From afc93b0d76f030694de5bbff581be9cd45ea1497 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Thu, 2 Jan 2020 14:36:56 +1100 Subject: [PATCH] Added release notes [ci skip] --- CHANGES.rst | 20 +++++++++++++++++++- docs/releasenotes/6.2.2.rst | 18 ++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 docs/releasenotes/6.2.2.rst diff --git a/CHANGES.rst b/CHANGES.rst index 647383c7b..e35759393 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -92,11 +92,29 @@ Changelog (Pillow) - Changed default frombuffer raw decoder args #1730 [radarhere] -6.2.1 (2019-10-21) +6.2.2 (2020-01-02) ------------------ - This is the last Pillow release to support Python 2.7 #3642 +- Overflow checks for realloc for tiff decoding. CVE TBD + [wiredfool, radarhere] + +- Catch SGI buffer overrun. CVE TBD + [radarhere] + +- Catch PCX P mode buffer overrun. CVE TBD + [radarhere] + +- Catch FLI buffer overrun. CVE TBD + [radarhere] + +- Raise an error for an invalid number of bands in FPX image. CVE-2019-19911 + [wiredfool, radarhere] + +6.2.1 (2019-10-21) +------------------ + - Add support for Python 3.8 #4141 [hugovk] diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst new file mode 100644 index 000000000..586ea7d85 --- /dev/null +++ b/docs/releasenotes/6.2.2.rst @@ -0,0 +1,18 @@ +6.2.2 +----- + +Security +======== + +This release addresses several security problems {CVEs TBD), as well as addressing +CVE-2019-19911. + +CVE-2019-19911 is regarding FPX images. If an image reports that it has a large number +of bands, a large amount of resources will be used when trying to process the +image. This is fixed by limiting the number of bands to those usable by Pillow. + +Buffer overruns were found when processing an SGI, PCX or FLI image. Checks +have been added to prevent this. + +Overflow checks have been added when calculating the size of a memory block to +be reallocated in the processing of a TIFF image.
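Review bot: the four "CVE TBD" placeholders in the new 6.2.2 entries of CHANGES.rst (TIFF realloc overflow checks, SGI, PCX P mode and FLI buffer overruns) need to be resolved before this is tagged, either with the assigned identifiers or, at minimum, with the PR numbers that every other entry in this changelog carries (compare "Changed default frombuffer raw decoder args #1730"); as written the published changelog gives readers nothing to look up for four of the five security fixes. Separately, the unchanged "This is the last Pillow release to support Python 2.7 #3642" line now sits under the 6.2.2 header and the re-added 6.2.1 section no longer carries it; that is consistent with 6.2.2 superseding 6.2.1 as the final 2.7 release, but it is a silent change to the 6.2.1 entry and is worth a line in the commit message.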
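Review bot: the opening sentence of docs/releasenotes/6.2.2.rst has a mismatched brace, "{CVEs TBD)", which should read "(CVEs TBD)", and "addresses several security problems ... as well as addressing CVE-2019-19911" repeats "address"; suggest "This release addresses several security problems (CVEs TBD) as well as CVE-2019-19911." The "CVEs TBD" placeholder itself should be replaced with the identifiers once assigned so the release notes and CHANGES.rst agree. The TIFF paragraph would also be clearer as "Integer overflow checks have been added when calculating the size of a memory block to be reallocated", since an overflow in a size calculation is what a realloc check guards against, and the SGI/PCX/FLI paragraph could name which check was added per format so that each fix can be matched to its CVE later.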