++++++
|
||||
|
||||
The image upscaling quality with ``LANCZOS`` filter was almost the same as
|
||||
``BILINEAR`` due to a bug. This has been fixed.
|
||||
|
||||
Bicubic upscaling quality
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
+++++++++++++++++++++++++
|
||||
|
||||
The ``BICUBIC`` filter for affine transformations produced sharp, slightly
|
||||
pixelated image for upscaling. Bicubic for convolutions is more soft.
|
||||
|
||||
Resize performance
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
++++++++++++++++++
|
||||
|
||||
In most cases, convolution is more a expensive algorithm for downscaling
|
||||
because it takes into account all the pixels of source image. Therefore
|
||||
|
@ -93,7 +95,7 @@ The upscaling performance of the ``LANCZOS`` filter has remained the same. For
|
|||
times.
|
||||
|
||||
Default filter for thumbnails
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
+++++++++++++++++++++++++++++
|
||||
|
||||
In Pillow 2.5 the default filter for :py:meth:`~PIL.Image.Image.thumbnail` was
|
||||
changed from ``NEAREST`` to ``ANTIALIAS``. Antialias was chosen because all the
|
||||
|
@ -103,7 +105,6 @@ other filters gave poor quality for reduction. Starting from Pillow 2.7.0,
|
|||
uses supersampling internally, not convolutions.
|
||||
|
||||
Image transposition
|
||||
-------------------
|
||||
|
||||
A new method ``TRANSPOSE`` has been added for the
|
||||
:py:meth:`~PIL.Image.Image.transpose` operation in addition to
|
||||
|
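Review bot: as rendered here, "Image transposition" keeps a `-` underline while every sibling subsection of "Other Changes" in this file is switched to `^`; if it is meant to be a subsection of "Other Changes" it needs the `^` underline as well, otherwise the heading hierarchy of 2.7.0 is inconsistent and Sphinx will treat it as a new top-level section.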
@ -115,7 +116,7 @@ The speed of ``ROTATE_90``, ``ROTATE_270`` and ``TRANSPOSE`` has been significan
|
|||
improved for large images which don't fit in the processor cache.
|
||||
|
||||
Gaussian blur and unsharp mask
|
||||
------------------------------
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The :py:meth:`~PIL.ImageFilter.GaussianBlur` implementation has been replaced
|
||||
with a sequential application of box filters. The new implementation is based on
|
||||
|
@ -125,7 +126,7 @@ implementations use Gaussian blur internally, all changes from this chapter
|
|||
are also applicable to it.
|
||||
|
||||
Blur radius
|
||||
^^^^^^^^^^^
|
||||
+++++++++++
|
||||
|
||||
There was an error in the previous version of Pillow, where blur radius (the
|
||||
standard deviation of Gaussian) actually meant blur diameter. For example, to
|
||||
|
@ -136,7 +137,7 @@ If you used a Gaussian blur with some radius value, you need to divide this
|
|||
value by two.
|
||||
|
||||
Blur performance
|
||||
^^^^^^^^^^^^^^^^
|
||||
++++++++++++++++
|
||||
|
||||
Box filter computation time is constant relative to the radius and depends
|
||||
on source image size only. Because the new Gaussian blur implementation
|
||||
|
@ -148,7 +149,7 @@ second for radius 1, 3.6 seconds for radius 10 and 17 seconds for 50, now blur
|
|||
with any radius on same image is executed for 0.2 seconds.
|
||||
|
||||
Blur quality
|
||||
^^^^^^^^^^^^
|
||||
++++++++++++
|
||||
|
||||
The previous implementation takes into account only source pixels within
|
||||
2 * standard deviation radius for every destination pixel. This was not enough,
|
||||
|
@ -157,7 +158,7 @@ so the quality was worse compared to other Gaussian blur software.
|
|||
The new implementation does not have this drawback.
|
||||
|
||||
TIFF Parameter Changes
|
||||
----------------------
|
||||
^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Several kwarg parameters for saving TIFF images were previously
|
||||
specified as strings with included spaces (e.g. 'x resolution'). This
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
2.8.0
|
||||
=====
|
||||
-----
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Open HTTP response objects with Image.open
|
||||
------------------------------------------
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
HTTP response objects returned from ``urllib2.urlopen(url)`` or
|
||||
``requests.get(url, stream=True).raw`` are 'file-like' but do not support ``.seek()``
|
||||
|
|
|
@ -1,32 +1,8 @@
|
|||
|
||||
3.0.0
|
||||
=====
|
||||
-----
|
||||
|
||||
Saving Multipage Images
|
||||
-----------------------
|
||||
|
||||
There is now support for saving multipage images in the ``GIF`` and
|
||||
``PDF`` formats. To enable this functionality, pass in ``save_all=True``
|
||||
as a keyword argument to the save::
|
||||
|
||||
im.save('test.pdf', save_all=True)
|
||||
|
||||
Tiff ImageFileDirectory Rewrite
|
||||
-------------------------------
|
||||
|
||||
The Tiff ImageFileDirectory metadata code has been rewritten. Where
|
||||
previously it returned a somewhat arbitrary set of values and tuples,
|
||||
it now returns bare values where appropriate and tuples when the
|
||||
metadata item is a sequence or collection.
|
||||
|
||||
The original metadata is still available in the TiffImage.tags, the
|
||||
new values are available in the TiffImage.tags_v2 member. The old
|
||||
structures will be deprecated at some point in the future. When
|
||||
saving Tiff metadata, new code should use the
|
||||
TiffImagePlugin.ImageFileDirectory_v2 class.
|
||||
|
||||
Deprecated Methods
|
||||
------------------
|
||||
Deprecations
|
||||
============
|
||||
|
||||
Several methods that have been marked as deprecated for many releases
|
||||
have been removed in this release::
|
||||
|
@ -42,8 +18,34 @@ have been removed in this release::
|
|||
ImageWin.fromstring()
|
||||
ImageWin.tostring()
|
||||
|
||||
LibJpeg and Zlib are Required by Default
|
||||
----------------------------------------
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Saving Multipage Images
|
||||
^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
There is now support for saving multipage images in the ``GIF`` and
|
||||
``PDF`` formats. To enable this functionality, pass in ``save_all=True``
|
||||
as a keyword argument to the save::
|
||||
|
||||
im.save('test.pdf', save_all=True)
|
||||
|
||||
Tiff ImageFileDirectory Rewrite
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The Tiff ImageFileDirectory metadata code has been rewritten. Where
|
||||
previously it returned a somewhat arbitrary set of values and tuples,
|
||||
it now returns bare values where appropriate and tuples when the
|
||||
metadata item is a sequence or collection.
|
||||
|
||||
The original metadata is still available in the TiffImage.tags, the
|
||||
new values are available in the TiffImage.tags_v2 member. The old
|
||||
structures will be deprecated at some point in the future. When
|
||||
saving Tiff metadata, new code should use the
|
||||
TiffImagePlugin.ImageFileDirectory_v2 class.
|
||||
|
||||
LibJpeg and Zlib are required by default
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The external dependencies on libjpeg and zlib are now required by default.
|
||||
If the headers or libraries are not found, then installation will abort
|
||||
|
|
|
@ -1,9 +1,11 @@
|
|||
|
||||
3.1.0
|
||||
=====
|
||||
-----
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
ImageDraw arc, chord and pieslice can now use floats
|
||||
----------------------------------------------------
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
There is no longer a need to ensure that the start and end arguments for ``arc``,
|
||||
``chord`` and ``pieslice`` are integers.
|
||||
|
@ -12,7 +14,7 @@ Note that these numbers are not simply rounded internally, but are actually
|
|||
utilised in the drawing process.
|
||||
|
||||
Consistent multiline text spacing
|
||||
---------------------------------
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
When using the ``ImageDraw`` multiline methods, the spacing between
|
||||
lines was inconsistent, based on the combination on ascenders and
|
||||
|
@ -24,7 +26,7 @@ not the absolute height of each line.
|
|||
There is also now a default spacing of 4px between lines.
|
||||
|
||||
Exif, Jpeg and Tiff Metadata
|
||||
----------------------------
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
There were major changes in the TIFF ImageFileDirectory support in
|
||||
Pillow 3.0 that led to a number of regressions. Some of them have been
|
||||
|
|
|
@ -1,12 +1,15 @@
|
|||
|
||||
3.1.1
|
||||
=====
|
||||
-----
|
||||
|
||||
CVE-2016-0740 -- Buffer overflow in TiffDecode.c
|
||||
------------------------------------------------
|
||||
Security
|
||||
========
|
||||
|
||||
:cve:`2016-0740`: Buffer overflow in ``TiffDecode.c``
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64
|
||||
may overflow a buffer when reading a specially crafted tiff file (:cve:`2016-0740`).
|
||||
may overflow a buffer when reading a specially crafted tiff file
|
||||
(:cve:`2016-0740`).
|
||||
|
||||
Specifically, libtiff >= 4.0.0 changed the return type of
|
||||
``TIFFScanlineSize`` from ``int32`` to machine dependent
|
||||
|
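Review bot: now that the heading carries `:cve:`2016-0740``, the trailing `(:cve:`2016-0740`)` in the first paragraph is redundant and renders the link twice; suggest dropping it from the body here and in the 0775 and 2533 sections below, as the 3.1.2 hunk in this PR already does. Opening 3.1.1 with a "Security" heading directly under the version matches the layout of the other backfilled files.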
@ -19,9 +22,8 @@ image data over 64k is written over the heap, causing a segfault.
|
|||
|
||||
This issue was found by security researcher FourOne.
|
||||
|
||||
|
||||
CVE-2016-0775 -- Buffer overflow in FliDecode.c
|
||||
-----------------------------------------------
|
||||
:cve:`2016-0775`: Buffer overflow in ``FliDecode.c``
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
In all versions of Pillow, dating back at least to the last PIL 1.1.7
|
||||
release, FliDecode.c has a buffer overflow error (:cve:`2016-0775`).
|
||||
|
@ -49,8 +51,8 @@ off the end of the memory buffer, causing a segfault.
|
|||
|
||||
This issue was found by Alyssa Besseling at Atlassian.
|
||||
|
||||
CVE-2016-2533 -- Buffer overflow in PcdDecode.c
|
||||
-----------------------------------------------
|
||||
:cve:`2016-2533`: Buffer overflow in ``PcdDecode.c``
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
In all versions of Pillow, dating back at least to the last PIL 1.1.7
|
||||
release, ``PcdDecode.c`` has a buffer overflow error (:cve:`2016-2533`).
|
||||
|
@ -62,7 +64,7 @@ the buffer into other Python object storage. In some cases, this
|
|||
causes a segfault, in others an internal Python malloc error.
|
||||
|
||||
Integer overflow in Resample.c
|
||||
------------------------------
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
If a large value was passed into the new size for an image, it is
|
||||
possible to overflow an ``int32`` value passed into malloc.
|
||||
|
|
|
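Review bot: "Integer overflow in Resample.c" is now under the new "Security" heading without a `:cve:` role while the three sections above it carry one; if no identifier was assigned that is fine, but the heading should at least mark `Resample.c` as a literal like its siblings (`TiffDecode.c`, `FliDecode.c`, `PcdDecode.c`) so the difference reads as deliberate rather than as an omission.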
@ -1,13 +1,15 @@
|
|||
|
||||
3.1.2
|
||||
=====
|
||||
-----
|
||||
|
||||
CVE-2016-3076 -- Buffer overflow in Jpeg2KEncode.c
|
||||
--------------------------------------------------
|
||||
Security
|
||||
========
|
||||
|
||||
Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing
|
||||
large Jpeg2000 files, allowing for code execution or other memory
|
||||
corruption (:cve:`2016-3076`).
|
||||
:cve:`2016-3076`: Buffer overflow in Jpeg2KEncode.c
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow between 2.5.0 and 3.1.1 may overflow a buffer
|
||||
when writing large Jpeg2000 files, allowing for code execution or other
|
||||
memory corruption.
|
||||
|
||||
This occurs specifically in the function ``j2k_encode_entry``, at the line:
|
||||
|
||||
|
|
|
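Review bot: the new heading `:cve:`2016-3076`: Buffer overflow in Jpeg2KEncode.c` leaves the filename in plain text, whereas the equivalent 3.1.1 headings wrap it in double backticks; suggest the same literal markup for `Jpeg2KEncode.c`. Dropping the parenthetical CVE from the paragraph once the heading carries it is the right choice and should be mirrored in 3.1.1.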
@ -1,9 +1,11 @@
|
|||
|
||||
3.2.0
|
||||
-----
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
New DDS and FTEX Image Plugins
|
||||
==============================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The ``DdsImagePlugin`` reading DXT1 and DXT5 encoded ``.dds`` images was
|
||||
added. DXT3 images are not currently supported.
|
||||
|
@ -14,13 +16,13 @@ per file, in the ``.ftc`` (compressed) and ``.ftu`` (uncompressed)
|
|||
formats.
|
||||
|
||||
Updates to the GbrImagePlugin
|
||||
=============================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The ``GbrImagePlugin`` (GIMP brush format) has been updated to fix
|
||||
support for version 1 files and add support for version 2 files.
|
||||
|
||||
Passthrough Parameters for ImageDraw.text
|
||||
=========================================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
``ImageDraw.multiline_text`` and ``ImageDraw.multiline_size`` take extra
|
||||
spacing parameters above what are used in ``ImageDraw.text`` and
|
||||
|
@ -29,7 +31,7 @@ spacing parameters above what are used in ``ImageDraw.text`` and
|
|||
to the corresponding multiline functions.
|
||||
|
||||
ImageSequence.Iterator changes
|
||||
==============================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
``ImageSequence.Iterator`` is now an actual iterator implementing the
|
||||
Iterator protocol. It is also now possible to seek to the first image
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
3.3.0
|
||||
-----
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Libimagequant support
|
||||
=====================
|
||||
^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
There is now support for using libimagequant as a higher quality
|
||||
quantization option in ``Image.quantize()`` on Unix-like
|
||||
|
@ -12,7 +15,7 @@ differences.
|
|||
|
||||
|
||||
New Setup.py options
|
||||
====================
|
||||
^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
There are two new options to control the ``build_ext`` task in ``setup.py``:
|
||||
|
||||
|
@ -24,9 +27,8 @@ There are two new options to control the ``build_ext`` task in ``setup.py``:
|
|||
cross compilers that specify that information in via environment
|
||||
variables.
|
||||
|
||||
|
||||
Resizing
|
||||
========
|
||||
^^^^^^^^
|
||||
|
||||
Image resampling for 8-bit per channel images was rewritten using only integer
|
||||
computings. This is faster on most platforms and doesn't introduce precision
|
||||
|
@ -36,18 +38,16 @@ makes resampling 60% faster on average.
|
|||
Color calculation for images in the ``LA`` mode on semitransparent pixels
|
||||
was fixed.
|
||||
|
||||
|
||||
Rotation
|
||||
========
|
||||
^^^^^^^^
|
||||
|
||||
Rotation for angles divisible by 90 degrees now always uses transposition.
|
||||
This greatly improves both quality and performance in this case.
|
||||
Also, the bug with wrong image size calculation when rotating by 90 degrees
|
||||
was fixed.
|
||||
|
||||
|
||||
Image Metadata
|
||||
==============
|
||||
^^^^^^^^^^^^^^
|
||||
|
||||
The return type for binary data in version 2 Exif and Tiff metadata
|
||||
has been changed from a tuple of integers to bytes. This is a change
|
||||
|
|
|
@ -1,9 +1,11 @@
|
|||
|
||||
3.3.2
|
||||
=====
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
Integer overflow in Map.c
|
||||
-------------------------
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow prior to 3.3.2 may experience integer overflow errors in map.c
|
||||
when reading specially crafted image files. This may lead to memory
|
||||
|
@ -26,7 +28,7 @@ memory without duplicating the image first.
|
|||
This issue was found by Cris Neckar at Divergent Security.
|
||||
|
||||
Sign Extension in Storage.c
|
||||
---------------------------
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for
|
||||
negative image sizes in ``ImagingNew`` in ``Storage.c``. A negative
|
||||
|
|
|
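Review bot: neither security subsection in this file carries a `:cve:` role, unlike 3.1.1 and 3.1.2; if identifiers were assigned to the Map.c and Storage.c issues they belong in these headings and in the 10.3.0 summary list, and if not, the summary's claim to be comprehensive should state that it covers assigned CVEs only. Minor: the body says `map.c` while the heading says `Map.c`.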
@ -1,9 +1,29 @@
|
|||
|
||||
3.4.0
|
||||
-----
|
||||
|
||||
Deprecations
|
||||
============
|
||||
|
||||
Deprecation Warning when Saving JPEGs
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
JPEG images cannot contain an alpha channel. Pillow prior to 3.4.0
|
||||
silently drops the alpha channel. With this release Pillow will now
|
||||
issue a :py:exc:`DeprecationWarning` when attempting to save a ``RGBA`` mode
|
||||
image as a JPEG. This will become an error in Pillow 4.2.
|
||||
|
||||
Image.core.open_ppm removed
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The nominally private/debugging function ``Image.core.open_ppm`` has
|
||||
been removed. If you were using this function, please use
|
||||
``Image.open`` instead.
|
||||
|
||||
Other changes
|
||||
=============
|
||||
|
||||
New resizing filters
|
||||
====================
|
||||
^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Two new filters available for ``Image.resize()`` and ``Image.thumbnail()``
|
||||
functions: ``BOX`` and ``HAMMING``. ``BOX`` is the high-performance filter with
|
||||
|
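Review bot: "Other changes" (lowercase c) differs from "Other Changes" used in every other file in this PR; suggest matching the case. Grouping "Deprecation Warning when Saving JPEGs" and "Image.core.open_ppm removed" under a "Deprecations" heading is consistent with the 3.0.0 change in this PR.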
@ -14,23 +34,15 @@ two times shorter window than ``BILINEAR``. It can be used for image reduction
|
|||
providing the image downscaling quality comparable to ``BICUBIC``.
|
||||
Both new filters don't show good quality for the image upscaling.
|
||||
|
||||
Deprecation Warning when Saving JPEGs
|
||||
=====================================
|
||||
|
||||
JPEG images cannot contain an alpha channel. Pillow prior to 3.4.0
|
||||
silently drops the alpha channel. With this release Pillow will now
|
||||
issue a :py:exc:`DeprecationWarning` when attempting to save a ``RGBA`` mode
|
||||
image as a JPEG. This will become an error in Pillow 4.2.
|
||||
|
||||
New DDS Decoders
|
||||
================
|
||||
^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow can now decode DXT3 images, as well as the previously supported
|
||||
DXT1 and DXT5 formats. All three formats are now decoded in C code for
|
||||
better performance.
|
||||
|
||||
Append images to GIF
|
||||
====================
|
||||
^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Additional frames can now be appended when saving a GIF file, through the
|
||||
``append_images`` argument. The new frames are passed in as a list of images,
|
||||
|
@ -42,16 +54,9 @@ in effect, e.g.::
|
|||
im.save(out, save_all=True, append_images=[im1, im2, ...])
|
||||
|
||||
Save multiple frame TIFF
|
||||
========================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Multiple frames can now be saved in a TIFF file by using the ``save_all`` option.
|
||||
e.g.::
|
||||
|
||||
im.save("filename.tiff", format="TIFF", save_all=True)
|
||||
|
||||
Image.core.open_ppm removed
|
||||
===========================
|
||||
|
||||
The nominally private/debugging function ``Image.core.open_ppm`` has
|
||||
been removed. If you were using this function, please use
|
||||
``Image.open`` instead.
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
4.0.0
|
||||
-----
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Python 2.6 and 3.2 Dropped
|
||||
==========================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow 4.0 no longer supports Python 2.6 and 3.2. We will not be
|
||||
creating binaries, testing, or retaining compatibility with these
|
||||
|
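Review bot: filing ``Python 2.6 and 3.2 Dropped`` under the new ``Other Changes`` heading undersells a compatibility break, and later hunks in this file demote ``Internal handles_eof flag`` and ``Image.core.stretch removed`` (both removals) into the same bucket, whereas 4.1.0 and 4.2.0 in this patch get a ``Deprecations`` heading for their removals. Suggest grouping the dropped Python versions and the two removals under a heading a reader scanning for breaking changes will find, and leaving ``Support added for Python 3.6``, ``OleFileIO.py``, ``SGI image save`` and ``Zero sized images`` under ``Other Changes``.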
@ -10,12 +13,12 @@ releases. This release removes some workarounds for those Python
|
|||
releases, so the final working version of Pillow on 2.6 or 3.2 is 3.4.2.
|
||||
|
||||
Support added for Python 3.6
|
||||
============================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow 4.0 supports Python 3.6.
|
||||
|
||||
OleFileIO.py
|
||||
============
|
||||
^^^^^^^^^^^^
|
||||
|
||||
``OleFileIO.py`` has been removed as a vendored file and is now installed
|
||||
from the upstream :pypi:`olefile` PyPI package. All internal dependencies are
|
||||
|
@ -24,19 +27,19 @@ redirected to the olefile package. Direct accesses to
|
|||
upstream olefile into ``sys.modules`` in its place.
|
||||
|
||||
SGI image save
|
||||
==============
|
||||
^^^^^^^^^^^^^^
|
||||
|
||||
It is now possible to save images in modes ``L``, ``RGB``, and
|
||||
``RGBA`` to the uncompressed SGI image format.
|
||||
|
||||
Zero sized images
|
||||
=================
|
||||
^^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow 3.4.0 removed support for creating images with (0,0) size. This
|
||||
has been reenabled, restoring pre 3.4 behavior.
|
||||
|
||||
Internal handles_eof flag
|
||||
=========================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The ``handles_eof flag`` for decoding images has been removed, as there
|
||||
were no internal users of the flag. Anyone maintaining image decoders
|
||||
|
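Review bot: in the ``Internal handles_eof flag`` section demoted here, the literal ``handles_eof flag`` wraps the word ``flag`` inside the backticks, so it renders as a code span named ``handles_eof flag``; since the hunk already touches this section, change it to ``handles_eof`` flag. In the ``Zero sized images`` section just above it, ``reenabled`` reads better as ``re-enabled``.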
@ -44,7 +47,7 @@ outside of the Pillow source tree should consider using the cleanup
|
|||
function pointers instead.
|
||||
|
||||
Image.core.stretch removed
|
||||
==========================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The stretch function on the core image object has been removed. This
|
||||
used to be for enlarging the image, but has been aliased to resize
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
4.1.0
|
||||
-----
|
||||
|
||||
Removed Deprecated Items
|
||||
========================
|
||||
Deprecations
|
||||
============
|
||||
|
||||
Several deprecated items have been removed.
|
||||
|
||||
|
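Review bot: after renaming the heading to ``Deprecations``, the line ``Several deprecated items have been removed.`` is left as a plain sentence directly under a ``=====`` heading, whereas the 4.2.0 file in this same patch turns the identical sentence into a ``^^^^`` subheading (``Several deprecated items have been removed``). Pick one treatment; the subheading form gives the bullet list that follows its own anchor, so I would use it here as well.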
@ -15,8 +15,11 @@ Several deprecated items have been removed.
|
|||
``PIL.ImageDraw.ImageDraw.setfont`` have been removed.
|
||||
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Closing Files When Opening Images
|
||||
=================================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The file handling when opening images has been overhauled. Previously,
|
||||
Pillow would attempt to close some, but not all image formats
|
||||
|
@ -38,9 +41,8 @@ is specified:
|
|||
the underlying file until we are done with the image. The mapping
|
||||
will be closed in the ``close`` or ``__del__`` method.
|
||||
|
||||
|
||||
Changes to GIF Handling When Saving
|
||||
===================================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The :py:class:`PIL.GifImagePlugin` code has been refactored to fix the flow when
|
||||
saving images. There are two external changes that arise from this:
|
||||
|
@ -56,14 +58,14 @@ This refactor fixed some bugs with palette handling when saving
|
|||
multiple frame GIFs.
|
||||
|
||||
New Method: Image.remap_palette
|
||||
===============================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The method :py:meth:`PIL.Image.Image.remap_palette()` has been
|
||||
added. This method was hoisted from the GifImagePlugin code used to
|
||||
optimize the palette.
|
||||
|
||||
Added Decoder Registry and Support for Python Based Decoders
|
||||
============================================================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
There is now a decoder registry similar to the image plugin
|
||||
registries. Image plugins can register a decoder, and it will be
|
||||
|
@ -73,7 +75,7 @@ their C based counterparts, they may be easier and quicker to develop
|
|||
or safer to run.
|
||||
|
||||
Tests
|
||||
=====
|
||||
^^^^^
|
||||
|
||||
Many tests have been added, including correctness tests for image
|
||||
formats that have been previously untested.
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
4.1.1
|
||||
-----
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Fix Regression with reading DPI from EXIF data
|
||||
==============================================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Some JPEG images don't contain DPI information in the image metadata,
|
||||
but do contain it in the EXIF data. A patch was added in 4.1.0 to read
|
||||
|
@ -10,9 +13,8 @@ from the EXIF data, but it did not accept all possible types that
|
|||
could be included there. This fix adds the ability to read ints as
|
||||
well as rational values.
|
||||
|
||||
|
||||
Incompatibility between 3.6.0 and 3.6.1
|
||||
=======================================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
CPython 3.6.1 added a new symbol, PySlice_GetIndicesEx, which was not
|
||||
present in 3.6.0. This had the effect of causing binaries compiled on
|
||||
|
|
|
@ -1,37 +1,11 @@
|
|||
4.2.0
|
||||
-----
|
||||
|
||||
Added Complex Text Rendering
|
||||
============================
|
||||
Deprecations
|
||||
============
|
||||
|
||||
Pillow now supports complex text rendering for scripts requiring glyph
|
||||
composition and bidirectional flow. This optional feature adds three
|
||||
dependencies: harfbuzz, fribidi, and raqm. See the :doc:`install documentation
|
||||
<../installation>` for further details. This feature is tested and works on
|
||||
Unix and Mac, but has not yet been built on Windows platforms.
|
||||
|
||||
New Optional Parameters
|
||||
=======================
|
||||
|
||||
* :py:meth:`PIL.ImageDraw.floodfill` has a new optional parameter:
|
||||
threshold. This specifies a tolerance for the color to replace with
|
||||
the flood fill.
|
||||
|
||||
* The TIFF and PDF image writers now support the ``append_images``
|
||||
optional parameter for specifying additional images to create
|
||||
multipage outputs.
|
||||
|
||||
New DecompressionBomb Warning
|
||||
=============================
|
||||
|
||||
:py:meth:`PIL.Image.Image.crop` now may raise a DecompressionBomb
|
||||
warning if the crop region enlarges the image over the threshold
|
||||
specified by :py:data:`PIL.Image.MAX_IMAGE_PIXELS`.
|
||||
|
||||
Removed Deprecated Items
|
||||
========================
|
||||
|
||||
Several deprecated items have been removed.
|
||||
Several deprecated items have been removed
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* The methods ``PIL.ImageWin.Dib.fromstring``,
|
||||
``PIL.ImageWin.Dib.tostring`` and
|
||||
|
@ -44,8 +18,38 @@ Several deprecated items have been removed.
|
|||
an :py:exc:`IOError` is raised.
|
||||
|
||||
Removed Core Image Function
|
||||
===========================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The unused function ``Image.core.new_array`` was removed. This is an
|
||||
internal function that should not have been used by user code, but it
|
||||
was accessible from the python layer.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Added Complex Text Rendering
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow now supports complex text rendering for scripts requiring glyph
|
||||
composition and bidirectional flow. This optional feature adds three
|
||||
dependencies: harfbuzz, fribidi, and raqm. See the :doc:`install documentation
|
||||
<../installation>` for further details. This feature is tested and works on
|
||||
Unix and Mac, but has not yet been built on Windows platforms.
|
||||
|
||||
New Optional Parameters
|
||||
^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* :py:meth:`PIL.ImageDraw.floodfill` has a new optional parameter:
|
||||
threshold. This specifies a tolerance for the color to replace with
|
||||
the flood fill.
|
||||
|
||||
* The TIFF and PDF image writers now support the ``append_images``
|
||||
optional parameter for specifying additional images to create
|
||||
multipage outputs.
|
||||
|
||||
New DecompressionBomb Warning
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
:py:meth:`PIL.Image.Image.crop` now may raise a DecompressionBomb
|
||||
warning if the crop region enlarges the image over the threshold
|
||||
specified by :py:data:`PIL.Image.MAX_IMAGE_PIXELS`.
|
||||
|
|
|
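Review bot: the ``New DecompressionBomb Warning`` entry re-added here under ``Other Changes`` is a hardening change (``crop`` now honours ``MAX_IMAGE_PIXELS``), and the 6.2.0 notes in this same patch file ``Decompression bomb checks have been added to GIF and ICO formats`` under ``Security``; consider a ``Security`` heading for it so the backfill is consistent across releases. While it is being moved, ``DecompressionBomb warning`` should name the actual class, ``PIL.Image.DecompressionBombWarning``, with a ``:py:exc:`` role, and since it is issued through the warnings machinery rather than raised, ``may raise`` reads better as ``may issue``.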
@ -3,8 +3,11 @@
|
|||
|
||||
There are no functional changes in this release.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Fixed Windows PyPy Build
|
||||
========================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
A change in the 4.2.0 cycle broke the Windows PyPy build. This has
|
||||
been fixed, and PyPy is now part of the Windows CI matrix.
|
||||
|
|
|
@ -1,15 +1,6 @@
|
|||
5.1.0
|
||||
-----
|
||||
|
||||
New File Format
|
||||
===============
|
||||
|
||||
BLP File Format
|
||||
^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow now supports reading the BLP "Blizzard Mipmap" file format used
|
||||
for tiles in Blizzard's engine.
|
||||
|
||||
API Changes
|
||||
===========
|
||||
|
||||
|
@ -30,6 +21,12 @@ Images can now be appended to PDF files in place by passing in
|
|||
Other Changes
|
||||
=============
|
||||
|
||||
New BLP File Format
|
||||
^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow now supports reading the BLP "Blizzard Mipmap" file format used
|
||||
for tiles in Blizzard's engine.
|
||||
|
||||
WebP memory leak
|
||||
^^^^^^^^^^^^^^^^
|
||||
|
||||
|
|
|
@ -3,6 +3,9 @@
|
|||
|
||||
This release fixes regressions in 5.4.0.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Installation on Termux
|
||||
^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
|
|
|
@ -1,6 +1,34 @@
|
|||
6.2.0
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
This release catches several buffer overruns and fixes :cve:`2019-16865`.
|
||||
|
||||
Buffer overruns
|
||||
^^^^^^^^^^^^^^^
|
||||
|
||||
In ``RawDecode.c``, an error is now thrown if skip is calculated to be less than
|
||||
zero. It is intended to skip padding between lines, not to go backwards.
|
||||
|
||||
In ``PsdImagePlugin``, if the combined sizes of the individual parts is larger than
|
||||
the declared size of the extra data field, then it looked for the next layer by
|
||||
seeking backwards. This is now corrected by seeking to (the start of the layer
|
||||
+ the size of the extra data field) instead of (the read parts of the layer +
|
||||
the rest of the layer).
|
||||
|
||||
Decompression bomb checks have been added to GIF and ICO formats.
|
||||
|
||||
An error is now raised if a TIFF dimension is a string, rather than trying to
|
||||
perform operations on it.
|
||||
|
||||
:cve:`2019-16865`: Fix DOS attack
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The CVE is regarding DOS problems, such as consuming large amounts of memory,
|
||||
or taking a large amount of time to process an image.
|
||||
|
||||
API Additions
|
||||
=============
|
||||
|
||||
|
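Review bot: the new ``Buffer overruns`` subheading now sits over two items that are not buffer overruns: ``Decompression bomb checks have been added to GIF and ICO formats`` and ``An error is now raised if a TIFF dimension is a string``. In the old combined paragraph that was harmless; under this heading it misfiles them. The decompression bomb checks are the resource-exhaustion fix and belong under ``:cve:`2019-16865`: Fix DOS attack``, which at present carries only a one-sentence description and no statement of what changed; the TIFF string-dimension check could go with it or under its own subheading.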
@ -65,27 +93,6 @@ There has been a longstanding warning that the defaults of ``Image.frombuffer``
|
|||
may change in the future for the "raw" decoder. The change will now take place
|
||||
in Pillow 7.0.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
This release catches several buffer overruns, as well as addressing
|
||||
:cve:`2019-16865`. The CVE is regarding DOS problems, such as consuming large
|
||||
amounts of memory, or taking a large amount of time to process an image.
|
||||
|
||||
In RawDecode.c, an error is now thrown if skip is calculated to be less than
|
||||
zero. It is intended to skip padding between lines, not to go backwards.
|
||||
|
||||
In PsdImagePlugin, if the combined sizes of the individual parts is larger than
|
||||
the declared size of the extra data field, then it looked for the next layer by
|
||||
seeking backwards. This is now corrected by seeking to (the start of the layer
|
||||
+ the size of the extra data field) instead of (the read parts of the layer +
|
||||
the rest of the layer).
|
||||
|
||||
Decompression bomb checks have been added to GIF and ICO formats.
|
||||
|
||||
An error is now raised if a TIFF dimension is a string, rather than trying to
|
||||
perform operations on it.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
@ -4,15 +4,17 @@
|
|||
Security
|
||||
========
|
||||
|
||||
This release addresses several security problems.
|
||||
This release fixes several buffer overflow issues and a DOS attack vulnerability.
|
||||
|
||||
:cve:`2019-19911` is regarding FPX images. If an image reports that it has a large
|
||||
number of bands, a large amount of resources will be used when trying to process the
|
||||
image. This is fixed by limiting the number of bands to those usable by Pillow.
|
||||
:cve:`2019-19911`: DOS attack vulnerability
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Buffer overruns were found when processing an SGI (:cve:`2020-5311`),
|
||||
PCX (:cve:`2020-5312`) or FLI image (:cve:`2020-5313`). Checks have been added
|
||||
to prevent this.
|
||||
If an FPX image reports that it has a large number of bands, a large amount of
|
||||
resources will be used when trying to process the image. This is fixed by
|
||||
limiting the number of bands to those usable by Pillow.
|
||||
|
||||
:cve:`2020-5310`: Overflow checks have been added when calculating the size of a
|
||||
memory block to be reallocated in the processing of a TIFF image.
|
||||
:cve:`2020-5310`, :cve:`2020-5311`, :cve:`2020-5312`, :cve:`2020-5313`: Overflow checks added
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Overflow checks have been added when calculating the size of a memory block to be reallocated
|
||||
in the processing of TIFF, SGI, PCX and FLI images.
|
||||
|
|
|
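Review bot: merging the four CVEs under ``Overflow checks added`` changes what the notes say happened. The removed text attributed the reallocation-size overflow check to the TIFF path (:cve:`2020-5310`) only, and described SGI (:cve:`2020-5311`), PCX (:cve:`2020-5312`) and FLI (:cve:`2020-5313`) as buffer overruns during decoding for which checks were added; the new paragraph ``Overflow checks have been added when calculating the size of a memory block to be reallocated in the processing of TIFF, SGI, PCX and FLI images`` applies the TIFF description to all four and drops the per-format mapping. Keep two subsections: one for :cve:`2020-5310` with the reallocation-size wording, and one for :cve:`2020-5311`, :cve:`2020-5312` and :cve:`2020-5313` with the original ``Buffer overruns were found when processing an SGI, PCX or FLI image. Checks have been added to prevent this.`` wording, naming which CVE is which format.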
@ -1,6 +1,37 @@
|
|||
7.1.0
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
This release includes many security fixes.
|
||||
|
||||
:cve:`2020-10177`: Multiple out-of-bounds reads in FLI decoding
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow before 7.1.0 has multiple out-of-bounds reads in ``libImaging/FliDecode.c``.
|
||||
|
||||
:cve:`2020-10378`: Bounds overflow in PCX decoding
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
In ``libImaging/PcxDecode.c`` in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
|
||||
|
||||
:cve:`2020-10379`: Two buffer overflows in TIFF decoding
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
In Pillow before 7.1.0, there are two buffer overflows in ``libImaging/TiffDecode.c``.
|
||||
|
||||
:cve:`2020-10994`: Bounds overflow in JPEG 2000 decoding
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
In ``libImaging/Jpeg2KDecode.c`` in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
|
||||
|
||||
:cve:`2020-11538`: Buffer overflow in SGI-RLE decoding
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
In ``libImaging/SgiRleDecode.c`` in Pillow through 7.0.0, a number of out-of-bounds
|
||||
reads exist in the parsing of SGI image files, a different issue than :cve:`2020-5311`.
|
||||
|
||||
API Changes
|
||||
===========
|
||||
|
||||
|
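Review bot: the :cve:`2020-10378` body is a single 170-character line with ``state->shuffle`` and ``state->buffer`` unquoted; wrap it at the roughly 80 columns used elsewhere in the file and put both identifiers in double backticks (the :cve:`2020-10994` line needs the same wrap). The entries also describe the affected range inconsistently: four say ``Pillow before 7.1.0`` and the :cve:`2020-11538` entry says ``Pillow through 7.0.0``; they mean the same thing, but pick one form.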
@ -67,17 +98,6 @@ Passing a different value on Windows or macOS will force taking a snapshot
|
|||
using the selected X server; pass an empty string to use the default X server.
|
||||
XCB support is not included in pre-compiled wheels for Windows and macOS.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
This release includes security fixes.
|
||||
|
||||
* :cve:`2020-10177` Fix multiple out-of-bounds reads in FLI decoding
|
||||
* :cve:`2020-10378` Fix bounds overflow in PCX decoding
|
||||
* :cve:`2020-10379` Fix two buffer overflows in TIFF decoding
|
||||
* :cve:`2020-10994` Fix bounds overflow in JPEG 2000 decoding
|
||||
* :cve:`2020-11538` Fix buffer overflow in SGI-RLE decoding
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
7.1.1
|
||||
-----
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Fix regression seeking PNG files
|
||||
================================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
This fixes a regression introduced in 7.1.0 when adding support for APNG files when calling
|
||||
``seek`` and ``tell``:
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
7.1.2
|
||||
-----
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Fix another regression seeking PNG files
|
||||
========================================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
This fixes a regression introduced in 7.1.0 when adding support for APNG files.
|
||||
|
||||
|
|
|
@ -4,12 +4,13 @@
|
|||
Security
|
||||
========
|
||||
|
||||
Update FreeType used in binary wheels to `2.10.4`_ to fix :cve:`2020-15999`:
|
||||
:cve:`2020-15999`: Update FreeType in wheels to `2.10.4`_
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
- A heap buffer overflow has been found in the handling of embedded PNG bitmaps,
|
||||
introduced in FreeType version 2.6.
|
||||
* A heap buffer overflow has been found in the handling of embedded PNG bitmaps,
|
||||
introduced in FreeType version 2.6.
|
||||
|
||||
If you use option ``FT_CONFIG_OPTION_USE_PNG`` you should upgrade immediately.
|
||||
* If you use option ``FT_CONFIG_OPTION_USE_PNG`` you should upgrade immediately.
|
||||
|
||||
We strongly recommend updating to Pillow 8.0.1 if you are using Pillow 8.0.0, which improved support for bitmap fonts.
|
||||
|
||||
|
|
|
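Review bot: turning the FreeType advisory text into two bullets under the new :cve:`2020-15999` heading leaves ``If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade immediately`` reading as advice to Pillow users, who do not set FreeType build options; that sentence is addressed to whoever builds FreeType. Either mark the two bullets as quoted from the FreeType announcement, or replace the second with what it means for Pillow: the wheels' FreeType is built with PNG support, so users of the 8.0.0 wheels are affected and should move to 8.0.1 (the closing sentence already says so). The bullet markers also switch from ``-`` to ``*`` here, while 8.3.0 in this patch keeps ``-``.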
@ -1,6 +1,50 @@
|
|||
8.1.0
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
This release includes security fixes.
|
||||
|
||||
* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF
|
||||
* An out-of-bounds read when saving a GIF of 1px width
|
||||
|
||||
:cve:`2020-35653`: Buffer read overrun in PCX decoding
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The PCX image decoder used the reported image stride to calculate
|
||||
the row buffer, rather than calculating it from the image size. This issue dates back
|
||||
to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this.
|
||||
|
||||
:cve:`2020-35654`: TIFF out-of-bounds write error
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr
|
||||
files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04).
|
||||
In some cases LibTIFF's interpretation of the file is different when reading in RGBA mode,
|
||||
leading to an out-of-bounds write in ``TiffDecode.c``. This potentially affects Pillow
|
||||
versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through
|
||||
`Tidelift`_.
|
||||
|
||||
:cve:`2020-35655`: SGI Decode buffer overrun
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly
|
||||
checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's
|
||||
`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1.
|
||||
|
||||
.. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs
|
||||
.. _OSS-Fuzz: https://github.com/google/oss-fuzz
|
||||
|
||||
Dependencies
|
||||
^^^^^^^^^^^^
|
||||
|
||||
OpenJPEG in the macOS and Linux wheels has been updated from 2.3.1 to 2.4.0, including
|
||||
security fixes.
|
||||
|
||||
LibTIFF in the macOS and Linux wheels has been updated from 4.1.0 to 4.2.0, including
|
||||
security fixes discovered by fuzzers.
|
||||
|
||||
Deprecations
|
||||
============
|
||||
|
||||
|
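Review bot: the two non-CVE items, ``An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF`` and ``An out-of-bounds read when saving a GIF of 1px width``, stay as bare bullets under ``This release includes security fixes.`` while the three CVEs each get a ``^^^`` subsection; give them a subheading (for example ``Out-of-bounds reads when saving TIFF and GIF``) so they are reachable from the sidebar, and state the affected versions as the CVE entries do. Minor: ``4.3.0->8.0.1`` in the :cve:`2020-35655` entry would read better as ``4.3.0 to 8.0.1``, matching ``from 6.0.0 to 8.0.1`` two entries up.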
@ -33,46 +77,6 @@ With this release, a list of images can be provided to the ``append_images`` par
|
|||
when saving, to replace the scaled down versions. This is the same functionality that
|
||||
already exists for the ICNS format.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
This release includes security fixes.
|
||||
|
||||
* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF
|
||||
* An out-of-bounds read when saving a GIF of 1px width
|
||||
* :cve:`2020-35653` Buffer read overrun in PCX decoding
|
||||
|
||||
The PCX image decoder used the reported image stride to calculate the row buffer,
|
||||
rather than calculating it from the image size. This issue dates back to the PIL fork.
|
||||
Thanks to Google's `OSS-Fuzz`_ project for finding this.
|
||||
|
||||
* :cve:`2020-35654` Fix TIFF out-of-bounds write error
|
||||
|
||||
Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr files in some
|
||||
LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). In some cases
|
||||
LibTIFF's interpretation of the file is different when reading in RGBA mode, leading to
|
||||
an out-of-bounds write in ``TiffDecode.c``. This potentially affects Pillow versions
|
||||
from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through
|
||||
`Tidelift`_.
|
||||
|
||||
* :cve:`2020-35655` Fix for SGI Decode buffer overrun
|
||||
|
||||
4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly checking the
|
||||
offsets and length tables. Independently reported through `Tidelift`_ and Google's
|
||||
`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1.
|
||||
|
||||
.. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs
|
||||
.. _OSS-Fuzz: https://github.com/google/oss-fuzz
|
||||
|
||||
Dependencies
|
||||
^^^^^^^^^^^^
|
||||
|
||||
OpenJPEG in the macOS and Linux wheels has been updated from 2.3.1 to 2.4.0, including
|
||||
security fixes.
|
||||
|
||||
LibTIFF in the macOS and Linux wheels has been updated from 4.1.0 to 4.2.0, including
|
||||
security fixes discovered by fuzzers.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
@ -4,21 +4,33 @@
|
|||
Security
|
||||
========
|
||||
|
||||
:cve:`2021-25289`: The previous fix for :cve:`2020-35654` was insufficient
|
||||
due to incorrect error checking in ``TiffDecode.c``.
|
||||
:cve:`2021-25289`: Fix the fix for :cve:`2020-35654`
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
:cve:`2021-25290`: In ``TiffDecode.c``, there is a negative-offset ``memcpy``
|
||||
with an invalid size.
|
||||
The previous fix for :cve:`2020-35654` was insufficient due to incorrect
|
||||
error checking in ``TiffDecode.c``.
|
||||
|
||||
:cve:`2021-25291`: In ``TiffDecode.c``, invalid tile boundaries could lead to
|
||||
an out-of-bounds read in ``TIFFReadRGBATile``.
|
||||
:cve:`2021-25290`: Fix buffer overflow in ``TiffDecode.c``
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
:cve:`2021-25292`: The PDF parser has a catastrophic backtracking regex
|
||||
that could be used as a DOS attack.
|
||||
In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size.
|
||||
|
||||
:cve:`2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c``,
|
||||
since Pillow 4.3.0.
|
||||
:cve:`2021-25291`: Fix buffer overflow in ``TIFFReadRGBATile``
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds
|
||||
read in ``TIFFReadRGBATile``.
|
||||
|
||||
:cve:`2021-25292`: Fix DOS attack
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The PDF parser has a catastrophic backtracking regex that could be used as a
|
||||
DOS attack.
|
||||
|
||||
:cve:`2021-25293`: Fix buffer overflow in ``SgiRleDecode.c``
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
|
|
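Review bot: two of the new headings do not match their bodies: ``:cve:`2021-25291`: Fix buffer overflow in TIFFReadRGBATile`` describes ``an out-of-bounds read``, and ``:cve:`2021-25293`: Fix buffer overflow in SgiRleDecode.c`` likewise describes ``an out-of-bounds read``; ``buffer overflow`` implies a write and a different severity, so use ``out-of-bounds read`` in both headings. ``Fix the fix for :cve:`2020-35654``` reads as a joke in an advisory; ``Incomplete fix for :cve:`2020-35654``` says the same thing.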
@ -4,9 +4,12 @@
|
|||
Security
|
||||
========
|
||||
|
||||
There is an exhaustion of memory DOS in the BLP (:cve:`2021-27921`),
|
||||
ICNS (:cve:`2021-27922`) and ICO (:cve:`2021-27923`) container formats
|
||||
:cve:`2021-27921`, :cve:`2021-27922`, :cve:`2021-27923`: Fix DOS attacks
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
There is an exhaustion of memory DOS attack in BLP, ICNS, ICO images
|
||||
where Pillow did not properly check the reported size of the contained image.
|
||||
These images could cause arbitrarily large memory allocations. This was reported
|
||||
by Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan of
|
||||
`Arizona State University <https://www.asu.edu/>`_.
|
||||
These images could cause arbitrarily large memory allocations.
|
||||
|
||||
These issues were reported by Jiayi Lin, Luke Shaffer, Xinran Xie and
|
||||
Akshay Ajayan of `Arizona State University <https://www.asu.edu/>`_.
|
||||
|
|
|
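Review bot: the rewritten body drops the per-format mapping the old sentence had (``BLP (:cve:`2021-27921`), ICNS (:cve:`2021-27922`) and ICO (:cve:`2021-27923`)``); with all three CVEs only in the heading and the body saying ``BLP, ICNS, ICO images``, a reader tracking one CVE cannot tell which format it covers. Keep the mapping in the body, e.g. ``in BLP (:cve:`2021-27921`), ICNS (:cve:`2021-27922`) and ICO (:cve:`2021-27923`) images``.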
@ -1,6 +1,60 @@
|
|||
8.2.0
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
These issues were all found with `OSS-Fuzz`_.
|
||||
|
||||
:cve:`2021-25287`, :cve:`2021-25288`: OOB read in Jpeg2KDecode
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* For J2k images with multiple bands, it's legal to have different widths for each band,
|
||||
e.g. 1 byte for ``L``, 4 bytes for ``A``.
|
||||
* This dates to Pillow 2.4.0.
|
||||
|
||||
:cve:`2021-28675`: DOS attack in PsdImagePlugin
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input
|
||||
layers with regard to the size of the data block, this could lead to a
|
||||
denial-of-service on :py:meth:`~PIL.Image.open` prior to
|
||||
:py:meth:`~PIL.Image.Image.load`.
|
||||
* This dates to the PIL fork.
|
||||
|
||||
:cve:`2021-28676`: FLI image DOS attack
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* ``FliDecode.c`` did not properly check that the block advance was non-zero,
|
||||
potentially leading to an infinite loop on load.
|
||||
* This dates to the PIL fork.
|
||||
|
||||
:cve:`2021-28677`: EPS DOS on _open
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line
|
||||
endings. It accidentally used a quadratic method of accumulating lines while looking
|
||||
for a line ending.
|
||||
* A malicious EPS file could use this to perform a denial-of-service of Pillow in the
|
||||
open phase, before an image was accepted for opening.
|
||||
* This dates to the PIL fork.
|
||||
|
||||
:cve:`2021-28678`: BLP DOS attack
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets
|
||||
returned data. This could lead to a denial-of-service where the decoder could be run a
|
||||
large number of times on empty data.
|
||||
* This dates to Pillow 5.1.0.
|
||||
|
||||
Fix memory DOS in ImageFont
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* A corrupt or specially crafted TTF font could have font metrics that lead to
|
||||
unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check
|
||||
the image size before allocating memory for it.
|
||||
* This dates to the PIL fork.
|
||||
|
||||
Deprecations
|
||||
============
|
||||
|
||||
|
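Review bot: the subheadings in the relocated Security section are inconsistent: the CVE entries lost their ``Fix`` prefix (``OOB read in Jpeg2KDecode``, ``DOS attack in PsdImagePlugin``, ``FLI image DOS attack``, ``EPS DOS on _open``, ``BLP DOS attack``) while the last one keeps it (``Fix memory DOS in ImageFont``); settle on one form. Separately, the :cve:`2021-25287`/:cve:`2021-25288` entry states only that differing band widths are legal in JPEG 2000 and when the issue dates from; it never says what the decoder got wrong or what was fixed, so add a sentence describing the fault the way the PSD, FLI, EPS and BLP entries do.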
@ -123,61 +177,6 @@ be specified through a keyword argument::
|
|||
|
||||
im.save("out.tif", icc_profile=...)
|
||||
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
These were all found with `OSS-Fuzz`_.
|
||||
|
||||
:cve:`2021-25287`, :cve:`2021-25288`: Fix OOB read in Jpeg2KDecode
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* For J2k images with multiple bands, it's legal to have different widths for each band,
|
||||
e.g. 1 byte for ``L``, 4 bytes for ``A``.
|
||||
* This dates to Pillow 2.4.0.
|
||||
|
||||
:cve:`2021-28675`: Fix DOS in PsdImagePlugin
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input
|
||||
layers with regard to the size of the data block, this could lead to a
|
||||
denial-of-service on :py:meth:`~PIL.Image.open` prior to
|
||||
:py:meth:`~PIL.Image.Image.load`.
|
||||
* This dates to the PIL fork.
|
||||
|
||||
:cve:`2021-28676`: Fix FLI DOS
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* ``FliDecode.c`` did not properly check that the block advance was non-zero,
|
||||
potentially leading to an infinite loop on load.
|
||||
* This dates to the PIL fork.
|
||||
|
||||
:cve:`2021-28677`: Fix EPS DOS on _open
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line
|
||||
endings. It accidentally used a quadratic method of accumulating lines while looking
|
||||
for a line ending.
|
||||
* A malicious EPS file could use this to perform a denial-of-service of Pillow in the
|
||||
open phase, before an image was accepted for opening.
|
||||
* This dates to the PIL fork.
|
||||
|
||||
:cve:`2021-28678`: Fix BLP DOS
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets
|
||||
returned data. This could lead to a denial-of-service where the decoder could be run a
|
||||
large number of times on empty data.
|
||||
* This dates to Pillow 5.1.0.
|
||||
|
||||
Fix memory DOS in ImageFont
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* A corrupt or specially crafted TTF font could have font metrics that lead to
|
||||
unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check
|
||||
the image size before allocating memory for it.
|
||||
* This dates to the PIL fork.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
@ -1,6 +1,27 @@
|
|||
8.3.0
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
:cve:`2021-34552`: Fix buffer overflow
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert
|
||||
function to trigger buffer overflow in ``Convert.c``.
|
||||
|
||||
Parsing XML
|
||||
^^^^^^^^^^^
|
||||
|
||||
Pillow previously parsed XMP data using Python's ``xml`` module. However, this module
|
||||
is not secure.
|
||||
|
||||
- :py:meth:`~PIL.Image.Image.getexif` has used ``xml`` to potentially retrieve
|
||||
orientation data since Pillow 7.2.0. It has been refactored to use ``re`` instead.
|
||||
- :py:meth:`~PIL.JpegImagePlugin.JpegImageFile.getxmp` was added in Pillow 8.2.0. It
|
||||
will now use ``defusedxml`` instead. If the dependency is not present, an empty
|
||||
dictionary will be returned and a warning raised.
|
||||
|
||||
Deprecations
|
||||
============
|
||||
|
||||
|
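Review bot: in the ``Parsing XML`` subsection, ``this module is not secure`` is too vague for a security note; say what the concern is (the standard-library parser is not hardened against the malicious-document attacks ``defusedxml`` exists to block) so readers can judge whether they were exposed through ``getxmp``. The fallback ``an empty dictionary will be returned and a warning raised`` when ``defusedxml`` is absent is also a behaviour change; one sentence saying that installing ``defusedxml`` restores XMP parsing would save a support question.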
@ -79,28 +100,6 @@ format, through the new ``bitmap_format`` argument::
|
|||
|
||||
im.save("out.ico", bitmap_format="bmp")
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
Buffer overflow
|
||||
^^^^^^^^^^^^^^^
|
||||
|
||||
This release addresses :cve:`2021-34552`. PIL since 1.1.4 and Pillow since 1.0
|
||||
allowed parameters passed into a convert function to trigger buffer overflow in
|
||||
Convert.c.
|
||||
|
||||
Parsing XML
|
||||
^^^^^^^^^^^
|
||||
|
||||
Pillow previously parsed XMP data using Python's ``xml`` module. However, this module
|
||||
is not secure.
|
||||
|
||||
- :py:meth:`~PIL.Image.Image.getexif` has used ``xml`` to potentially retrieve
|
||||
orientation data since Pillow 7.2.0. It has been refactored to use ``re`` instead.
|
||||
- :py:meth:`~PIL.JpegImagePlugin.JpegImageFile.getxmp` was added in Pillow 8.2.0. It
|
||||
will now use ``defusedxml`` instead. If the dependency is not present, an empty
|
||||
dictionary will be returned and a warning raised.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
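Review bot: this hunk moves the Security section from after the ``bitmap_format`` API note to the top of the 8.3.0 file, ahead of Deprecations; since the same reordering is applied to 8.2.0, 9.0.0 and 9.4.0 elsewhere in this PR, state that convention ("Security first") in the template so future release notes follow it. The removed text is otherwise identical to the added version apart from ``Convert.c`` gaining literal markup and the CVE id moving into the heading, so nothing is dropped.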
@ -1,8 +1,11 @@
|
|||
8.3.1
|
||||
-----
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
Fixed regression converting to NumPy arrays
|
||||
===========================================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
This fixes a regression introduced in 8.3.0 when converting an image to a NumPy array
|
||||
with a ``dtype`` argument.
|
||||
|
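Review bot: demoting "Fixed regression converting to NumPy arrays" from ``===`` to ``^^^`` under the new ``Other Changes`` heading matches the hierarchy used in the other files, but the later hunks in this file end mid-section; confirm that every remaining ``===`` sub-heading below "Fixed removing orientation in ImageOps.exif_transpose" was demoted too, otherwise reST will render the leftovers as siblings of ``Other Changes`` rather than children.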
@ -19,7 +22,7 @@ with a ``dtype`` argument.
|
|||
>>>
|
||||
|
||||
Catch OSError when checking if destination is sys.stdout
|
||||
========================================================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
In 8.3.0, a check to see if the destination was ``sys.stdout`` when saving an image was
|
||||
updated. This lead to an :py:exc:`OSError` being raised if the environment restricted
|
||||
|
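Review bot: drive-by wording in the unchanged context line "updated. This lead to an :py:exc:`OSError` being raised": this should read "This led to", since it describes the 8.3.0 behaviour in the past tense like the surrounding sentences.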
@ -28,7 +31,7 @@ access.
|
|||
The :py:exc:`OSError` is now silently caught.
|
||||
|
||||
Fixed removing orientation in ImageOps.exif_transpose
|
||||
=====================================================
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
In 8.3.0, :py:meth:`~PIL.ImageOps.exif_transpose` was changed to ensure that the
|
||||
original image EXIF data was not modified, and the orientation was only removed from
|
||||
|
|
|
@ -4,14 +4,21 @@
|
|||
Security
|
||||
========
|
||||
|
||||
* :cve:`2021-23437`: Avoid a potential ReDoS (regular expression denial of service)
|
||||
in :py:class:`~PIL.ImageColor`'s :py:meth:`~PIL.ImageColor.getrgb` by raising
|
||||
:py:exc:`ValueError` if the color specifier is too long. Present since Pillow 5.2.0.
|
||||
:cve:`2021-23437`: Avoid potential ReDoS (regular expression denial of service)
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* Fix 6-byte out-of-bounds (OOB) read. The previous bounds check in ``FliDecode.c``
|
||||
incorrectly calculated the required read buffer size when copying a chunk, potentially
|
||||
reading six extra bytes off the end of the allocated buffer from the heap. Present
|
||||
since Pillow 7.1.0. This bug was found by Google's `OSS-Fuzz`_ `CIFuzz`_ runs.
|
||||
Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s
|
||||
:py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is
|
||||
too long. Present since Pillow 5.2.0.
|
||||
|
||||
Fix 6-byte out-of-bounds (OOB) read
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Fix 6-byte out-of-bounds (OOB) read. The previous bounds check in ``FliDecode.c`` incorrectly
|
||||
calculated the required read buffer size when copying a chunk, potentially reading six extra
|
||||
bytes off the end of the allocated buffer from the heap. Present since Pillow 7.1.0.
|
||||
|
||||
This bug was found by Google's `OSS-Fuzz`_ `CIFuzz`_ runs.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
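Review bot: both new bodies repeat their heading verbatim ("Avoid a potential ReDoS (regular expression denial of service) in ..." under the ReDoS heading, "Fix 6-byte out-of-bounds (OOB) read." under the OOB heading); drop the repeated phrase so each body opens with the substance, e.g. "A very long color specifier could make the regular expression in :py:meth:`~PIL.ImageColor.getrgb` take excessive time; :py:exc:`ValueError` is now raised instead." The added lines beginning "Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s" and "Fix 6-byte out-of-bounds (OOB) read. The previous bounds check in ``FliDecode.c`` incorrectly" also run past the wrap width the rest of the file uses; rewrap them to match.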
|
|
@ -24,6 +24,40 @@ success of Python.
|
|||
|
||||
Thank you, Fredrik.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
Ensure JpegImagePlugin stops at the end of a truncated file
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
``JpegImagePlugin`` may append an EOF marker to the end of a truncated file, so that
|
||||
the last segment of the data will still be processed by the decoder.
|
||||
|
||||
If the EOF marker is not detected as such however, this could lead to an infinite
|
||||
loop where ``JpegImagePlugin`` keeps trying to end the file.
|
||||
|
||||
Remove consecutive duplicate tiles that only differ by their offset
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To prevent attempts to slow down loading times for images, if an image has consecutive
|
||||
duplicate tiles that only differ by their offset, only load the last tile. Credit to
|
||||
Google's `OSS-Fuzz`_ project for finding this issue.
|
||||
|
||||
:cve:`2022-22817`: Restrict builtins available to ImageMath.eval
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
To limit :py:class:`PIL.ImageMath` to working with images, Pillow
|
||||
will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will
|
||||
help prevent problems arising if users evaluate arbitrary expressions, such as
|
||||
``ImageMath.eval("exec(exit())")``.
|
||||
|
||||
:cve:`2022-22815`: ImagePath.Path array handling
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
(:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``.
|
||||
|
||||
.. _OSS-Fuzz: https://github.com/google/oss-fuzz
|
||||
|
||||
Backwards Incompatible Changes
|
||||
==============================
|
||||
|
||||
|
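Review bot: the ``~~~~`` underline beneath ":cve:`2022-22817`: Restrict builtins available to ImageMath.eval" does not match the ``^^^^`` used by its sibling headings, so reST will introduce a new, deeper heading level at that point; change it to ``^``. The body under ":cve:`2022-22815`: ImagePath.Path array handling" now starts "(:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found", which lost its subject when the first CVE id moved into the heading; restore the full sentence ":cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``." as it still reads in the removed block further down, and consider naming both identifiers in the heading since they are separate CVEs.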
@ -97,41 +131,6 @@ Support has been added for the "title" argument in
|
|||
argument will also now be supported, e.g. ``im.show(title="My Image")`` and
|
||||
``ImageShow.show(im, title="My Image")``.
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
Ensure JpegImagePlugin stops at the end of a truncated file
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
``JpegImagePlugin`` may append an EOF marker to the end of a truncated file, so that
|
||||
the last segment of the data will still be processed by the decoder.
|
||||
|
||||
If the EOF marker is not detected as such however, this could lead to an infinite
|
||||
loop where ``JpegImagePlugin`` keeps trying to end the file.
|
||||
|
||||
Remove consecutive duplicate tiles that only differ by their offset
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To prevent attempts to slow down loading times for images, if an image has consecutive
|
||||
duplicate tiles that only differ by their offset, only load the last tile. Credit to
|
||||
Google's `OSS-Fuzz`_ project for finding this issue.
|
||||
|
||||
Restrict builtins available to ImageMath.eval
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
:cve:`2022-22817`: To limit :py:class:`PIL.ImageMath` to working with images, Pillow
|
||||
will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will
|
||||
help prevent problems arising if users evaluate arbitrary expressions, such as
|
||||
``ImageMath.eval("exec(exit())")``.
|
||||
|
||||
Fixed ImagePath.Path array handling
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
:cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were
|
||||
found when initializing ``ImagePath.Path``.
|
||||
|
||||
.. _OSS-Fuzz: https://github.com/google/oss-fuzz
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
@ -6,14 +6,20 @@ Security
|
|||
|
||||
This release addresses several security problems.
|
||||
|
||||
:cve:`2022-24303`: If the path to the temporary directory on Linux or macOS
|
||||
:cve:`2022-24303`: Temp image removal
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
If the path to the temporary directory on Linux or macOS
|
||||
contained a space, this would break removal of the temporary image file after
|
||||
``im.show()`` (and related actions), and potentially remove an unrelated file. This
|
||||
has been present since PIL.
|
||||
|
||||
:cve:`2022-22817`: While Pillow 9.0 restricted top-level builtins available to
|
||||
:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda
|
||||
expressions. These are now also restricted.
|
||||
:cve:`2022-22817`: Restrict lambda expressions
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
While Pillow 9.0 restricted top-level builtins available to
|
||||
:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins
|
||||
available to lambda expressions. These are now also restricted.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
|
|
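Review bot: "Temp image removal" undersells what the body describes, namely that the cleanup after ``im.show()`` could delete an unrelated file when the temporary directory path contains a space; a heading such as ":cve:`2022-24303`: Unrelated file removal after ``im.show()``" tells a reader scanning the index what the exposure is. The body lines "If the path to the temporary directory on Linux or macOS" and "While Pillow 9.0 restricted top-level builtins available to" were left short when the CVE prefix moved into the headings; reflow both paragraphs to the wrap width used elsewhere in the file.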
@ -4,9 +4,12 @@
|
|||
Security
|
||||
========
|
||||
|
||||
This release addresses several security problems.
|
||||
This release addresses several security issues.
|
||||
|
||||
:cve:`2022-30595`: When reading a TGA file with RLE packets that cross scan lines,
|
||||
:cve:`2022-30595`: Heap buffer overflow
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
When reading a TGA file with RLE packets that cross scan lines,
|
||||
Pillow reads the information past the end of the first line without deducting that
|
||||
from the length of the remaining file data. This vulnerability was introduced in Pillow
|
||||
9.1.0, and can cause a heap buffer overflow.
|
||||
|
|
|
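Review bot: the body keeps the present tense ("Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data") although it describes behaviour fixed in this release; the other backfilled entries use the past tense ("did not check", "allowed"), so change it to "read ... without deducting". The new first body line "When reading a TGA file with RLE packets that cross scan lines," is also left short after the CVE prefix moved into the heading; rewrap the paragraph.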
@ -1,6 +1,25 @@
|
|||
9.4.0
|
||||
-----
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
Fix memory DOS in ImageFont
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
A corrupt or specially crafted TTF font could have font metrics that lead to
|
||||
unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not
|
||||
check the image size before allocating memory for it. This dates to the PIL
|
||||
fork. Pillow 8.2.0 added a check for large sizes, but did not consider the
|
||||
case where one dimension is zero.
|
||||
|
||||
Null pointer dereference crash in ImageFont
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a
|
||||
crash. An error is now raised instead. This has been present since
|
||||
Pillow 8.0.0.
|
||||
|
||||
API Additions
|
||||
=============
|
||||
|
||||
|
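Review bot: "Fix memory DOS in ImageFont" is the same heading used for the 8.2.0 entry, while the text here explains that 9.4.0 closes the zero-dimension case the 8.2.0 size check missed; give this heading a distinguishing suffix (e.g. "Fix memory DOS in ImageFont when one dimension is zero") so the two entries can be told apart in the index and in search results. Neither 9.4.0 entry carries a ``:cve:`` id; if none was assigned, that is fine, but given the purpose of this PR a sentence saying so would avoid the question coming back.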
@ -69,25 +88,6 @@ When saving a JPEG image, a comment can now be written from
|
|||
|
||||
im.save(out, comment="Test comment")
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
Fix memory DOS in ImageFont
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
A corrupt or specially crafted TTF font could have font metrics that lead to
|
||||
unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not
|
||||
check the image size before allocating memory for it. This dates to the PIL
|
||||
fork. Pillow 8.2.0 added a check for large sizes, but did not consider the
|
||||
case where one dimension is zero.
|
||||
|
||||
Null pointer dereference crash in ImageFont
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a
|
||||
crash. An error is now raised instead. This has been present since
|
||||
Pillow 8.0.0.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|
|
@ -69,4 +69,8 @@ expected to be backported to earlier versions.
|
|||
3.0.0
|
||||
2.8.0
|
||||
2.7.0
|
||||
2.6.0
|
||||
2.5.2
|
||||
2.3.2
|
||||
2.3.1
|
||||
versioning
|
||||
|
|
|
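Review bot: each version added to this index list (2.8.0, 2.7.0, 2.6.0, 2.5.2, 2.3.2 and 2.3.1 now sit between the existing 3.0.0 and ``versioning`` entries) needs a matching release notes document in the same directory, otherwise the Sphinx build reports a nonexistent toctree entry; the diff does not show those files, so please confirm they are part of this PR or already in the tree.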
@ -1,6 +1,19 @@
|
|||
xx.y.z
|
||||
------
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
TODO
|
||||
^^^^
|
||||
|
||||
TODO
|
||||
|
||||
:cve:`YYYY-XXXXX`: TODO
|
||||
^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
TODO
|
||||
|
||||
Backwards Incompatible Changes
|
||||
==============================
|
||||
|
||||
|
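Review bot: the template now carries two placeholder sub-headings, "TODO" and ":cve:`YYYY-XXXXX`: TODO"; add a reST comment telling the author to delete the whole Security section when a release contains no security fix, and to drop the ``:cve:`` heading when a fix has no identifier, otherwise the literal "TODO" text or the bogus ``YYYY-XXXXX`` id can end up in published notes. It is also worth a line there that the ``:cve:`` id belongs in the heading rather than the body, since that is the layout this PR applies to every other file.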
@ -31,14 +44,6 @@ TODO
|
|||
|
||||
TODO
|
||||
|
||||
Security
|
||||
========
|
||||
|
||||
TODO
|
||||
^^^^
|
||||
|
||||
TODO
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
|