Added release notes [ci skip]

2024-12-26 01:46:18 +03:00 · 2020-01-02 14:36:56 +11:00 · 2020-01-02 14:36:56 +11:00 · afc93b0d76
commit afc93b0d76
parent b9c68540dc
2 changed files with 37 additions and 1 deletions
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -92,11 +92,29 @@ Changelog (Pillow)
 - Changed default frombuffer raw decoder args #1730
  [radarhere]

-6.2.1 (2019-10-21)
+6.2.2 (2020-01-02)
 ------------------

 - This is the last Pillow release to support Python 2.7 #3642

+- Overflow checks for realloc for tiff decoding. CVE TBD
+  [wiredfool, radarhere]
+
+- Catch SGI buffer overrun. CVE TBD
+  [radarhere]
+
+- Catch PCX P mode buffer overrun. CVE TBD
+  [radarhere]
+
+- Catch FLI buffer overrun. CVE TBD
+  [radarhere]
+
+- Raise an error for an invalid number of bands in FPX image. CVE-2019-19911
+  [wiredfool, radarhere]
+
+6.2.1 (2019-10-21)
+------------------
+
 - Add support for Python 3.8 #4141
  [hugovk]

--- a/docs/releasenotes/6.2.2.rst
+++ b/docs/releasenotes/6.2.2.rst
@ -0,0 +1,18 @@
+6.2.2
+-----
+
+Security
+========
+
+This release addresses several security problems {CVEs TBD), as well as addressing
+CVE-2019-19911.
+
+CVE-2019-19911 is regarding FPX images. If an image reports that it has a large number
+of bands, a large amount of resources will be used when trying to process the
+image. This is fixed by limiting the number of bands to those usable by Pillow.
+
+Buffer overruns were found when processing an SGI, PCX or FLI image. Checks
+have been added to prevent this.
+
+Overflow checks have been added when calculating the size of a memory block to
+be reallocated in the processing of a TIFF image.